Group SAML - Scheduled Pipelines Cannot Find Valid SSO Session
Summary
GitLab recently enabled a SSO status check for Git activity which can be enabled/disabled in the Group SAML Settings:
Enforce SSO-only authentication for Git and Dependency Proxy activity for this group
When this setting is enabled, it may have a negative impact on scheduled pipelines. Scheduled pipelines are executed by the user who created the schedule. However if the users SSO session (1 day) expires, their pipeline will fail with the following error:
Cannot find valid SSO session. Please login via your group's SSO
This is presumably because by default, Git Strategy is set to Fetch
or Clone
in the projects CI/CD settings. Therefore every pipeline that is executed will execute Git operations that cause the pipeline to fail if the SSO session is expired.
Steps to reproduce
- Configure Group SAML SSO
- Enable
Enforce SSO-only authentication for Git and Dependency Proxy activity for this group
- Create a scheduled pipeline
- Allow the SSO Session to expire for the user who created the scheduled pipeline
- Review Job Log for scheduled pipeline and note the
Cannot find valid SSO session
error
What is the current bug behavior?
Scheduled pipelines fail when SSO session expires and the following setting is enabled in the SAML SSO settings:
Enforce SSO-only authentication for Git and Dependency Proxy activity for this group
What is the expected correct behavior?
Scheduled pipelines should be able to successfully run regardless of the SAML SSO session when the Enforce SSO-only authentication for Git
settings is enabled.
Alternatively, an option to disable this setting for specific projects and/or scheduled pipelines.
Relevant logs and/or screenshots
Getting source from Git repository 00:00
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /path/to/project/.git/
remote: Cannot find valid SSO session. Please login via your group's SSO at https://gitlab.com/groups/project/-/saml/sso?token=########
fatal: unable to access 'https://gitlab.com/path/to/project.git/': The requested URL returned error: 403
Output of checks
This bug happens on GitLab.com
Possible Workarounds
- Disable the
Enforce SSO-only authentication for Git and Dependency Proxy activity for this group
setting - Transfer the ownership of the pipeline schedule to a Group owner user: #339888 (comment 684201327)
- If the pipeline does not require Git operations, use a variable to set GIT_STRATEGY: none