[Feature flag] Enable Transparent SSO Enforcement
Summary
This issue is to rollout the feature on production,
that is currently behind the transparent_sso_enforcement
feature flag.
Previously, SAML SSO for GitLab.com was only enforced if the enforcement setting was explicitly enabled. With this change, SSO will now be enforced for all users that have a SAML identity. This increases security for organizations that want their employees to use SSO but still want public or non-SSO users to access their groups/projects. Explicit SSO enforcement via the setting is still useful for cases where the organization wants to only allow SSO users to access their groups/projects.
Owners
- Team: ~"group::authentication and authorization"
- Most appropriate slack channel to reach out to:
#g_manage_auth
- Best individual to reach out to: @dblessing
- PM: @hsutor
Stakeholders
Expectations
What are we expecting to happen?
For the most part, users should not notice a difference. If they do notice it will be that they see they are sent back through SAML SSO once every 24 hours.
When is the feature viable?
Once enabled, if no customers report issues within a few days to weeks then we can be reasonably sure it's stable. The change was fairly simple and just added a small bit of additional logic to the existing SSO enforcer.
What might happen if this goes wrong?
Some groups may have SAML SSO enabled but it is in a broken state of configuration and they're not using it currently. If the group was not using SAML/didn't know it was enabled should follow the steps below to disable SAML. This is expected behavior and should not result in the FF being rolled back.
Enabling transparent SSO for these groups may cause some of their members to be unable to access their groups/projects in that case. These groups should have a top-level group owner go to their top-level group -> Settings -> SAML SSO -> Uncheck 'Enable SAML authentication for this group' and save. Top level group owners can always access the top level group and settings to avoid being locked out by such a situation.
Another potential situation is that a user has a mismatched extern_uid
in GitLab compared to the IdP. If both the extern_uid
and email address match GitLab will gracefully handle the situation and update the extern_uid
automatically.
If the user's email address does not match they may be unable to sign in via SAML. In this case, a group owner can use the API to update a user's extern_uid
to match the IdP. See https://docs.gitlab.com/ee/api/saml
For other problems, support may have to intervene and look at the user object and/or SAML identity via Rails console. Or maybe at this point we identify another edge-case bug and need to disable the FF.
One or a few users shouldn't be required to sign-in via SAML
If the issue is only affecting one or two users and the customer simply needs Support to remove the identity (maybe they have a handful of users that at some point signed in via SAML but no longer need to) then we can manually remove the identity via Rails:
user = User.find_by_username('the_username')
identity = user.identities.find_by_provider('group_saml')
# verify the identity matches what we expect. Could also verify the `saml_provider_id` matches the provider attached to their top-level group
group = Group.find_by_path('top-level-group')
group.saml_provider.id
# the above should match the user's identity saml provider id
# if all looks good
identity.destroy
If the feature is negatively impacting a customer without a clear path to resolution given the above information, Support can override the feature for the group while collaborating with ~"group::authentication and authorization" to find the root cause. See Rollback Steps section
What can we monitor to detect problems with this?
Consider mentioning checks for 5xx errors or other anomalies like an increase in redirects (302 HTTP response status)
What can we check for monitoring production after rollouts?
Consider adding links to check for Sentry errors, Production logs for 5xx, 302s, etc.
Rollout Steps
Rollout on non-production environments
- Ensure that the feature MRs have been deployed to non-production environments.
-
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
-
Enable the feature globally on non-production environments. -
/chatops run feature set <feature-flag-name> true --dev --staging --staging-ref
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable. The best environment to validate the feature in is staging-canary as this is the first environment deployed to. Note you will need to make sure you are configured to use canary as outlined here when accessing the staging environment in order to make sure you are testing appropriately.
Specific rollout on production
- Ensure that the feature MRs have been deployed to both production and canary.
-
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
- If you're using project-actor, you must enable the feature on these entries:
-
/chatops run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com <feature-flag-name> true
-
- If you're using group-actor, you must enable the feature on these entries:
-
/chatops run feature set --group=gitlab-org,gitlab-com <feature-flag-name> true
-
- If you're using user-actor, you must enable the feature on these entries:
-
/chatops run feature set --user=<your-username> <feature-flag-name> true
-
-
Verify that the feature works on the specific entries. Posting the QA result in this issue is preferable.
Preparation before global rollout
-
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation has been updated (More info). -
Announce on the feature issue an estimated time this will be enabled on GitLab.com. -
Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware. -
Notify #support_gitlab-com
and your team channel (more guidance when this is necessary in the dev docs).
Global rollout on production
For visibility, all /chatops
commands that target production should be executed in the #production
slack channel and cross-posted (with the command results) to the responsible team's slack channel (#g_TEAM_NAME
).
-
Incrementally roll out the feature. - If the feature flag in code has an actor, perform actor-based rollout.
-
/chatops run feature set <feature-flag-name> <rollout-percentage> --actors
-
- If the feature flag in code does NOT have an actor, perform time-based rollout (random rollout).
-
/chatops run feature set <feature-flag-name> <rollout-percentage> --random
-
- Enable the feature globally on production environment.
-
/chatops run feature set <feature-flag-name> true
-
- If the feature flag in code has an actor, perform actor-based rollout.
-
Announce on the feature issue that the feature has been globally enabled. -
Wait for at least one day for the verification term.
(Optional) Release the feature with the feature flag
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes. Ask for review and merge it. -
Set the default_enabled
attribute in the feature flag definition totrue
. -
Create a changelog entry.
-
-
Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post. -
/chatops run release check <merge-request-url> <milestone>
-
-
Consider cleaning up the feature flag from all environments by running these chatops command in #production
channel. Otherwise these settings may override the default enabled.-
/chatops run feature delete <feature-flag-name> --dev --staging --staging-ref --production
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Set the next milestone to this rollout issue for scheduling the flag removal. -
(Optional) You can create a separate issue for scheduling the steps below to Release the feature. -
Set the title to "[Feature flag] Cleanup <feature-flag-name>
". -
Execute the /copy_metadata <this-rollout-issue-link>
quick action to copy the labels from this rollout issue. -
Link this rollout issue as a related issue. -
Close this rollout issue.
-
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.
-
Create a merge request to remove <feature-flag-name>
feature flag. Ask for review and merge it.-
Remove all references to the feature flag from the codebase. -
Remove the YAML definitions for the feature from the repository. -
Create a changelog entry.
-
-
Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post. -
/chatops run release check <merge-request-url> <milestone>
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
If not already done, clean up the feature flag from all environments by running these chatops command in #production
channel:-
/chatops run feature delete <feature-flag-name> --dev --staging --staging-ref --production
-
-
Close this rollout issue.
Then re-enable the feature for the following groups (relevant as of Nov 29).
["Group:1069519", "Group:12445836", "Group:14302837", "Group:56093708", "Group:5926007", "Group:6543"]
Rollback Steps
Docs on the feature flags: https://docs.gitlab.com/ee/user/group/saml_sso/#selectively-enable-and-disable-transparent-sso-enforcement
There are two feature flags associated with this feature to allow precise control. If a customer has a problem with transparent SSO on GitLab.com, Support can help troubleshoot and override the feature flag as necessary.
transparent_sso_enforcement
: This feature flag should only be enabled or disabled by the Authentication and Authorization group or in the case of a serious and widespread issue affecting many groups or users.
transparent_sso_enforcement_override
: When the transparent_sso_enforcement feature flag is enabled, support or production teams can turn off transparent SSO by enabling this feature flag for a specific customer group. Enabling this feature flag disables transparent SSO enforcement.
Both flags are scoped to top level groups:
- Main feature flag -
transparent_sso_enforcement
. - Override feature flag -
transparent_sso_enforcement_override
Cases:
-
transparent_sso_enforcement
is enabled,transparent_sso_enforcement_override
is disabled- Transparent SSO is enabled
-
transparent_sso_enforcement
is enabled,transparent_sso_enforcement_override
is enabled.- Transparent SSO is disabled
To override the feature for a select group:
/chatops run feature set transparent_sso_enforcement_override true --group=top-level-group