Update permissions for SSO enforcement for public groups
Related to gitlab-com/gl-infra/production#7891 (closed). We realized that SSO enforcement is broken for public groups (and for internal groups, although internal projects and groups can no longer be created on .com). Both members and non-members can reach the group and its projects but cannot do things like comment or discuss, so the discussion appears locked. The cause is that enforcement is applied inconsistently between request paths: the full page load succeeds and does not redirect to SSO, while the AJAX requests made by that page fail the SSO enforcement checks.
A potential fix is to prevent public access in the project policy (POC: cede1938).
We also need to update documentation to make it clear what the behavior is.
Current behavior as I understand it (without Transparent SSO)
| Visibility | SSO Enforced Setting | Member | Non-member |
|---|---|---|---|
| Private | Off | Not enforced | No access |
| Private | Enforced | Enforced | No access |
| Internal | Off | Not enforced | Not enforced |
| Internal | Enforced | Enforced (but broken) | Enforced (but broken) |
| Public | Off | Not enforced | Not enforced |
| Public | Enforced | Enforced (but broken) | Enforced (but broken) |
Desired behavior (w/ Transparent SSO)
| Visibility | SSO Enforced Setting | Member w/ Identity | Member w/o Identity | Non-member/Anonymous user (Not signed in) |
|---|---|---|---|---|
| Private | Off | Enforced | Not enforced | No access |
| Private | Enforced | Enforced | Enforced | No access |
| Internal | Off | Enforced | Not enforced | Not enforced |
| Internal | Enforced | Enforced | Enforced | Not enforced |
| Public | Off | Enforced | Not enforced | Not enforced |
| Public | Enforced | Enforced | Enforced | Not enforced |
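As an added example (not GitLab's own policy code), the desired-behaviour table above written as ordered policy rules in Ruby, with a helper that regenerates the whole matrix so it can be diffed against the table; the module and symbol names are assumptions.

```ruby
# Added example, not GitLab code. Encodes the desired Transparent SSO access
# matrix as a small set of ordered rules. Names (SsoAccessPolicy, the user kinds)
# are hypothetical.
module SsoAccessPolicy
  VISIBILITIES = %i[private internal public].freeze
  USERS = %i[member_with_identity member_without_identity anonymous].freeze

  # Returns :no_access, :enforced or :not_enforced for one cell of the table.
  def self.decide(visibility:, sso_enforced:, user:)
    raise ArgumentError, "unknown visibility #{visibility}" unless VISIBILITIES.include?(visibility)
    raise ArgumentError, "unknown user kind #{user}" unless USERS.include?(user)

    # Rule 1: private groups are never visible to non-members, whatever SSO says.
    return :no_access if visibility == :private && user == :anonymous
    # Rule 2: SSO can only be enforced on someone who is signed in; anonymous
    # users of internal/public groups are simply not subject to it.
    return :not_enforced if user == :anonymous
    # Rule 3: a member who already has a linked identity is always routed
    # through SSO (Transparent SSO), regardless of the group setting.
    return :enforced if user == :member_with_identity
    # Rule 4: a member without an identity is enforced only when the setting is on.
    sso_enforced ? :enforced : :not_enforced
  end

  # Rebuilds the full matrix, one row per (visibility, setting) pair, in the
  # same row and column order as the "Desired behavior" table.
  def self.matrix
    VISIBILITIES.product([false, true]).map do |visibility, enforced|
      row = USERS.map { |u| decide(visibility: visibility, sso_enforced: enforced, user: u) }
      [visibility, enforced, *row]
    end
  end
end
```

Because every request path (page load and AJAX alike) would call the same `decide`, the two paths cannot disagree the way the current behaviour does.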
Edited by Drew Blessing