Support SAML GroupSync for multiple providers
This is a feature request for SAML Group Sync to support multiple SAML providers. Multiple providers are supported for authentication, but any SAML provider not named saml is ignored for group sync.
In a test scenario on 15.6.1-ee:
- multiple providers were configured
- each was configured to use group sync
- the providers were named saml and saml1
- each provider had a test user that could successfully log in to GitLab using that provider
- a SAML group from each provider was added as a group link to a GitLab group. Each provider's group granted access to a different user.
- each of the two users' SAML responses was confirmed to contain what GitLab expects
- after each user logged in, only the saml provider's user was granted the appropriate access.
If I understand the code correctly, this seems to be happening because we only account for the provider named saml. This may also explain the error in this issue.
Known Limitations
- When multiple providers are configured and there are conflicts in role level between the two, the access granted by the first logged-in provider will be lost when the secondary provider is logged in to. There will not be management of a user signing in via two providers that send conflicting group details and thus cause a back-and-forth change of permissions. This will be a documented limitation of the implementation.
Related links:
- Similar closed issue, but more specific to an error message: #366257 (closed)
- The above issue was closed as a duplicate of this similar one. It pertains to an error that comes from removing/renaming the provider named saml that had group sync enabled: #366450 (closed)
- Notes that SAML Group Sync doesn't work with multiple providers: comment 1, comment 2
Customer ticket where this was first found.
Related issues
This will be done in 3 milestones to comply with the Sidekiq process:
- Phase 1: #418186 (closed) 16.2
- Phase 2: #386605 (closed) 16.3
- Phase 3: 16.4
Availability & Testing
E2E tests should be added for SAML Group Sync with multiple providers
Edited by Aboobacker MK
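
The test scenario and the known limitation described above, as an added example that is not part of the original issue and is not GitLab's code. It is a simplified model: the `GroupLink` struct, the `GroupSyncModel` class, the `only_provider` option, and the user and group names are all hypothetical, and membership is assumed to be recomputed from each SAML response alone.

```ruby
# Simplified model (assumption): a group link maps one provider's SAML group
# name to an access level in a single GitLab group. Not GitLab's implementation.
GroupLink = Struct.new(:provider, :saml_group, :access_level)
ACCESS = { guest: 10, developer: 30, maintainer: 40 }.freeze

class GroupSyncModel
  attr_reader :members

  def initialize(links, only_provider: nil)
    @links = links
    @only_provider = only_provider # 'saml' reproduces the behaviour reported above
    @members = {}                  # user => numeric access level
  end

  # Called on each SAML login with the groups asserted in that response.
  def sync(user, provider, asserted_groups)
    return :skipped if @only_provider && provider != @only_provider

    levels = @links
             .select { |l| l.provider == provider && asserted_groups.include?(l.saml_group) }
             .map { |l| ACCESS.fetch(l.access_level) }
    # Last login wins: only this response's groups are considered.
    if levels.empty?
      @members.delete(user)
    else
      @members[user] = levels.max
    end
    :synced
  end
end

# Constructed sample data: one group link per provider.
LINKS = [
  GroupLink.new('saml', 'idp-a-devs', :developer),
  GroupLink.new('saml1', 'idp-b-admins', :maintainer)
].freeze

# Scenario from the issue: the second provider's login never reaches group sync.
def reported_behaviour
  m = GroupSyncModel.new(LINKS, only_provider: 'saml')
  [m.sync('alice', 'saml', ['idp-a-devs']), m.sync('bob', 'saml1', ['idp-b-admins']), m.members]
end

# Known limitation: one user alternating providers has their role rewritten each time.
def flip_flop
  m = GroupSyncModel.new(LINKS)
  [%w[saml idp-a-devs], %w[saml1 idp-b-admins], %w[saml idp-a-devs]].map do |provider, group|
    m.sync('carol', provider, [group])
    m.members['carol']
  end
end
```

A membership audit that records the provider alongside each access-level change makes the back-and-forth pattern in `flip_flop` visible when reviewing who held which role and when.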