Inconsistent behavior for "resumed" SAML sessions

Summary

Note: I don't think I have the best vocab to describe this behavior. Please feel free to offer clarifications for my description.

When a user has an active SAML session in a background/unfocused tab, and they ignore the tab until the session expires (e.g. overnight), GitLab does not behave consistently upon revisiting the tab.

For example, as a customer described on this ticket (GitLab internal), when viewing sub-groups and projects on a group, trying to expand them results in a banner error. Ideally, we should check for an active SAML session and, if there isn't one, redirect the user to login.

Anecdotally, I have noticed this myself on GitLab.com, usually on issues. Further, the customer and I both have accounts that were not provisioned by SCIM, and were manually linked to SSO. This may be a coincidence but I wanted to note it.

Steps to reproduce

  1. Sign in to GitLab.com using SAML
  2. Visit a private resource, like a private group or issue
  3. Wait for your SAML session to expire (it may be possible to manually expire it on-demand, but I'm not sure how to do that)
  4. Try to perform an action on the loaded page, such as expand a group, post a comment, etc.
  5. Observe any errors thrown

Example Project

This should be reproducible on any private resource on GitLab.com.

What is the current bug behavior?

We display a banner error. This is confusing for the user because it appears as though something is wrong with GitLab, and not that their session is expired.

What is the expected correct behavior?

We should redirect the user to their SAML provider to re-authenticate, and then return them to the original page.

Relevant logs and/or screenshots

Please see the ticket for the customer's screenshot. I cannot post it in the issue since it contains sensitive customer data.

I plan to try to reproduce this and post more logs/screenshots as I am able.

Output of checks

This bug happens on GitLab.com.

Possible fixes

🤷

Proposed Fix

See this comment. Should we reach out to front end / UX for banner design?

Edited by Hannah Sutor
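The expected behavior described in the issue (detect that the SAML session behind a long-idle tab is gone, send the user through sign-in, and bring them back to the page they were on) as an added illustration. This is example code written for this page, not GitLab's own front-end code. It assumes a sign-in route at `/users/sign_in` that accepts a `return_to` query parameter, and it assumes an expired session surfaces to the client either as a 401 or as a silently followed redirect that returns the HTML sign-in page where JSON was requested; none of those details come from the issue. The return-to value is reduced to a same-origin path before it is placed in the redirect, so an attacker-controlled URL cannot turn the re-authentication step into an open redirect.

```javascript
// Added example (not GitLab code): tell "the session behind this tab is gone"
// apart from a genuine server error, and build a safe redirect back through
// sign-in to the page the user was on, instead of showing a generic banner.
//
// Assumptions (not taken from the issue): the sign-in route is /users/sign_in,
// it accepts a `return_to` query parameter, and an expired session shows up as
// either a 401 or as a followed redirect that returns the HTML sign-in page
// where JSON was requested.

const SIGN_IN_PATH = "/users/sign_in";
const RETURN_TO_PARAM = "return_to";

// Read a header from either a real fetch Response (Headers object) or the
// plain { "lowercase-name": value } object used when running offline.
function headerValue(headers, name) {
  if (!headers) return "";
  if (typeof headers.get === "function") return headers.get(name) || "";
  return headers[name.toLowerCase()] || "";
}

// Classify a completed response from a JSON API call.
function classifyResponse(res) {
  if (res.status === 401) return "session-expired";
  const contentType = headerValue(res.headers, "content-type").toLowerCase();
  // fetch follows 302s transparently, so a redirect to the sign-in page
  // arrives here as 200 text/html rather than the JSON the caller asked for.
  if (res.status === 200 && contentType.startsWith("text/html")) {
    return "session-expired";
  }
  if (res.status >= 500) return "server-error";
  if (res.status === 403) return "forbidden";
  return "ok";
}

// Reduce the current page URL to a same-origin path so the value placed in
// return_to can never send the user to another host (open redirect).
// Anything unparsable or off-origin falls back to the application root.
function safeReturnTo(currentHref, appOrigin) {
  let url;
  try {
    url = new URL(currentHref, appOrigin);
  } catch (_) {
    return "/";
  }
  if (url.origin !== new URL(appOrigin).origin) return "/";
  return url.pathname + url.search + url.hash;
}

// Sign-in URL that brings the user back to where they were after re-auth.
function reauthLocation(currentHref, appOrigin) {
  const target = safeReturnTo(currentHref, appOrigin);
  return `${SIGN_IN_PATH}?${RETURN_TO_PARAM}=${encodeURIComponent(target)}`;
}

// Decide what the UI should do with a response. Only a real server-side
// problem becomes an error banner; a missing session becomes a redirect.
function decideAction(res, currentHref, appOrigin) {
  switch (classifyResponse(res)) {
    case "session-expired":
      return {
        action: "reauthenticate",
        location: reauthLocation(currentHref, appOrigin),
      };
    case "server-error":
      return { action: "show-error", message: "Something went wrong on our end." };
    case "forbidden":
      return { action: "show-error", message: "You do not have access to this resource." };
    default:
      return { action: "ok" };
  }
}

// Browser wiring: route API calls through this so an expired session in a
// background tab redirects to sign-in instead of surfacing as a banner.
// Uses fetch/window, so it only runs inside a browser.
async function apiFetch(input, init) {
  const res = await fetch(input, { ...init, credentials: "same-origin" });
  const decision = decideAction(res, window.location.href, window.location.origin);
  if (decision.action === "reauthenticate") {
    window.location.assign(decision.location);
    return null;
  }
  return res;
}
```

`decideAction` is kept free of browser globals so the classification and the open-redirect guard can be exercised with constructed responses; `apiFetch` is the thin layer that would replace the application's existing request helper.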