Display alert when SAML certificate is expired

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Work on this issue
• Close this issue

Original Issue

Summary

Making confidential initially as we're not sure if this may have security ramifications.

Based on a Slack thread: https://gitlab.slack.com/archives/CLM1D8QR0/p1696989092986559

Currently, expired SAML certificates still allow authentication. A customer has recently engaged Support regarding their expired SAML cert that is still working.

ruby-saml checks expiry of SAML certs if the security options check_idp_cert_expiration or check_sp_cert_expiration are true. https://github.com/SAML-Toolkits/ruby-saml/blob/148a4c2de713a98c58c28bbc7785c05698216a4d/README.md?plain=1#L727-L728

These options are false by default: https://github.com/SAML-Toolkits/ruby-saml/blob/148a4c2de713a98c58c28bbc7785c05698216a4d/lib/onelogin/ruby-saml/settings.rb#L277

GitLab may need to allow users to configure these options to provide to omniauth-saml and by extension, ruby-saml.

Steps to reproduce

1. Set up SAML SSO for GitLab.com groups as per our docs
2. Wait for the certificate to expire

What is the current bug behavior?

Authentication still works despite the expired certificate

What is the expected correct behavior?

Authentication should not work until a new certificate is issued and the certificate fingerprint is changed

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of: \\\\\\\`sudo gitlab-rake gitlab:env:info\\\\\\\`) (For installations from source run and paste the output of: \\\\\\\`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production\\\\\\\`)

Results of GitLab application Check

Expand for output related to the GitLab application check

(For installations with omnibus-gitlab package run and paste the output of: \\\`sudo gitlab-rake gitlab:check SANITIZE=true\\\`) (For installations from source run and paste the output of: \\\`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true\\\`) (we will only investigate if the tests are passing)

Possible fixes

Bug Revision

Summary

A customer has recently engaged Support to explain why their SAML authentication continues to work with an expired idP SAML certificate. After discussions, we agreed that the this is the norm.

This intentional design choice prevents mass user authentication failure due to certificate expiration, allowing administrators time to replace the certificate with minimal disruption.

What Gitlab as a service provider can do in this case, is to prompt a modal, to notify the admin about their impending idP SAML certificate expiry.

Steps to reproduce

1. Set up SAML SSO for GitLab.com groups as per our docs
2. Wait for the certificate to expire (nothing happens)

What is the current bug behaviour?

No alert modal to notify the admin about their impending idP SAML certificate expiry.

What is the expected correct behaviour?

Alert modal to notify the admin about their impending idP SAML certificate expiry.

Possible fixes

A frontend alert with text context:

The SAML IdP certificate for [IdP_Name] is set to expire on [Expiration_Date]. Please take action to renew the certificate to avoid authentication issues

Summary

A customer has recently engaged Support to explain why their SAML authentication continues to work with an expired idP SAML certificate. After discussions, we agreed that the this is the norm.

This intentional design choice prevents mass user authentication failure due to certificate expiration, allowing administrators time to replace the certificate with minimal disruption.

What Gitlab as a service provider can do in this case, is to show a modal, to notify the admin about their impending idP SAML certificate expiry.

Possible Implementation

A frontend alert with text context:

The SAML IdP certificate for [IdP_Name] is set to expire on [Expiration_Date]. Please take action to renew the certificate to avoid authentication issues

Steps to reproduce

1. Set up SAML SSO for GitLab.com groups as per our docs
2. Wait for the certificate to expire before notification
3. See modal