Force total re-auth on SAML IdP when approving MR in the UI, regardless of existing session

Problem

Currently, if a user is already authenticated with SAML, requesting SAML authentication during MR approval redirects automatically without asking the user to log in again, because a valid SAML session already exists.

Proposal

When approving a merge request in the UI, we need to force a SAML re-authentication, even if a valid session exists. This applies to both instance-level SAML and group SAML.

Implementation Ideas

Use the ForceAuthn SAML request parameter to force a full re-authentication on the SAML IdP side too.

2024-01-15_Export_SAML_ForceAuthn_Research_Notes.pdf
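
An added sketch of the ForceAuthn idea at the protocol level (not GitLab code): the service provider sets `ForceAuthn="true"` on the AuthnRequest, then confirms on the response that `AuthnInstant` is not older than the request, since an IdP that ignores the flag would otherwise go unnoticed. The function names, URLs and sample responses are assumptions made for illustration, and signature validation is assumed to happen before the freshness check.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, now):
    """Return (request_id, xml) for an AuthnRequest that sets ForceAuthn."""
    request_id = "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true",  # IdP must re-authenticate despite its session
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req, encoding="unicode")


def is_fresh_reauth(response_xml, request_id, requested_at, skew_seconds=60):
    """True only if the response answers our request and AuthnInstant is not
    older than the request. Run after signature/conditions validation."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        return False
    stmt = root.find(f".//{{{SAML}}}AuthnStatement")
    instant = stmt.get("AuthnInstant") if stmt is not None else None
    try:
        authenticated_at = dt.datetime.fromisoformat(instant.replace("Z", "+00:00"))
        return authenticated_at >= requested_at - dt.timedelta(seconds=skew_seconds)
    except (AttributeError, TypeError, ValueError):
        return False  # missing or malformed AuthnInstant: treat as not fresh


def sample_response(request_id, authn_instant):
    """Constructed, unsigned IdP response used only to exercise the check."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'InResponseTo="{request_id}"><saml:Assertion>'
            f'<saml:AuthnStatement AuthnInstant="{authn_instant}"/>'
            f'</saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    now = dt.datetime(2024, 1, 15, 10, 0, tzinfo=dt.timezone.utc)
    rid, xml = build_authn_request("https://sp.example/saml", "https://sp.example/acs", "https://idp.example/sso", now)
    print(is_fresh_reauth(sample_response(rid, "2024-01-15T08:00:00Z"), rid, now))
    print(is_fresh_reauth(sample_response(rid, "2024-01-15T10:00:20Z"), rid, now))
```

The first sample response reuses a login from two hours before the approval request and is rejected; the second reflects a login performed after the request and is accepted.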

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Hannah Sutor