Git activity SSO enforcement restriction breaks pull mirrors
Summary
This issue is meant to open a discussion on the relationship between SSO enforcement for Git activity and the configuration of pull mirroring on a GitLab project.
Currently, when a user sets up a pull mirror on a GitLab.com project and Enforce SSO-only authentication for Git and Dependency Proxy activity for this group is enabled for the group, mirroring will work as long as the user has an active SSO session.
From the documentation it's not clear whether this is expected behavior or a bug (that is, whether mirroring should be exempt from SSO checks for the configuring user). If it is expected behavior, the documentation should be updated to say so.
Steps to reproduce
- Configure a GitLab.com group with SAML SSO enforcement and enable "Enforce SSO-only authentication for Git and Dependency Proxy activity for this group".
- Configure a pull mirror for a project inside the group.
- End the SSO session of the user who configured the mirror, either by logging out of GitLab.com or of the Identity Provider (IdP).
- After the mirror update interval passes (30 minutes), the mirror fails with an `Invalid SSO token` error.
What is the current bug behavior?
Mirroring is broken after the SSO session ends.
What is the expected correct behavior?
To be determined.
Either this is the expected behavior and should be documented in the mirroring docs, or an exemption should be made for pull mirroring while SSO is enforced.
Output of checks
This bug happens on GitLab.com.
Workaround:
Currently, creating the mirror through the Projects API with a Project Access Token, a Group Access Token or a Service Account Token removes the need for an SSO session to keep the mirror working. This makes sense, as these tokens don't represent users who "log into" GitLab; however, the docs don't mention this either.
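The workaround as a script, added here as an example and not GitLab's own tooling: it configures the pull mirror through the Projects API with a non-user token sent in the `PRIVATE-TOKEN` header, so no SSO session is involved, and it inspects the project payload to detect the failure reported above. It assumes the token has the `api` scope and a role allowed to edit the project, the `mirror`/`import_url`/`only_mirror_protected_branches` parameters of `PUT /projects/:id`, and the `import_status`/`import_error` fields of `GET /projects/:id`.

```python
import json
import os
import urllib.parse
import urllib.request

GITLAB_API = "https://gitlab.com/api/v4"


def build_mirror_request(project_id, import_url, token, only_protected=False):
    """Return (url, headers, body) for PUT /projects/:id enabling pull mirroring.
    project_id may be a numeric id or a 'group/project' path (URL-encoded here).
    The token goes in PRIVATE-TOKEN; no user SSO session is part of the request."""
    url = f"{GITLAB_API}/projects/{urllib.parse.quote(str(project_id), safe='')}"
    body = urllib.parse.urlencode({
        "mirror": "true",                       # assumed parameter: enable pull mirroring
        "import_url": import_url,               # assumed parameter: upstream repo URL
        "only_mirror_protected_branches": "true" if only_protected else "false",
    }).encode()
    headers = {"PRIVATE-TOKEN": token,
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def configure_pull_mirror(project_id, import_url, token, only_protected=False):
    """Send the request built above and return the project JSON GitLab answers with."""
    url, headers, body = build_mirror_request(project_id, import_url, token, only_protected)
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def mirror_failure(project):
    """Given a GET /projects/:id payload, return the error text when the last
    mirror update failed (e.g. the 'Invalid SSO token' error from this report),
    or None when pull mirroring is enabled and healthy. Field names are assumed."""
    if not project.get("mirror"):
        return "pull mirroring is not enabled"
    if project.get("import_status") == "failed" or project.get("import_error"):
        return project.get("import_error") or "mirror update failed"
    return None


# Constructed sample of a project payload after the failure described in this issue.
SAMPLE_FAILED = {"id": 123, "mirror": True, "import_status": "failed",
                 "import_error": "Invalid SSO token"}

if __name__ == "__main__":
    # Real use: GITLAB_TOKEN holds a Project/Group Access Token or Service Account Token.
    token = os.environ.get("GITLAB_TOKEN", "glpat-PLACEHOLDER")
    print(build_mirror_request("group/project", "https://example.com/upstream.git", token)[0])
    print(mirror_failure(SAMPLE_FAILED))
```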