LDAP Duo seat assignment worker not triggered when users have MFA enabled

Summary

The LdapAddOnSeatSyncWorker is not triggered for LDAP users who have Multi-Factor Authentication (MFA) enabled, preventing automatic Duo add-on seat assignment based on LDAP group membership.

Steps to reproduce

  1. Configure GitLab self-managed with LDAP authentication
  2. Configure duo_add_on_groups in LDAP settings (e.g., duo_add_on_groups: ['#gitlab_duo'])
  3. Have an active GitLab Duo Enterprise or Duo Pro add-on purchase
  4. Create a user account with MFA enabled
  5. Add the user to the configured LDAP Duo add-on group
  6. Have the user sign in via LDAP
  7. Complete the MFA challenge
  8. Check if the LdapAddOnSeatSyncWorker was enqueued in Sidekiq logs

What is the current bug behavior?

When a user with MFA enabled signs in via LDAP:

  1. LDAP authentication succeeds
  2. User is redirected to MFA prompt
  3. User completes MFA successfully
  4. User is signed in, but LdapAddOnSeatSyncWorker is never enqueued
  5. Duo seat assignment based on LDAP group membership does not occur

What is the expected correct behavior?

The LdapAddOnSeatSyncWorker should be triggered for all LDAP users regardless of MFA status, ensuring that Duo seat assignment occurs based on LDAP group membership after successful authentication (including MFA completion).

Relevant logs and/or screenshots

Without MFA (working):

With MFA (broken):

Output of checks

This bug affects GitLab self-managed instances with LDAP authentication and Duo add-on seat management configured.

Tested on GitLab 18.2 and GitLab 18.4 with Ultimate License and GitLab Duo Pro.

Possible fixes

The root cause is in app/controllers/omniauth_callbacks_controller.rb in the sign_in_user_flow method:

if @user.two_factor_enabled? && !auth_user.bypass_two_factor?
  prompt_for_two_factor(@user)
  store_idp_two_factor_status(false)
else
  # ... post-sign-in logic including:
  enqueue_after_sign_in_workers(@user, auth_user)
  # ...
end

Problem: enqueue_after_sign_in_workers is only called in the else branch, meaning it's skipped when MFA is required.

Potential solutions:

  1. Move worker enqueuing to post-MFA completion: Ensure LDAP-specific workers are triggered after successful MFA completion
  2. Add worker enqueuing to MFA flow: Call enqueue_after_sign_in_workers after successful MFA verification for LDAP users
  3. Alternative trigger mechanism: Use a different event that fires after complete sign-in (including MFA)

The fix should ensure that EE::Ldap::OmniauthCallbacksController#enqueue_after_sign_in_workers is called for LDAP users regardless of MFA status, after successful authentication is fully complete.

Affected files:

  • app/controllers/omniauth_callbacks_controller.rb (line ~250-260)
  • ee/app/controllers/ee/ldap/omniauth_callbacks_controller.rb
  • Potentially MFA completion controllers that handle post-2FA sign-in
Edited by 🤖 GitLab Bot 🤖