SAML SSO configuration and sign-in for Organizations

Problem

Enterprise customers rely on SAML SSO to authenticate users with their Identity Provider. Without SAML SSO support at the Organization level, enterprise adoption of Organizations will be limited.

Requirements

Admin Requirements

  • As an admin, I can view and configure the SAML SSO settings for my Organization's identity provider at the Organization level
  • As an admin, I can see the users that were provisioned into my Organization via SAML in the users list

User Requirements

  • As a user, I can sign in to my Organization with my SAML provider
  • As a user, when I visit /-/<org-path>, I am redirected to my IdP
  • As a user, I am Just-in-Time (JIT) provisioned when I log in for the first time

Compatibility Requirements

  • Support future migration of Top-Level Group SAML configuration (GitLab.com) to Organizations
  • Support future migration of Instance SAML configuration (Self-Managed/Dedicated) to Organizations

Security Requirements

  • SAML authentication flow tested by Security team for attack vectors
  • Proper isolation between Organizations verified
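The sign-in flow in the User Requirements and the isolation requirement above, as an added illustration (not GitLab's code): a small in-memory service that resolves the SAML configuration per Organization, builds the IdP redirect for /-/<org-path>, checks the returned assertion against that Organization's own issuer, audience and outstanding request id, and JIT-provisions the user keyed by (Organization, NameID) so the same IdP identity in two Organizations never collapses into one account. The `OrgSamlService` class, the URLs and the hash standing in for a signature-verified SAML Response are all constructed for the example; real signature and timestamp validation is assumed to have happened before `consume` is called.

```ruby
require 'securerandom'
require 'uri'

# Constructed stand-ins for persistence; names are not GitLab's models.
SamlConfig = Struct.new(:org_path, :idp_sso_url, :idp_entity_id, :sp_entity_id, keyword_init: true)
OrgUser    = Struct.new(:id, :org_path, :name_id, :email, keyword_init: true)
SsoError   = Class.new(StandardError)

class OrgSamlService
  def initialize(base_url)
    @base_url = base_url
    @configs  = {}   # org_path => SamlConfig
    @users    = {}   # [org_path, name_id] => OrgUser (JIT users are scoped per Organization)
    @pending  = {}   # request_id => org_path (AuthnRequests we issued and have not consumed)
    @next_id  = 0
  end

  # Admin requirement: store the IdP settings for one Organization.
  def configure(org_path, idp_sso_url:, idp_entity_id:)
    @configs[org_path] = SamlConfig.new(
      org_path: org_path, idp_sso_url: idp_sso_url, idp_entity_id: idp_entity_id,
      sp_entity_id: "#{@base_url}/-/#{org_path}")
  end

  def config_for(org_path)
    @configs.fetch(org_path) { raise SsoError, "no SAML config for #{org_path}" }
  end

  # User visits /-/<org-path>: build the IdP redirect and remember the request id
  # so the response can later be tied back to this Organization.
  def sso_redirect_url(org_path)
    cfg = config_for(org_path)
    request_id = "_#{SecureRandom.hex(16)}"
    @pending[request_id] = org_path
    uri = URI(cfg.idp_sso_url)
    uri.query = URI.encode_www_form(
      'SAMLRequest' => request_id,   # stands in for the deflated, base64-encoded AuthnRequest
      'RelayState'  => org_path)
    uri.to_s
  end

  # IdP posts back. `assertion` is a constructed hash representing a SAML Response
  # whose signature has already been verified. Every check is against the
  # configuration of the Organization the response was presented to.
  def consume(org_path, assertion)
    cfg = config_for(org_path)
    raise SsoError, 'unknown issuer'       unless assertion[:issuer] == cfg.idp_entity_id
    raise SsoError, 'audience mismatch'    unless assertion[:audience] == cfg.sp_entity_id
    raise SsoError, 'unsolicited response' unless @pending.delete(assertion[:in_response_to]) == org_path
    jit_provision(org_path, assertion[:name_id], assertion[:email])
  end

  # Returns [user, created?]. The key includes org_path, which is what keeps
  # identities from one Organization's IdP out of another Organization.
  def jit_provision(org_path, name_id, email)
    key = [org_path, name_id]
    return [@users[key], false] if @users[key]
    @next_id += 1
    @users[key] = OrgUser.new(id: @next_id, org_path: org_path, name_id: name_id, email: email)
    [@users[key], true]
  end

  def users_in(org_path)
    @users.values.select { |u| u.org_path == org_path }
  end
end

if __FILE__ == $PROGRAM_NAME
  svc = OrgSamlService.new('https://gitlab.example')
  svc.configure('acme', idp_sso_url: 'https://idp.acme.example/sso', idp_entity_id: 'https://idp.acme.example')
  url = svc.sso_redirect_url('acme')
  req_id = URI.decode_www_form(URI(url).query).to_h['SAMLRequest']
  user, created = svc.consume('acme', issuer: 'https://idp.acme.example',
                                      audience: 'https://gitlab.example/-/acme',
                                      in_response_to: req_id, name_id: 'alice', email: 'alice@acme.example')
  puts "redirect: #{url}", "user #{user.id} in #{user.org_path} (created: #{created})"
end
```

The audience check is the isolation boundary: the SP entity id embeds the org path, so a response minted for /-/acme fails at /-/globex even if both Organizations trust the same IdP, and the consumed request id rejects a replay of the same response.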

Acceptance Criteria

  • SAML SSO configuration UI available at Organization level
  • SAML sign-in flow functional
  • JIT provisioning works for new users
  • IdP redirect from org-path works correctly
  • Migration path documented for existing Top-Level Group (TLG) SAML configs
  • Security review completed