Group SAML authentication for signed out users should continue after instance sign in
Why
For Group level SAML we require users to first log in to the instance. If the users start the authentication flow from the SAML server they can end up being redirected to sign in to the instance. After signing in it isn't clear they still need to re-authenticate with the group's SAML provider.
What
We should ideally remember that the user was successfully authenticated, continue linking their account or updating their details, and redirect to the destination contained in the SAML RelayState.
The solution will need to take security into account as well as avoiding potential redirect loops.
Related
- Originally mentioned in https://gitlab.com/gitlab-org/gitlab-ee/issues/4514
Edited by James Edwards-Jones
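A sketch of the RelayState handling and loop guard this issue asks for, added here as an example and not GitLab's own code. The method names, the session key, the TTL and the list of loop-prone paths are assumptions, and the session is modelled as a plain Hash.

```ruby
require 'uri'

# Assumed paths that would restart the sign-in flow if used as a destination.
LOOP_PRONE_PREFIXES = ['/users/sign_in'].freeze
PENDING_TTL = 300 # seconds a pending SAML resume stays valid (assumed value)

# Returns relay_state only when it is a local path that cannot leave the
# instance or re-enter the sign-in flow; otherwise returns the fallback.
def safe_relay_state_path(relay_state, fallback: '/')
  return fallback if relay_state.nil? || relay_state.empty?
  # Backslashes and control characters can be normalised by browsers.
  return fallback if relay_state.match?(/[\\\x00-\x1f\x7f]/)
  # Single leading slash only: "//host" is a protocol-relative URL.
  return fallback unless relay_state.start_with?('/') && !relay_state.start_with?('//')

  uri = URI.parse(relay_state)
  return fallback if uri.scheme || uri.host || uri.userinfo

  path = uri.path
  looping = LOOP_PRONE_PREFIXES.any? do |prefix|
    path == prefix || path.start_with?("#{prefix}/")
  end
  return fallback if looping

  uri.query ? "#{path}?#{uri.query}" : path
rescue URI::InvalidURIError
  fallback
end

# Signed-out user arrives from the SAML server: record where to resume.
def remember_pending_saml(session, relay_state, now: Time.now.to_i)
  session[:pending_group_saml] = { 'relay_state' => relay_state, 'at' => now }
end

# After instance sign in: hand back the destination once, then forget it,
# so a second pass through sign in cannot bounce the user again.
def resume_after_sign_in(session, now: Time.now.to_i)
  pending = session.delete(:pending_group_saml)
  return nil unless pending && now - pending['at'] <= PENDING_TTL

  safe_relay_state_path(pending['relay_state'])
end
```

The marker stores only the destination, so the group SAML assertion itself still has to be validated by whatever step continues the account linking.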