Allow users to SSO into a group without an active login/session
Description
In https://gitlab.com/gitlab-org/gitlab-ee/issues/4514, a group-level SSO page was added when SAML is set up. The current implementation, however, requires the user to first be logged into the instance before they're able to access the SSO page (example: https://gitlab.com/groups/gitlab-org/-/sso).
Currently, the user is presented with a "you must sign up or sign in" banner. This restriction was added out of a security concern: if any user is able to access the page, they are able to verify the existence of a group (potentially revealing something sensitive via the name, e.g. super-secret-project).
Problem
We should allow a logged out user to access the SSO login page for a group without being already logged into the instance.
Proposal
- SSO URLs for groups should include a token.
- Navigating to the SSO link without the token (e.g. https://gitlab.com/groups/gitlab-org/-/sso) should 404 for a logged out user.
- A logged in user should be presented with the SSO login page (as it does now).
- Logged out/in users should be able to access the SSO page with the token.
- On successfully completing the SAML dance, a logged out user should be logged in and presented with the group page.
- If the logged out user does not have an account on the instance, they should be prompted to register first.
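The access rule the proposal describes, as an added Ruby sketch that is not GitLab's code: a group SSO endpoint that answers 404 for a logged out request without a valid token, exactly as it does for a group that does not exist, so the response reveals nothing about whether the group is there, while a logged in user still gets the page without a token. The in-memory group store, the token values and all function names are constructed for this example; treating a wrong token the same as a missing one (404, not 403) is a choice made here that the issue does not spell out.

```ruby
require 'securerandom'

# Constructed stand-in for the group store (hypothetical; not GitLab's model).
# The tokens below are made-up sample values.
GROUPS = {
  'gitlab-org'           => { saml_enabled: true,  sso_token: 'a3f9c2e1d4b5f6a7b8c9' },
  'super-secret-project' => { saml_enabled: true,  sso_token: '0e1d2c3b4a5968778695' },
  'no-saml-group'        => { saml_enabled: false, sso_token: nil },
}.freeze

# Token for a freshly configured group: 20 random bytes, hex-encoded (40 chars).
def generate_sso_token
  SecureRandom.hex(20)
end

# Constant-time comparison so a wrong token cannot be refined byte by byte
# from response timing. Length mismatch returns early; lengths are not secret.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide what the group SSO endpoint should return.
#   :not_found -> 404, indistinguishable from "no such group"
#   :sso_page  -> render the group SSO login page
def sso_page_response(group_path:, token:, logged_in:)
  group = GROUPS[group_path]

  # Unknown group, or SAML not configured for it: 404. This is the same
  # answer a logged out user gets when the token is missing or wrong, so
  # the endpoint cannot be used to enumerate group names.
  return :not_found if group.nil? || !group[:saml_enabled]

  # A logged in user can already see the group exists; keep today's behaviour.
  return :sso_page if logged_in

  # Logged out: only the tokenised link works.
  secure_equal?(token, group[:sso_token]) ? :sso_page : :not_found
end

# Build the shareable SSO link that carries the token (hypothetical URL shape).
def group_sso_url(group_path, host: 'https://gitlab.example')
  token = GROUPS.fetch(group_path)[:sso_token]
  "#{host}/groups/#{group_path}/-/sso?token=#{token}"
end

if __FILE__ == $PROGRAM_NAME
  puts group_sso_url('gitlab-org')
  # Logged out, bare URL: 404, same as for a group that does not exist.
  p sso_page_response(group_path: 'gitlab-org', token: nil, logged_in: false)
  p sso_page_response(group_path: 'nope', token: nil, logged_in: false)
  # Logged out with the token: the SSO page is shown.
  p sso_page_response(group_path: 'gitlab-org', token: 'a3f9c2e1d4b5f6a7b8c9', logged_in: false)
end
```

The point to check when implementing this for real is that every failure path for a logged out request produces a byte-identical 404 response; a distinct 403 or a different error page for "wrong token" versus "no such group" would reintroduce the enumeration the token is meant to prevent.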
Edited by Jeremy Watson (ex-GitLab)