GitLab.org / GitLab / Issues / #9152 (Closed)

Created Jan 11, 2019 by Jeremy Watson (ex-GitLab) @jeremy-gl (Contributor). 2 of 2 tasks completed.

Group SAML - Check SSO status on Git activity

Problem to solve

While we're enforcing SSO, we should similarly enforce SSO outside of the GitLab UI. For the purposes of security, this gives enterprises a greater degree of control over protected resources. This is especially important for GitLab.com customers given multitenancy.

Proposal

We should perform the same check on Git activity that we do in the UI:

  • When a user attempts a clone, push or pull for a project in a group that's enforcing SSO:
    • If the represented user does not meet the SSO login threshold, present them with an error: "Cannot find valid SSO session. Please login via your group's SSO at https://gitlab.com/users/sign_in?"
  • Users will need to log in via the UI and then attempt the Git operation again.
  • Enabling Git SSO check should be a configuration option at the group level.
  • Credentials that are not tied to human users should not have an SSO check enforced (project access tokens, deploy keys, etc.).
  • SSH and HTTPS Git activity should both be checked.

Note from @jamedjo: "Add check to UserAccess and user_access_denied_reason.rb to be displayed from GitAccess#check_active_user!. UserAccess changes can either be in the policy (:push_code and :read_project) or could be in UserAccess directly."
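The decision the proposal describes, as an added Ruby sketch (not GitLab's own code and not the UserAccess/GitAccess implementation named in the note): a group-level switch, an exemption for non-human credentials, a session-age threshold, and the same path for SSH and HTTPS. The struct names, the `:ssh`/`:https` symbols and the 24-hour window are assumptions.

```ruby
require 'time'

# Constructed model of the Git SSO check proposed in this issue.
# Returns nil when access is allowed, otherwise the denial reason
# (the shape user_access_denied_reason would need to surface).

SSO_DENIED_MESSAGE =
  "Cannot find valid SSO session. Please login via your group's SSO at " \
  "https://gitlab.com/users/sign_in?".freeze

# Credential kinds not tied to a human user: exempt from the check.
NON_HUMAN_ACTORS = %i[deploy_key project_access_token].freeze

# Both transports must go through the same check; anything else is rejected.
GIT_PROTOCOLS = %i[ssh https].freeze

# Assumed session freshness window; the real threshold is group policy.
SSO_SESSION_MAX_AGE = 24 * 60 * 60

Group = Struct.new(:name, :enforce_sso_on_git, keyword_init: true)
Actor = Struct.new(:kind, :username, :sso_session_at, keyword_init: true)

def git_sso_denied_reason(group:, actor:, protocol:, now: Time.now)
  raise ArgumentError, "unknown protocol #{protocol}" unless GIT_PROTOCOLS.include?(protocol)

  # Group-level configuration option: check is off unless enabled.
  return nil unless group.enforce_sso_on_git
  # Deploy keys, project access tokens, etc. are never asked for an SSO session.
  return nil if NON_HUMAN_ACTORS.include?(actor.kind)
  # A human user must have a SAML session, and it must be recent enough.
  return SSO_DENIED_MESSAGE if actor.sso_session_at.nil?
  return SSO_DENIED_MESSAGE if now - actor.sso_session_at > SSO_SESSION_MAX_AGE

  nil
end

if __FILE__ == $PROGRAM_NAME
  group = Group.new(name: "acme", enforce_sso_on_git: true)
  now = Time.utc(2019, 1, 11, 12, 0, 0)
  stale = Actor.new(kind: :user, username: "alice", sso_session_at: now - 2 * SSO_SESSION_MAX_AGE)
  puts git_sso_denied_reason(group: group, actor: stale, protocol: :ssh, now: now)
  # After signing in via the UI the session is fresh and the retry succeeds.
  fresh = Actor.new(kind: :user, username: "alice", sso_session_at: now)
  puts git_sso_denied_reason(group: group, actor: fresh, protocol: :ssh, now: now).inspect
end
```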

Issue readiness

  • Product: issue description is accurate with an acceptable proposal for an MVC
  • Engineering: issue is implementable with few remaining questions, is sufficiently broken down, and is able to be estimated
Edited Mar 09, 2021 by Melissa Ushakov