You Can Still Join Private Group Using SAML Authentication after Admin Disabled SAML

HackerOne report #482429 by ngalog on 2019-01-19, assigned to estrike:

Summary:
A group admin can disable or enable SAML SSO after configuring it.

I found that after properly configuring SAML SSO, even if the owner of the group disabled SAML, as in this screenshot, a user could still use SAML SSO to join this group as a member.

Steps To Reproduce:

  • Log in to gitlab.com and visit https://gitlab.com/groups/serverless-group/-/saml/sso

  • Click authorize

  • Use test@gitlab.com: to log in

  • You are now a member of my private group

  • But my private group https://gitlab.com/serverless-group/ has SAML authentication disabled, as shown in the screenshot -- you can view it as an admin to double check my claim

Impact

You Can Still Join Private Group Using SAML Authentication after Admin Disabled SAML

Attachments

Warning: Attachments received through HackerOne, please exercise caution!
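The defect the report describes is a group-level SAML join that checks the SAML assertion but never consults the group's own "SAML enabled" setting. The following is an added example, not GitLab's code; the Group, SamlProvider and GroupSamlJoin names, and the toggle semantics, are hypothetical and stand in for whatever the real application uses. It shows the vulnerable flow beside a hardened one that treats the group's enabled flag as authoritative.

```ruby
# Added example (not GitLab's code). Models a group with a configured but
# possibly disabled SAML provider, and a join flow for its /saml/sso endpoint.
# All class names here are hypothetical stand-ins.

SamlProvider = Struct.new(:enabled, :sso_url)

class Group
  attr_reader :path, :members, :saml_provider

  def initialize(path, saml_provider)
    @path = path
    @saml_provider = saml_provider
    @members = []
  end
end

class GroupSamlJoin
  Result = Struct.new(:status, :reason)

  # assertion_valid: stands in for the IdP response having passed
  # signature/audience/expiry validation upstream.
  def initialize(group, assertion_valid:)
    @group = group
    @assertion_valid = assertion_valid
  end

  # Vulnerable flow matching the report: a provider that was configured and
  # later disabled still grants membership because only the assertion is checked.
  def join_without_enabled_check(user)
    return Result.new(:denied, 'invalid assertion') unless @assertion_valid

    @group.members << user unless @group.members.include?(user)
    Result.new(:joined, nil)
  end

  # Hardened flow: the group's enabled flag is checked first, so disabling SAML
  # closes the join path regardless of how valid the assertion is.
  def join(user)
    provider = @group.saml_provider
    return Result.new(:denied, 'saml disabled for group') unless provider&.enabled
    return Result.new(:denied, 'invalid assertion') unless @assertion_valid

    @group.members << user unless @group.members.include?(user)
    Result.new(:joined, nil)
  end
end
```

A regression test for this class of bug should assert on the disabled state with an otherwise valid assertion, since that is exactly the combination the report exercised.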

Edited Jan 25, 2022 by Nick Malcolm