
Fix SSO enforcement for public projects

What does this MR do and why?

Describe in detail what your merge request does and why.

Related to Transparent SSO enforcement for group members o... (#215155 - closed) and Update permissions for SSO enforcement for publ... (#378928 - closed)

Fixes SSO enforcement for public projects. Previously, when SSO enforcement was enabled for a public project, access was broken: both members and non-members could access the project, issues and MRs, but things such as the ability to comment on issues were broken.

This fix causes two different behavior changes:

  1. When SSO is explicitly enforced, all members will be required to have an active SSO session to access the public projects.
  2. When SSO is enabled, but not enforced, and when the :transparent_sso_enforcement feature flag is enabled, all members with a SAML SSO identity will be required to have an active SSO session. Members without an identity, and non-members, will be able to access the project without SSO.

The desired behavior matrix is now covered by tests, and works as expected.

Current:

| Visibility | SSO Enforced Setting | Member | Non-member |
|---|---|---|---|
| Private | Off | Not enforced | No access |
| Private | Enforced | Enforced | No access |
| Public | Off | Not enforced | Not enforced |
| Public | Enforced | Enforced (but broken) | Enforced (but broken) |

Desired behavior (w/ Transparent SSO enabled)

| Visibility | SSO Enforced Setting | Member w/ Identity | Member w/o Identity | Non-member/Anonymous user (Not signed in) |
|---|---|---|---|---|
| Private | Off | Enforced | Not enforced | No access |
| Private | Enforced | Enforced | Enforced | No access |
| Public | Off | Enforced | Not enforced | Not enforced |
| Public | Enforced | Enforced | Enforced | Not enforced |

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

This is very difficult for reviewers to test locally because it takes quite a bit to configure Group SAML in GDK. The screen recordings below aim to illustrate the before and after behavior to help reviewers understand and to see that it works even though they may not set it up locally.

The screen recordings were done while transparent SSO feature flag was enabled.

Before

transparent_sso_broken

After

Transparent_SSO_Fixed

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing
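The desired behaviour matrix above, encoded as a small policy so that every cell (visibility, enforcement setting, membership, SAML identity, feature flag) can be checked. This is an added example, not GitLab's code from this MR; the module and method names (`SsoEnforcementPolicy`, `decision`, `allowed?`) and the keyword arguments are hypothetical.

```ruby
# Added example (not GitLab's own code): the desired SSO enforcement matrix
# from the MR description as a policy function. All names are hypothetical.
module SsoEnforcementPolicy
  NO_ACCESS    = :no_access     # private project, user is not a member
  ENFORCED     = :enforced      # an active SAML SSO session is required
  NOT_ENFORCED = :not_enforced  # access is allowed without an SSO session

  # visibility:      :public or :private
  # sso_enforced:    the group's "Enforce SSO-only authentication" setting
  # member:          the user is a member of the project/group
  # saml_identity:   the user has a SAML identity for the group (nil if anonymous)
  # transparent_sso: state of the :transparent_sso_enforcement feature flag
  def self.decision(visibility:, sso_enforced:, member:, saml_identity:, transparent_sso: true)
    # Non-members never reach a private project, whatever the SSO settings.
    return NO_ACCESS if visibility == :private && !member

    # Non-members (including anonymous users) of a public project are never
    # asked for an SSO session; there is nothing to enforce against them.
    return NOT_ENFORCED unless member

    # Explicit enforcement: every member needs an active SSO session.
    return ENFORCED if sso_enforced

    # Transparent enforcement: only members who already have a SAML identity
    # must keep an active session; members without one are left alone.
    return ENFORCED if transparent_sso && saml_identity

    NOT_ENFORCED
  end

  # Final allow/deny for a request, given whether the user currently has an
  # active SSO session for the group.
  def self.allowed?(active_sso_session:, **attrs)
    case decision(**attrs)
    when NO_ACCESS then false
    when ENFORCED  then active_sso_session
    else true
    end
  end
end
```

Passing `transparent_sso: false` reproduces the "Current" row for members without enforcement (not enforced even with an identity), which is the behaviour the feature flag changes.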
