
Get ArkoseLabs risk score for new SAML users

Eugie Limpin requested to merge el-saml-signup-arkoselabs-challenge into master

This MR depends on !102317 (closed)

Implements https://gitlab.com/gitlab-org/modelops/anti-abuse/pipeline-validation-service/-/issues/160

What does this MR do and why?

This MR builds on top of !102317 (closed) to redirect newly created users (after signing in with SAML for the first time) to a page where they are shown the ArkoseLabs challenge to solve.

Why?

The identity verification methods required for new users depend on their ArkoseLabs risk band. That is:

  1. High risk band - credit card, phone number, and email verification are required
  2. Medium risk band - phone number and email verification are required
  3. Low risk band - email verification is required

An ArkoseLabs risk band is assigned to a user after they have successfully solved the ArkoseLabs challenge.
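As an added illustration (not code from this MR or from GitLab), a small Ruby model of the gating described above: no risk band exists until the challenge is solved, the band fixes the required verification methods, and feature flags (the ones toggled in the setup steps below) can switch individual methods off. The risk band strings, flag names and the user hash are assumptions.

```ruby
# Illustrative model (not GitLab's implementation) of how identity verification
# is gated for a new SAML user: ArkoseLabs challenge first, then the methods
# required by the resulting risk band, minus any method whose flag is disabled.

# Assumed risk band labels, taken from the MR description.
RISK_BAND_REQUIREMENTS = {
  'High'   => %i[credit_card phone_number email],
  'Medium' => %i[phone_number email],
  'Low'    => %i[email]
}.freeze

# Flag names mirror the ones toggled in the Rails console setup steps.
DEFAULT_FLAGS = {
  identity_verification: true,
  identity_verification_phone_number: true,
  identity_verification_credit_card: true
}.freeze

# Which flag (if any) controls each verification method.
METHOD_FLAGS = {
  phone_number: :identity_verification_phone_number,
  credit_card: :identity_verification_credit_card
}.freeze

# Methods required for a risk band, dropping those whose flag is off.
def required_verification_methods(risk_band, flags = DEFAULT_FLAGS)
  methods = RISK_BAND_REQUIREMENTS.fetch(risk_band) do
    raise ArgumentError, "unknown risk band: #{risk_band.inspect}"
  end
  methods.reject do |method|
    flag = METHOD_FLAGS[method]
    flag && !flags[flag]
  end
end

# Next step for a user. `user` is a constructed Hash with
#   :arkose_risk_band - nil until the challenge has been solved
#   :verified         - methods the user has already completed
# Returns :arkose_challenge, the next verification method, or :done.
def next_identity_verification_step(user, flags = DEFAULT_FLAGS)
  return :done unless flags[:identity_verification]
  return :arkose_challenge if user[:arkose_risk_band].nil?

  required = required_verification_methods(user[:arkose_risk_band], flags)
  (required - user[:verified]).first || :done
end
```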

Screenshots or screen recordings

https://www.loom.com/share/a3e267faa7b14b3ba332ae906bcccb07

How to set up and validate locally

Set up

  1. Set up GDK for testing SAML SSO for GitLab.com groups

    What your gitlab.yml should look like:

    ```yaml
    production: &base
      omniauth:
        # Allow login via Twitter, Google, etc. using OmniAuth providers
        enabled: true
    development:
      <<: *base
      omniauth:
        allow_single_sign_on: true
        auto_link_saml_user: true
        providers:
        - { name: 'group_saml' }
    ```
  2. Toggle relevant feature flags:

    ```console
    $ rails console
    > Feature.enable(:identity_verification)
    > ApplicationSetting.first.update({ arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client' })
    > Feature.disable(:identity_verification_phone_number) # To make testing simpler, we turn off phone number verification
    > Feature.disable(:identity_verification_credit_card) # To make testing simpler, we turn off credit card verification
    ```

    Notes:

    • Credentials are available in GitLab 1Password Engineering Vault
  3. Force ArkoseLabs to always require the user to solve the challenge. Update `ee/app/assets/javascripts/arkose_labs/components/identity_verification_arkose_app.vue`:

    ```javascript
    arkoseObject.setConfig({
      data: { id: 'ML_defence' }, // ADD THIS LINE
      mode: 'inline',
      selector: `.${this.arkoseContainerClass}`,
      onShown: this.onArkoseLabsIframeShown,
      onCompleted: this.passArkoseLabsChallenge,
    });
    ```

Validate

  1. Get the URL for your group that was configured with SAML SSO
  2. In another browser window (not logged in to your local GDK instance), visit the group's URL. You should be redirected to a page that looks like:
    📸 Screen_Shot_2022-12-02_at_1.52.20_PM
  3. Click Sign in and get redirected to the identity provider sign-in page:
    📸 Screen_Shot_2022-12-02_at_1.53.35_PM
  4. Sign in with username `user1` and password `user1pass` (or any of the test users that do not yet have a corresponding user record in your local GDK instance).
  5. Validate that after signing in you are redirected to the page where the ArkoseLabs challenge is shown:
    📸 Screen_Shot_2022-12-02_at_1.57.07_PM
  6. Solve the challenge
  7. Validate that you are redirected to the identity verification page showing email verification step:
    📸 Screen_Shot_2022-12-02_at_1.58.20_PM

💡 If you want to test with the same user again, just delete the User record from the Rails console with the following command: `User.last.destroy`

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
