Get ArkoseLabs risk score for new SAML users
⚠ This MR depends on !102317 (closed)
Implements https://gitlab.com/gitlab-org/modelops/anti-abuse/pipeline-validation-service/-/issues/160
What does this MR do and why?
This MR builds on top of !102317 (closed) to redirect newly created users (after signing in with SAML for the first time) to a page where they are shown the ArkoseLabs challenge to solve.
Why?
The identity verification methods required for new users depend on their ArkoseLabs risk band. That is:
- High risk band - credit card, phone number and email verification are required
- Medium risk band - phone number and email verification are required
- Low risk band - email verification is required
An ArkoseLabs risk band is assigned to a user after they have successfully solved the ArkoseLabs challenge.
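The rule above (no risk band until the challenge is solved, then a band-dependent set of steps, with individual steps switchable by feature flag as in the local setup notes) is small enough to model directly. The following is an added illustrative example and not GitLab's own code; `IdentityVerificationExample`, `next_action`, `record_challenge_result` and the flag-list argument standing in for `Feature.enabled?` are assumptions made for the example, while the flag names are the ones used in the setup steps below.

```ruby
# Added illustrative example (not GitLab's code): models the identity-verification
# rule from the MR description. A new SAML user has no ArkoseLabs risk band until
# the challenge is solved; afterwards the required steps depend on the band, and
# individual steps can be switched off by the feature flags named in the setup notes.
module IdentityVerificationExample
  # Ordered verification steps per risk band, as listed in the MR description.
  STEPS_BY_RISK_BAND = {
    'High'   => %i[credit_card phone_number email],
    'Medium' => %i[phone_number email],
    'Low'    => %i[email]
  }.freeze

  # Feature flags that gate individual steps (email verification has no flag).
  STEP_FLAGS = {
    credit_card: :identity_verification_credit_card,
    phone_number: :identity_verification_phone_number
  }.freeze

  # Minimal stand-in for the user record: risk_band stays nil until the
  # ArkoseLabs challenge has been solved.
  User = Struct.new(:email, :risk_band, keyword_init: true)

  # Decides what a newly created SAML user has to do next.
  #   :skip                  - identity verification feature is not enabled
  #   :arkose_challenge      - no risk band yet, the challenge must be solved first
  #   [:verify, [steps...]]  - ordered verification steps still required
  # `enabled_flags` is an Array of flag symbols (a hypothetical stand-in for Feature.enabled?).
  def self.next_action(user, enabled_flags)
    return :skip unless enabled_flags.include?(:identity_verification)
    return :arkose_challenge if user.risk_band.nil?

    steps = STEPS_BY_RISK_BAND.fetch(user.risk_band) do
      raise ArgumentError, "unknown risk band: #{user.risk_band.inspect}"
    end

    required = steps.select do |step|
      flag = STEP_FLAGS[step]
      flag.nil? || enabled_flags.include?(flag)
    end

    [:verify, required]
  end

  # Records the band ArkoseLabs assigned once the challenge was solved; rejects
  # anything outside the three known bands so a bad value cannot skip steps.
  def self.record_challenge_result(user, risk_band)
    unless STEPS_BY_RISK_BAND.key?(risk_band)
      raise ArgumentError, "risk band must be one of #{STEPS_BY_RISK_BAND.keys.join(', ')}"
    end

    User.new(email: user.email, risk_band: risk_band)
  end
end

if $PROGRAM_NAME == __FILE__
  # Same flag state as the setup notes: feature on, phone and credit card steps off.
  flags = %i[identity_verification]
  user = IdentityVerificationExample::User.new(email: 'user1@example.com') # constructed sample
  p IdentityVerificationExample.next_action(user, flags)                  # => :arkose_challenge
  user = IdentityVerificationExample.record_challenge_result(user, 'High')
  p IdentityVerificationExample.next_action(user, flags)                  # => [:verify, [:email]]
end
```

With all three flags enabled a "High" user gets every step; with the two step flags disabled, as in the local setup, even a "High" user is left with email verification only, which is exactly why the setup notes say disabling them makes testing simpler.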
Screenshots or screen recordings
https://www.loom.com/share/a3e267faa7b14b3ba332ae906bcccb07
How to set up and validate locally
Set up
- Set up GDK for testing SAML SSO for GitLab.com groups
  - https://gitlab.com/gitlab-org/gitlab-development-kit/blob/8a491f7bcdc568f61ba8244bd96bc597dbe7df15/doc/howto/saml.md
  - https://docs.gitlab.com/ee/user/group/saml_sso/
What your gitlab.yml should look like:

```yaml
production: &base
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: true

development:
  <<: *base
  omniauth:
    allow_single_sign_on: true
    auto_link_saml_user: true
    providers:
      - { name: 'group_saml' }
```
- Toggle relevant feature flags:

```
$ rails console
> Feature.enable(:identity_verification)
> ApplicationSetting.first.update({ arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client' })
> Feature.disable(:identity_verification_phone_number) # To make testing simpler, we turn off phone number verification
> Feature.disable(:identity_verification_credit_card) # To make testing simpler, we turn off credit card verification
```
Notes:
- Credentials are available in GitLab 1Password Engineering Vault
- Force ArkoseLabs to always require the user to solve the challenge. Update ee/app/assets/javascripts/arkose_labs/components/identity_verification_arkose_app.vue:

```diff
 arkoseObject.setConfig({
+  data: { id: 'ML_defence' }, // ADD THIS LINE
   mode: 'inline',
   selector: `.${this.arkoseContainerClass}`,
   onShown: this.onArkoseLabsIframeShown,
   onCompleted: this.passArkoseLabsChallenge,
 });
```
Validate
- Get the URL for your group that was configured with SAML SSO
- In another browser window (not logged in to your local GDK instance), visit the group's URL. You should be redirected to a page that looks like:
- Click Sign in and get redirected to the identity provider sign-in page:
- Sign in with username: user1 and password: user1pass (or any other test user that does not yet have a corresponding user record in your local GDK instance)
- Validate that after signing in you are redirected to the page where the ArkoseLabs challenge is shown:
- Solve the challenge
- Validate that you are redirected to the identity verification page showing the email verification step:
User record from Rails console with the following command: User.last.destroy
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.