
SSO enforcement: Respect Admin Mode & always apply to private resources

Bogdan Denkovych requested to merge bdenkovych-fix-SSO-enforcement into master

What does this MR do and why?

Closes #404564 (closed)

When Enforce SSO-only authentication for web activity for this group is enabled, this MR:

Since !102104 (merged) and !114111 (merged), SSO enforcement is not applied when non-members or not signed-in users access public groups or projects. While reviewing those MRs, we noticed an inconsistency between accessing private groups and private projects; see this thread: !114111 (comment 1333808828).

As per the current state of the SSO enforcement table:

| Project/Group visibility | Enforce SSO setting | Member with identity | Member without identity | Non-member or not signed in |
|---|---|---|---|---|
| Private | Off | Enforced | Not enforced | No access |
| Private | On | Enforced | Enforced | No access |

According to that table, SSO enforcement is not applied to non-members or not signed-in users for private resources. As per the thread !116570 (comment 1339685424), that is not the behavior we want: SSO enforcement should always be applied when a non-member or not signed-in user visits a private resource, so that they are redirected to the group's SSO page instead of /users/sign_in or a not-found page.

"No access" - Default behavior: Not found page or redirect to /users/sign_in; SSO enforcement is not applied.

"Enforced" - Redirects to the SSO page of the group. SSO enforcement is applied.

Currently, when

  • non-members access
    • private group, they see not found page
    • private project, they are redirected to the SSO page of the group
  • not signed-in users access
    • private group, they are redirected to /users/sign_in page
    • private project, they are redirected to the SSO page of the group

The behavior should be consistent for groups and projects.

As per the SSO enforcement table documentation updates in this MR, "SSO enforcement" should always be applied to group members and to private resources. This MR aligns and refactors the implementation to reflect this: it aligns the policy definitions related to SSO enforcement in ee/app/policies/ee/group_policy.rb and ee/app/policies/ee/project_policy.rb with the SSO enforcement table in the docs, to ease future refactorings like #378400.
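As an added illustration (not GitLab's own policy code, and not part of this MR), the following Ruby models the decision described above as two rules: the behavior listed under "Currently, when", where a private group and a private project treat non-members differently, and the aligned rule where every private resource and every group member gets SSO enforcement. The method names, the `:group`/`:project` and `:public`/`:private` symbols, and the keyword arguments are hypothetical; the consistency check walks the whole input space rather than only the rows quoted in the table.

```ruby
# Added illustration, not GitLab's own policy code: a small model of the
# SSO-enforcement decision described in this MR. Resource and user attributes
# are plain keyword arguments; the method names are hypothetical.

# Outcomes, named as in the MR's table.
ENFORCED     = :enforced       # redirect to the group's SSO page
NOT_ENFORCED = :not_enforced   # SSO enforcement not applied; normal authorization follows
NO_ACCESS    = :no_access      # default behavior: not-found page or redirect to /users/sign_in

# Rows of the table that are the same before and after this MR: a member with a
# SAML identity is always enforced; a member without one only when the group's
# "Enforce SSO" setting is on.
def member_outcome(enforce_sso:, identity:)
  (identity || enforce_sso) ? ENFORCED : NOT_ENFORCED
end

# Behavior before this MR, as described under "Currently, when": non-members
# and not signed-in users get "No access" on a private group but an SSO
# redirect on a private project.
def sso_outcome_before(resource_type:, visibility:, enforce_sso:, member:, identity:)
  return member_outcome(enforce_sso: enforce_sso, identity: identity) if member
  return NOT_ENFORCED if visibility == :public # public resources are not enforced for non-members
  resource_type == :project ? ENFORCED : NO_ACCESS
end

# Aligned rule from this MR: SSO enforcement is applied to group members (per
# the rows above) and to every private resource, whoever is visiting.
def sso_outcome_after(resource_type:, visibility:, enforce_sso:, member:, identity:)
  return member_outcome(enforce_sso: enforce_sso, identity: identity) if member
  visibility == :private ? ENFORCED : NOT_ENFORCED
end

# Walk the whole decision space and return every input where a group and a
# project are treated differently; an empty result means the rule is consistent.
def group_project_mismatches(rule)
  [:public, :private].product([false, true], [false, true], [false, true]).filter_map do |visibility, enforce_sso, member, identity|
    next if !member && identity # an identity is only meaningful for members
    args = { visibility: visibility, enforce_sso: enforce_sso, member: member, identity: identity }
    group   = rule.call(resource_type: :group, **args)
    project = rule.call(resource_type: :project, **args)
    [args, group, project] unless group == project
  end
end

# Render the private-resource rows for one resource type, in the doc's column order.
def private_table(rule, resource_type)
  [false, true].map do |enforce_sso|
    common = { resource_type: resource_type, visibility: :private, enforce_sso: enforce_sso }
    {
      enforce_sso: enforce_sso ? :on : :off,
      member_with_identity:    rule.call(member: true,  identity: true,  **common),
      member_without_identity: rule.call(member: true,  identity: false, **common),
      non_member_or_anonymous: rule.call(member: false, identity: false, **common),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  before = method(:sso_outcome_before)
  after  = method(:sso_outcome_after)
  puts "group/project mismatches before: #{group_project_mismatches(before).size}" # 2
  puts "group/project mismatches after:  #{group_project_mismatches(after).size}"  # 0
  private_table(after, :group).each { |row| p row }
end
```

The two mismatches the "before" rule reports are exactly the private, non-member (or not signed-in) cases with the setting off and on; the "after" rule reports none, and its private-resource table is identical for groups and projects, which is the property the policy refactoring in this MR is meant to guarantee.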

Related to MRs: !102104 (merged), !114111 (merged)

Related to issues #378928 (closed), #386920 (closed)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Bogdan Denkovych
