Allow Service Account to be added to SSO-enforced group
What does this MR do and why?
Fixes #417300 (closed)
Allow Service Account to be added to SSO-enforced group
Service Accounts cannot sign-in interactively, and they're meant to be used regardless of SSO enforcement settings. This change allows a Service Account to be added as a member via the API and UI even when SSO is enforced.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
Screen_Recording_2023-09-06_at_3.35.35_PM | Screen_Recording_2023-09-06_at_3.32.05_PM |
Database
Before
SELECT
users.*
FROM
users
JOIN identities ON identities.user_id = users.id
WHERE
users.state IN ( 'blocked', 'banned', 'ldap_blocked' ) AND
identities.saml_provider_id = 112
ORDER BY
users.id DESC;
After
SELECT
users.*
FROM
(
(
SELECT
users.*
FROM
users
JOIN identities ON identities.user_id = users.id
WHERE
users.state IN ( 'blocked', 'banned', 'ldap_blocked' ) AND
identities.saml_provider_id = 112
)
UNION
(
SELECT
users.*
FROM
users
JOIN user_details AS user_detail ON user_detail.user_id = users.id
WHERE
users.state IN ( 'blocked', 'banned', 'ldap_blocked' ) AND
users.user_type = 13 AND
user_detail.provisioned_by_group_id = 1028
)
) AS users
WHERE
users.state IN ( 'blocked', 'banned', 'ldap_blocked' )
ORDER BY
users.id DESC;
Explain
Before
https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22101/commands/71475
After
https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22101/commands/71470
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Set up a Group with Group SAML following https://docs.gitlab.com/ee/user/group/saml_sso/
- Make sure to select "Enforce SSO-only authentication for web activity for this group" in SAML SSO settings for the group.
- Create a service account for the group - https://docs.gitlab.com/ee/api/groups.html#create-service-account-user
- Add the account as a member of the group through the API:
MY_TOKEN=<paste-valid-token-here> curl --request POST --header "PRIVATE-TOKEN: $MY_TOKEN" \ --header "Content-Type:application/json" \ --data '{ "user_id": "<service-acct-id>", "access_level": 20 }' \ "https://gdk.test:3443/api/v4/groups/<group-id>/members"
- Prior to this MR, observe error:
{"message":{"user":["is not linked to a SAML account"]}}
- After this MR, observe a successful response:
{"access_level":20,"created_at":"2023-07-11T18:58:53.247Z","created_by":{"id":1,"username":"root","name":"Administrator","state":"active"},"expires_at":null,"id":79,"username":"service_account_group_33_087942a596ce3bd9cd21704dc3c2a455","name":"Service account user","state":"active","email":"service_account_group_33_087942a596ce3bd9cd21704dc3c2a455@noreply.gdk.test","membership_state":"active"}
- Ensure the service account user is removed from the group and repeat via the UI. Navigate to the group > Members > Invite members and search for
service
to see service accounts. Prior to this MR, no service accounts would appear when SSO is enforced. After, service accounts are searchable.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.