Skip to content

Add optional SAML Auth requirement for MR approval

What does this MR do and why?

What: Enables groups to require the user to authenticate with SAML before being able to approve a merge request in their projects.

Why: Certain groups need to comply with standards/frameworks which require users to be authenticated before each approval for auditing purposes.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After (with require_password_to_approve MR setting enabled, with user that has SAML ID linked)
Screenshot_2023-11-03_at_10.39.16 Screenshot_2023-11-03_at_10.51.42
Group/Project Settings (before) Group/Project Settings (after)
Project settings before Project settings after
Screenshot_2023-11-10_at_14.32.05 Screenshot_2023-11-10_at_14.32.19
Group settings before Group settings after
Screenshot_2023-11-10_at_14.35.00 Screenshot_2023-11-10_at_14.34.00

How to set up and validate locally

  1. Have GDK on HTTPS & Setup a fake SAML IdP https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/saml.md
  2. Enable SAML Auth for Twitter group (Group ID: 35) or another group and adapt following steps.
  3. Require SAML Auth for approval in Group MR Approval Settings (in rails console)
    group = Group.find_by(id: 35)
    gs = GroupMergeRequestApprovalSetting.new
    gs.group = group
    gs.allow_author_approval = true
    gs.allow_committer_approval = true
    gs.require_saml_auth_to_approve = true
    gs.save
  4. Create a code change and merge request to go with it
  5. Got to created MR. It should now require SAML auth to approve, indicated by "Approve with SAML" button.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Refs:

Parts of this MR review were handled in Backend Pairing today (2023-11-08): Recording here https://youtu.be/_hi3ETbJUnw

Edited by Sam Figueroa

Merge request reports

Loading