Add optional SAML Auth requirement for MR approval
What does this MR do and why?
What: Enables groups to require the user to authenticate with SAML before being able to approve a merge request in their projects.
Why: Certain groups need to comply with standards/frameworks which require users to be authenticated before each approval for auditing purposes.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After (with require_password_to_approve MR setting enabled, with user that has SAML ID linked) |
|---|---|
 |
 |
| Group/Project Settings (before) | Group/Project Settings (after) |
|---|---|
| Project settings before | Project settings after |
 |
 |
| Group settings before | Group settings after |
 |
 |
How to set up and validate locally
- Have GDK on HTTPS & Setup a fake SAML IdP https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/saml.md
- Enable SAML Auth for Twitter group (Group ID:
35) or another group and adapt following steps. - Require SAML Auth for approval in Group MR Approval Settings (in
rails console)group = Group.find_by(id: 35) gs = GroupMergeRequestApprovalSetting.new gs.group = group gs.allow_author_approval = true gs.allow_committer_approval = true gs.require_saml_auth_to_approve = true gs.save - Create a code change and merge request to go with it
- Got to created MR. It should now require SAML auth to approve, indicated by "Approve with SAML" button.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Refs:
- [BE] Add optional SAML auth flow to MergeReques... (#421959 - closed) • Sam Figueroa • 16.7
- [FE] SAML based Merge Request Approval (#421961 - closed) • Sam Figueroa • 16.7
- SAML SSO authentication for merge request approval (&11084)
Parts of this MR review were handled in Backend Pairing today (2023-11-08): Recording here https://youtu.be/_hi3ETbJUnw
Edited by Sam Figueroa