
Add API endpoint to return current SSO session expiry time

Andrew Evans requested to merge 419578-session-expiry-api-endpoint into master

What does this MR do and why?

Add API endpoint to return current SSO session expiry time, to be used in !142569 (merged)

Originating issue #419578 (closed)

This change will add an EE-only API endpoint to return the expiry time of the user's current Group SAML SSO sessions. This way the frontend can be more responsive if a tab is left open overnight or over the weekend, and the client no longer has an active SSO session for one or multiple groups.

TODO:

  • Determine how to store session_expires_at for group_saml/sso_state, which does not have a hash-based store
    • Add a new group_saml/sso_expiry_state class with its own Gitlab::NamespacedSessionStore? Changing formats for ActiveSession model looks prohibitively complex
  • Ensure that <saml:AuthnStatement SessionNotOnOrAfter='...' is the intended end-time of the authorized session - looks like AWS uses it, at least
  • add API endpoint to return SSO session expiry time stored in session data
    • determine if this should be for just one instance / group SAML provider, or for all providers (update: all Group SAML providers; we could also add instance SAML, but we currently do not track expiry of these sessions, and the feature is primarily targeted at SaaS)
    • determine response format: JSON? bare ms time-to-expiry interval?
  • refactor, ensure all new code is specced

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before / After: Screenshot_2024-02-29_at_5.28.26_PM (screenshot image not reproduced here)

How to set up and validate locally

  1. check out branch
  2. configure Group SAML for a group and sign in - GDK howto guide
  3. visit /-/user_settings/active_sessions/saml to view time remaining data

Related to #419578 (closed)

Edited by Andrew Evans
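The flow the MR description sketches, as an added illustration that is not part of this MR or GitLab's code: read SessionNotOnOrAfter from a SAML AuthnStatement, keep it per Group SAML provider in a namespaced slot of the session, and answer an expiry query with the stored time plus milliseconds remaining. The assertion fragment is constructed, and `SsoExpiryState`, `sso_session_expiry_response`, the namespace string and the plain-Hash session stand-in for Gitlab::NamespacedSessionStore are all hypothetical names chosen for the example.

```ruby
require 'rexml/document'
require 'time'
require 'json'

# Constructed sample SAML assertion fragment (not a real IdP or GitLab message).
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AuthnStatement AuthnInstant="2024-02-29T17:00:00Z"
                         SessionIndex="constructed-session-index"
                         SessionNotOnOrAfter="2024-02-29T21:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
XML

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Extract SessionNotOnOrAfter from the AuthnStatement.
# Returns a Time, or nil when the IdP did not send the attribute (it is optional in SAML 2.0),
# so callers must treat "no expiry known" as a distinct case rather than "never expires".
def session_not_on_or_after(assertion_xml)
  doc = REXML::Document.new(assertion_xml)
  stmt = REXML::XPath.first(doc, '//saml:AuthnStatement', SAML_NS)
  return nil unless stmt

  value = stmt.attributes['SessionNotOnOrAfter']
  value && Time.iso8601(value)
end

# Hypothetical per-provider expiry state living in its own namespaced slot of the session.
# A plain Hash stands in for the session and for Gitlab::NamespacedSessionStore here.
class SsoExpiryState
  NAMESPACE = 'group_saml/sso_expiry_state'.freeze # assumed key, not GitLab's

  def initialize(session)
    @store = (session[NAMESPACE] ||= {})
  end

  # Store the expiry as an ISO 8601 string so the session stays serialisable.
  def record(provider_id, expires_at)
    @store[provider_id.to_s] = expires_at.utc.iso8601
  end

  def expiry_for(provider_id)
    value = @store[provider_id.to_s]
    value && Time.iso8601(value)
  end

  def all
    @store.transform_values { |v| Time.iso8601(v) }
  end
end

# Endpoint-style JSON body: one entry per tracked Group SAML provider with the stored expiry
# and the milliseconds remaining, clamped at 0 once the session has lapsed.
def sso_session_expiry_response(session, now: Time.now.utc)
  SsoExpiryState.new(session).all.map do |provider_id, expires_at|
    remaining_ms = [((expires_at - now) * 1000).to_i, 0].max
    {
      'saml_provider_id' => provider_id,
      'session_expires_at' => expires_at.iso8601,
      'expires_in_ms' => remaining_ms,
      'expired' => remaining_ms.zero?
    }
  end
end

# Walk the whole flow once with the constructed assertion and a fixed reference time.
def demo
  session = {}
  expires_at = session_not_on_or_after(SAMPLE_ASSERTION)
  SsoExpiryState.new(session).record(42, expires_at)
  sso_session_expiry_response(session, now: Time.utc(2024, 2, 29, 20, 0, 0))
end

puts JSON.pretty_generate(demo) if __FILE__ == $PROGRAM_NAME
```

Returning both the absolute timestamp and a relative interval answers the "JSON or bare ms" question from the TODO list in one shape: the absolute value lets a client that was asleep recompute locally, while the interval is what a polling tab needs directly.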
