Web IDE: handle SSO redirect during authorization

Issue: Web IDE Endpoints do not Redirect to SSO Provid... (#424770 - closed)

What does this MR do and why?

Users signed in to GitLab but not authenticated via group SSO receive a 404 when attempting to access the Web IDE for projects under that group. To fix this, the Web IDE authorization logic is updated to redirect the user to the SSO provider, using the existing find_routable! helper.

References

Web IDE Endpoints do not Redirect to SSO Provid... (#424770 - closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before / After

  • before (Before): Signed in to GitLab, not signed in via SSO. 404 when attempting to access the Web IDE for a project under an SSO-enforced group.
  • not_logged_in_sso.mov (After): Signed in to GitLab, not signed in via SSO. Redirected to the identity provider sign-in page; after successful authentication, redirected back to the Web IDE.
  • logged_in_sso.mov (After): Signed in to GitLab and SSO. Not redirected to the identity provider sign-in page; can access the Web IDE.
  • regression (After): No SSO enabled (regression case). Web IDE redirect works as expected.
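The four scenarios above, and the before/after behaviour described in the MR summary, modelled as an added Ruby illustration (constructed here, not GitLab's code): Group, Session, the access functions and APP_HOST are hypothetical names, and the SSO sign-in path is the one used in the setup steps below.

```ruby
require 'uri'

# Constructed model (hypothetical names, not GitLab's code): a group either
# enforces SSO or not; a session records the GitLab user and the groups the
# user currently holds an SSO session for.
Group   = Struct.new(:path, :sso_enforced, keyword_init: true)
Session = Struct.new(:gitlab_user, :sso_groups, keyword_init: true)

APP_HOST = 'gdk.test' # host assumed from the GDK setup steps

# Before the MR: a GitLab-authenticated user with no SSO session for an
# SSO-enforced group is treated as if the project did not exist (404).
def web_ide_access_before(session, group)
  return [:not_found] if session.gitlab_user.nil?
  return [:not_found] if group.sso_enforced && !session.sso_groups.include?(group.path)
  [:allow]
end

# After the MR: the same case redirects to the group's SAML SSO sign-in page
# instead of returning 404; everything else is unchanged (fail closed).
def web_ide_access_after(session, group, base_url: "https://#{APP_HOST}:3443")
  return [:not_found] if session.gitlab_user.nil?
  if group.sso_enforced && !session.sso_groups.include?(group.path)
    target = "#{base_url}/groups/#{group.path}/-/saml/sso"
    raise "refusing off-host redirect: #{target}" unless safe_redirect?(target)
    return [:redirect, target]
  end
  [:allow]
end

# Turning a 404 into a redirect means the destination must never be attacker
# controlled; here it is derived from the group path, and this check additionally
# confirms the target stays on the application's own HTTPS host.
def safe_redirect?(url)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTPS) && uri.host == APP_HOST
rescue URI::InvalidURIError
  false
end
```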

How to set up and validate locally

Setup

The steps below assume that:

  • SSO is configured for the GitLab Org group
  • You are running GDK with HTTPS enabled on port 3443: https://gdk.test:3443/.

Make sure to modify these parameters accordingly in the steps if your local setup is different.

  1. Follow the steps outlined in this doc to set up SAML in the GDK. Note: to configure the group, sign in as the admin user root, visit the GitLab Org group, and select Settings > SAML SSO.

  2. Don't sign in yet

  3. Bypass the verification email via the Rails console:

    # Mark the SAML-provisioned user as confirmed without following the email link
    user = User.find_by_username 'user_1'
    user.confirmed_at = Time.now
    user.save

  4. Create a password for the user so you can simulate being signed in to GitLab but not authenticated via SSO. In a separate browser or incognito window, sign in as the user via SSO by visiting https://gdk.test:3443/groups/gitlab-org/-/saml/sso. Username: user1, password: user1pass.

  5. Once authenticated as user_1, go to User Preferences > Password and set a password.

Validate locally

  1. In your default browser, sign in to GitLab as user_1 by visiting /users/sign_in and entering the GitLab password. Do not sign in via SSO. Once authenticated, visit the project belonging to the group via URL: https://gdk.test:3443/gitlab-org/gitlab-shell.
  2. Note that you no longer see a 404 page and are instead redirected to the identity provider sign-in page.
  3. Enter the SSO credentials and sign in.
  4. Observe that you are redirected to the Web IDE for the project.
  5. Now that you are authenticated with both GitLab and SSO, reload the Web IDE. Observe that you are not redirected to the identity provider's sign-in page.
Edited by Cindy Halim
