
Validate SAML and SCIM identities for SSO requirements

These changes ensure that when the top-level namespace requires SSO authentication, candidate assignee users have a linked SAML identity and an active SCIM identity before they are assigned to a placeholder user.

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

  • Add the following to gdk.yml to enable SAML:
omniauth:
  group_saml:
    enabled: true
  • Then reconfigure and restart GDK:
gdk reconfigure
gdk restart
  • Enable SAML for your group by going to Settings -> SAML SSO and filling in the configuration. You can put any domain and SHA to test.
  • Attempt to reassign contributions to a user. You should see an error message saying "You can assign only users with a linked SAML identity. Ensure the user has signed into GitLab through your SAML SSO provider." "You can assign only users with linked SAML and SCIM identities. Ensure the user has signed into GitLab through your SAML SSO provider and has an active SCIM identity for this group."
  • Stub some SAML data for the user:
g = Group.find_by_path("alpaca")
u = User.find_by_username("knejad-local3")
i = g.saml_provider.identities.new(user: u, provider: "[NAME OF PROVIDER]")
i.save(validate: false)
  • Attempt to reassign to the user again. You should now see a different error "You can assign only users with an active SCIM identity. Ensure the user has an active SCIM identity for this group."

  • Create a SCIM identity for the user:

s = ScimIdentity.new(user: u, group: g, active: true, extern_uid: 123)
s.save(validate: false)
  • Attempt to reassign again. This time it should succeed without an error message, and change state to "Pending approval"
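As an added illustration of the check the steps above exercise (this is not GitLab's own code), the following plain-Ruby model reproduces the three outcomes: no identities, SAML only, and SAML plus an active SCIM identity. The Struct shapes, the provider name "example-idp" and the extern_uid values are assumptions; the error strings are the ones quoted in this MR, and an inactive SCIM identity is shown to be rejected the same way as a missing one.

```ruby
# Added example, not GitLab's own code: a plain-Ruby model of the SSO
# enforcement check described in this MR. Group/User/identity are Structs
# whose attribute names mirror the validation steps above (assumed shapes).

SamlIdentity = Struct.new(:provider, :extern_uid, keyword_init: true)
ScimIdentity = Struct.new(:group_path, :active, :extern_uid, keyword_init: true)
User  = Struct.new(:username, :saml_identities, :scim_identities, keyword_init: true)
Group = Struct.new(:path, :enforce_sso, :saml_provider, keyword_init: true)

# Error messages quoted from the MR description.
MISSING_SAML_MSG = "You can assign only users with linked SAML and SCIM identities. " \
  "Ensure the user has signed into GitLab through your SAML SSO provider " \
  "and has an active SCIM identity for this group."
MISSING_SCIM_MSG = "You can assign only users with an active SCIM identity. " \
  "Ensure the user has an active SCIM identity for this group."

# A SAML identity counts only if it was issued by this group's provider.
def linked_saml_identity?(group, user)
  user.saml_identities.any? { |i| i.provider == group.saml_provider }
end

# A SCIM identity counts only if it belongs to this group and is active;
# a deprovisioned (inactive) identity must not pass.
def active_scim_identity?(group, user)
  user.scim_identities.any? { |i| i.group_path == group.path && i.active }
end

# Returns nil when the user may become the reassignment target, otherwise
# the error message the UI should show. Groups that do not enforce SSO
# skip both checks, matching the pre-existing behaviour.
def sso_assignment_error(group, user)
  return nil unless group.enforce_sso
  return MISSING_SAML_MSG unless linked_saml_identity?(group, user)
  return MISSING_SCIM_MSG unless active_scim_identity?(group, user)
  nil
end

# Walks through the states from the validation steps above, using
# constructed sample data, and returns the error (or nil) at each stage.
def walkthrough
  group = Group.new(path: "alpaca", enforce_sso: true, saml_provider: "example-idp")
  user  = User.new(username: "knejad-local3", saml_identities: [], scim_identities: [])
  results = []
  results << sso_assignment_error(group, user)                 # no identities
  user.saml_identities << SamlIdentity.new(provider: "example-idp", extern_uid: "u1")
  results << sso_assignment_error(group, user)                 # SAML only
  user.scim_identities << ScimIdentity.new(group_path: "alpaca", active: false, extern_uid: 123)
  results << sso_assignment_error(group, user)                 # inactive SCIM still rejected
  user.scim_identities.last.active = true
  results << sso_assignment_error(group, user)                 # both present: allowed
  results
end

puts walkthrough.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the four results in order: the SAML-and-SCIM message, the SCIM-only message twice (missing, then inactive), and nil once both identities are in place. The inactive-SCIM case is the one worth keeping in mind when reviewing: a user who was deprovisioned by the identity provider still has a SCIM identity row, so the check must look at the active flag, not just at existence.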

Related to #513686 (closed)

Edited by Carla Drago
