Fix subgroup search redirect if SAML auth expired

Terri Churequested to merge
534522-fix-for-subgroup-search-saml-reauth into master

What does this MR do and why?

This MR changes the redirect link used for group search when SAML auth is expired. It should be redirecting to the SSO for the root ancestor (not the group) to ensure that sub-group searches correct allow users to authenticate. I was able to reproduce this issue in production and locally in gdk.

AI Summary

This change fixes an issue with SSO (Single Sign-On) redirects when searching in subgroups. Previously, when a user needed to authenticate via SSO while searching in a subgroup, the system would try to redirect them to the subgroup's SSO provider. The fix modifies the redirect to always use the root ancestor group's SSO provider instead, which is the correct behavior since SSO is configured at the top-level group. A test case was added to verify this functionality specifically for subgroups, ensuring that users are properly redirected to the parent group's SSO sign-in page when needed.

References

Screenshots or screen recordings

After configuring saml for the top level group and sub group search redirected to this SAML auth page

original URL: https://gdk.test:3443/search?search=level&group_id=137&scope=projects

redirect URL: https://gdk.test:3443/groups/saml-auth-redirect-group/-/saml/sso?redirect=%2Fsearch%3Fsearch%3Dsub%2Bgroup%26group_id%3D137%26scope%3Dprojects

before

image

after

image

How to set up and validate locally

  1. setup elasticsearch (advanced search) in gdk
  2. Setup HTTPS in gdk: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/nginx.md
  3. Setup SAML in gdk: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/saml.md#saml
    • note DO NOT configure the group yet
  4. Simulate SaaS in gdk: https://docs.gitlab.com/ee/development/ee_features.html#simulate-a-saas-instance
    • I added an env.runit file in the root gdk directory (not gitlab)
    • restart gitlab
  5. Setup a private group, and a subgroup within it
  6. add a project to the subgroup, make sure code is there and is searchable
  7. add a non-admin user to the group as a developer+ role
  8. login with that user
  9. perform a group search in the group and subgroup, make sure you get results
  10. follow guide to add SAML to the group: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/saml.md#configuring-the-group
  11. re-run the searches, make sure you are redirected to SSO login screen for both group and subgroup searches (this is the fix)

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Terri Chu

Merge request reports