Step-up auth: Consider namespace setting inherited from parent group
What does this MR do and why?
Step-up auth: Consider namespace setting inherited from parent group
This MR enhances the step-up authentication feature by implementing inheritance from parent groups. When a parent group enables step-up authentication, all child groups automatically inherit this security requirement and cannot override it. This ensures consistent authentication policies across organizational hierarchies.
Key improvements:
- Child groups inherit step-up authentication settings from their parent groups
- The subgroup's internal `step_up_auth_required_oauth_provider` attribute is preserved: the original value is never modified when a parent group enforces its setting, so when the parent removes its requirement, the subgroup's original configuration is automatically restored
- The UI clearly indicates when settings are inherited, naming the parent group
- Validation prevents child groups from changing inherited settings while the parent has a setting
- Optimized database queries using `traversal_ids` for efficient hierarchy traversal
- Comprehensive test coverage for all inheritance scenarios
This implementation addresses the need for centralized authentication control in enterprise environments where security policies must be enforced consistently across all subgroups.
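As an added illustration (not code from this MR or from GitLab), the Ruby sketch below models the inheritance rule described above: ancestors are resolved from `traversal_ids` in one lookup, the effective provider comes from an enforcing ancestor when one exists, a validation rejects changes on the subgroup while an ancestor enforces a setting, and the subgroup's stored `step_up_auth_required_oauth_provider` is never overwritten, so it takes effect again once the parent drops its requirement. Only `traversal_ids` and `step_up_auth_required_oauth_provider` are taken from the MR; `Namespace`, `Registry`, `enforcing_ancestor`, `effective_provider`, `update_provider` and the three-level hierarchy are assumptions for this sketch, as is the choice to report the topmost enforcing ancestor as the source.

```ruby
# Added example, not GitLab's code: a framework-free model of step-up auth
# inheritance over a group hierarchy. Only `traversal_ids` and
# `step_up_auth_required_oauth_provider` are taken from the MR; Namespace,
# Registry and the method names below are assumptions for this sketch.
Namespace = Struct.new(:id, :name, :traversal_ids,
                       :step_up_auth_required_oauth_provider, keyword_init: true)

class Registry
  def initialize
    @by_id = {}
  end

  def add(ns)
    @by_id[ns.id] = ns
    ns
  end

  def find(id)
    @by_id.fetch(id)
  end

  # traversal_ids holds the root-to-self path, so the ancestors are every id
  # but the last one: a batch lookup by id list instead of a parent-by-parent walk.
  def ancestors(ns)
    ns.traversal_ids[0...-1].map { |id| @by_id.fetch(id) }
  end

  # Topmost ancestor that enforces step-up auth (root first). Assumption: the
  # highest enforcing group is reported as the source, since its requirement
  # overrides every descendant's own value.
  def enforcing_ancestor(ns)
    ancestors(ns).find { |a| !a.step_up_auth_required_oauth_provider.nil? }
  end

  def inherited?(ns)
    !enforcing_ancestor(ns).nil?
  end

  # Effective provider: the enforcing ancestor's value if there is one,
  # otherwise the group's own stored attribute.
  def effective_provider(ns)
    source = enforcing_ancestor(ns)
    (source || ns).step_up_auth_required_oauth_provider
  end

  # Validation: while an ancestor enforces a provider the subgroup cannot change
  # its own value. The stored attribute is never overwritten by inheritance, so
  # it becomes effective again as soon as the ancestor drops its requirement.
  def update_provider(ns, new_value)
    source = enforcing_ancestor(ns)
    if source
      return [false, "Step-up authentication is inherited from #{source.name} and cannot be changed here"]
    end
    ns.step_up_auth_required_oauth_provider = new_value
    [true, nil]
  end
end

# Constructed three-level hierarchy (parent > sub > child) mirroring the
# local validation steps: the subgroup starts with its own OpenID Connect setting.
def build_hierarchy
  reg = Registry.new
  reg.add(Namespace.new(id: 1, name: "parent", traversal_ids: [1],
                        step_up_auth_required_oauth_provider: nil))
  reg.add(Namespace.new(id: 2, name: "sub", traversal_ids: [1, 2],
                        step_up_auth_required_oauth_provider: "openid_connect"))
  reg.add(Namespace.new(id: 3, name: "child", traversal_ids: [1, 2, 3],
                        step_up_auth_required_oauth_provider: nil))
  reg
end

# Walks the scenarios from the screencast and returns what each one observes.
def run_scenarios
  reg = build_hierarchy
  parent, sub, child = reg.find(1), reg.find(2), reg.find(3)
  out = {}

  # 1. Parent has no setting: the subgroup edits its own value freely.
  out[:sub_free] = reg.update_provider(sub, "openid_connect").first

  # 2. Parent enables step-up auth: sub and child now inherit from it.
  parent.step_up_auth_required_oauth_provider = "openid_connect"
  out[:sub_inherited] = reg.inherited?(sub)
  out[:child_source] = reg.enforcing_ancestor(child).name

  # 3. The subgroup may not change (here: clear) the inherited setting, and its
  #    stored attribute is untouched.
  out[:sub_blocked] = reg.update_provider(sub, nil).first
  out[:sub_stored] = sub.step_up_auth_required_oauth_provider

  # 4. Parent disables step-up auth: the subgroup's original value is active
  #    again and the child now inherits from the subgroup instead.
  parent.step_up_auth_required_oauth_provider = nil
  out[:sub_restored] = reg.effective_provider(sub)
  out[:child_source_after] = reg.enforcing_ancestor(child).name
  out
end

puts run_scenarios.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints a hash with the observations of the four scenarios. The validation lives beside the lookup on purpose: the UI disabling the field is a convenience, while the model-level check is what actually stops a subgroup from weakening a requirement its parent enforces.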
Feature Flag: `omniauth_step_up_auth_for_namespace` (disabled by default)
Changelog: other
References
- Issue: #556943 - Step-up auth for namespace: Consider namespace setting inherited from parent group
- Related MR: !164329 (merged) - Initial step-up authentication implementation
- Documentation: Step-up authentication for namespace
Screenshots or screen recordings
Please find the screencast showcasing the following aspects of this MR's improvements:
- The left side shows the parent group and the right side shows the subgroup
- When the parent group has not enabled any step-up authentication, the subgroup is able to freely define step-up auth for itself
- When the parent group enables step-up auth, the step-up auth setting of the subgroup is immediately overridden and the step-up auth setting of the parent group is shown, i.e. the step-up auth setting is disabled for the subgroup
- If the parent group disables step-up auth after having enabled it, the original step-up auth setting of the subgroup becomes active again
Screencast: Screen_Recording_2025-09-03_at_11.29.30

Before | After |
---|---|
Subgroups could set their own step-up auth independently | When inherited from parent, clear messaging shows the source and disables controls |
How to set up and validate locally
- Enable the feature flag and configure the OpenID Connect provider:
  Please follow the setup instructions from the previous MR: Part 1: Prepare your local GitLab GDK instance. This includes:
  - Enabling the `:omniauth_step_up_auth_for_namespace` feature flag
  - Configuring the OpenID Connect provider with step-up authentication settings
- Create a group hierarchy:
  - Navigate to `/groups/new` and create a parent group
  - Create a subgroup within the parent group
  - Create a child group within the subgroup (3 levels deep)
- Test inheritance behavior:
  - Navigate to parent group Settings > General > Permissions and group features
  - Set "Step-up authentication" to "OpenID Connect"
  - Save changes
  - Open another browser tab with the subgroup settings
  - Verify the step-up auth field shows the inheritance message with the parent group name
  - Verify the field is disabled and shows the inherited value
  - Try to save with a different value and confirm validation prevents the change
- Test inheritance removal:
  - Return to parent group settings
  - Set "Step-up authentication" to "Disabled"
  - Navigate to subgroup settings
  - Verify the field is now editable again
  - Check that the original field is still set to "OpenID Connect"
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
MR Checklist (@gerardo-navarro)
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
- Conforms to the merge request performance guidelines
Related to #556943