
Add restricted access check for SAML on Gitlab.com

This is part of #572853+.

What does this MR do and why?

This MR adds Block Seat Overages (BSO), also known as Restricted Access, support to SAML group membership provisioning on GitLab.com. When BSO is enabled and adding a user would consume new seats beyond the subscription limit, the system automatically assigns MINIMAL_ACCESS instead of the configured access level.

The implementation uses the previously introduced SeatAwareProvisioning mixin and applies to both:

  • SystemAccess::BaseSaaSGroupSyncWorker - for SAML group sync operations
  • Gitlab::Auth::GroupSaml::MembershipUpdater - for default membership during SAML SSO

When BSO restrictions are applied, the system logs the access level adjustment. The feature is protected by the bso_minimal_access_fallback feature flag which is currently disabled.

References

Screenshots or screen recordings

N/A

How to set up and validate locally

  1. Enable the feature flag: Feature.enable(:bso_minimal_access_fallback, group.root_ancestor)
  2. Configure BSO settings: group.namespace_settings.update!(seat_control: :block_overages)
  3. Set up SAML provider with group links or default membership
  4. Ensure your test environment simulates no available seats
  5. Trigger SAML SSO or group sync that would exceed seat limits
  6. Verify users are added with MINIMAL_ACCESS instead of the configured level
  7. Check application logs for BSO adjustment messages
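The following Ruby block is an added illustration of the behaviour described in this MR (the seat-aware fallback to MINIMAL_ACCESS and the local validation steps above); it is not GitLab's code and does not reproduce the real SeatAwareProvisioning mixin. Every class, method and value in it is a constructed stand-in: FeatureFlags stands in for the Feature module, Group/NamespaceSettings/Subscription are plain structs, the access-level constants are made-up numbers, and simulate_bso_provisioning walks the "validate locally" steps in that model and returns the level that ended up assigned together with the log output.

```ruby
# Added illustration modelled on the MR description; not GitLab's code.
# Every class, method and value below is a constructed stand-in.
require 'logger'
require 'stringio'

module Gitlab
  module Access
    # constructed constants loosely following GitLab's numeric access scale
    MINIMAL_ACCESS = 5
    GUEST          = 10
    DEVELOPER      = 30
  end
end

# Stand-in for the feature-flag registry (not the real Feature module).
module FeatureFlags
  @enabled = {}
  def self.enable(name, actor);   @enabled[[name, actor.id]] = true; end
  def self.disable(name, actor);  @enabled.delete([name, actor.id]); end
  def self.enabled?(name, actor); @enabled.fetch([name, actor.id], false); end
end

NamespaceSettings = Struct.new(:seat_control)              # :off or :block_overages
Subscription      = Struct.new(:seats, :seats_in_use) do
  def free_seats; seats - seats_in_use; end
end
Group = Struct.new(:id, :namespace_settings, :subscription) do
  def root_ancestor; self; end                             # a top-level group is its own root
end

# Hypothetical mixin: decides which access level to grant and logs when
# Block Seat Overages forces a downgrade to MINIMAL_ACCESS.
module SeatAwareProvisioning
  def block_seat_overages?(root)
    root.namespace_settings.seat_control == :block_overages
  end

  def seat_available?(root)
    root.subscription.free_seats > 0
  end

  # consumes_seat is false when the user already holds a billable seat in
  # the namespace, so adding them elsewhere in the hierarchy costs nothing.
  def resolve_access_level(group, requested_level, consumes_seat: true)
    root = group.root_ancestor
    return requested_level unless FeatureFlags.enabled?(:bso_minimal_access_fallback, root)
    return requested_level unless consumes_seat && block_seat_overages?(root)
    return requested_level if seat_available?(root)

    logger.info("BSO restriction applied: group_id=#{root.id} " \
                "requested_access_level=#{requested_level} " \
                "assigned_access_level=#{Gitlab::Access::MINIMAL_ACCESS}")
    Gitlab::Access::MINIMAL_ACCESS
  end

  def log_io;  @log_io ||= StringIO.new; end
  def logger;  @logger ||= Logger.new(log_io); end
end

# Stand-in for the callers the MR touches (group sync worker and SSO
# membership updater); both would simply mix in the same policy.
class SamlMembershipUpdater
  include SeatAwareProvisioning

  def add_member(group, user, requested_level)
    level = resolve_access_level(group, requested_level)
    { user: user, access_level: level }   # a real updater would persist this
  end
end

# Walks the "validate locally" steps in the model above and returns
# [assigned access level, captured log text].
def simulate_bso_provisioning(flag_enabled:, seat_control:, seats:, seats_in_use:,
                              requested_level: Gitlab::Access::DEVELOPER)
  group = Group.new(42, NamespaceSettings.new(seat_control), Subscription.new(seats, seats_in_use))
  if flag_enabled
    FeatureFlags.enable(:bso_minimal_access_fallback, group.root_ancestor)
  else
    FeatureFlags.disable(:bso_minimal_access_fallback, group.root_ancestor)
  end
  updater = SamlMembershipUpdater.new
  result  = updater.add_member(group, 'saml-user', requested_level)
  [result[:access_level], updater.log_io.string]
end

if __FILE__ == $PROGRAM_NAME
  level, log = simulate_bso_provisioning(flag_enabled: true, seat_control: :block_overages,
                                         seats: 5, seats_in_use: 5)
  puts "assigned access level: #{level}"
  puts log
end
```

Running the script with the flag enabled, seat_control set to :block_overages and no free seats prints the MINIMAL_ACCESS value and one log line naming the requested and assigned levels; with the flag disabled, seat control off, or a seat still free, the requested level is returned unchanged and nothing is logged, which is the split a reviewer would want covered by specs for both the worker and the updater.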

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Paulo Barros
