When a namespace GitLab Subscription expires, disable SSO enforcement

What does this MR do?

Fixes #34287 (closed)

Currently, if a GitLab.com group's subscription expires (changes to Free/No Plan or a tier where Group SAML is not available) and they have SSO enforcement turned on, users will lose access to their group. This change automatically turns off enforced SSO when the SSO feature is no longer available to the group.

To further clarify, this does not explicitly disable SSO enforcement when the group's plan simply expires, that is, when the end_date saved on the gitlab_subscription entry lapses. As best I can tell, GitLab currently doesn't actually do anything internally when a subscription expires. The Customer portal has some script that reaches out and explicitly changes the plan to 'Free' (No Plan?).

With that in mind, this fix triggers based on group_saml feature availability. If a plan changes to Bronze or Free, where the Group SAML feature isn't available, enforced SSO will be bypassed.

Also note that this fix does not disable SSO or remove existing configuration in any way. If a plan is subsequently renewed and the feature becomes available again, SSO will be enforced as previously.
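As an added illustration of the behaviour described above (not code from this MR or from GitLab itself), the following Ruby models a group whose SSO enforcement is bypassed only while the Group SAML feature is unavailable on its plan, and whose SAML configuration survives the downgrade so that enforcement resumes on renewal. The plan names 'silver' and 'gold', the PLAN_FEATURES table, and the Group and SamlProvider classes are assumptions made for this example.

```ruby
# Added illustration, not GitLab's own code: enforced SSO is suspended, not
# removed, while a group's plan lacks the Group SAML feature.

# Assumed mapping of plan tier to the features it includes. The page only
# states that Bronze and Free lack Group SAML; the paid tiers are placeholders.
PLAN_FEATURES = {
  'free'   => [],
  'bronze' => [],
  'silver' => [:group_saml],
  'gold'   => [:group_saml]
}.freeze

# Hypothetical stand-in for a group's stored SAML configuration. A plan change
# never touches it; only its effect is suspended.
SamlProvider = Struct.new(:enabled, :enforced_sso, keyword_init: true)

class Group
  attr_reader :plan, :saml_provider

  def initialize(plan:, saml_provider: nil)
    change_plan(plan)
    @saml_provider = saml_provider
  end

  # Plan changes arrive from outside (e.g. a customers-portal update); the
  # SAML configuration is deliberately left as it is.
  def change_plan(new_plan)
    raise ArgumentError, "unknown plan #{new_plan}" unless PLAN_FEATURES.key?(new_plan)
    @plan = new_plan
  end

  def feature_available?(feature)
    PLAN_FEATURES.fetch(plan).include?(feature)
  end

  # Enforced SSO applies only while the group can actually use Group SAML.
  # Without this guard, a downgrade would lock every member out.
  def enforced_sso?
    return false unless feature_available?(:group_saml)
    return false unless saml_provider&.enabled

    saml_provider.enforced_sso == true
  end
end

# Access decision for a member: a SAML session is required only while SSO is
# actually enforced, so a lapsed plan no longer blocks access.
def access_allowed?(group, has_saml_session:)
  return true unless group.enforced_sso?

  has_saml_session
end

if __FILE__ == $PROGRAM_NAME
  provider = SamlProvider.new(enabled: true, enforced_sso: true)
  group = Group.new(plan: 'silver', saml_provider: provider)
  puts "silver: enforced=#{group.enforced_sso?}"
  group.change_plan('free')
  puts "free:   enforced=#{group.enforced_sso?} (config kept: #{group.saml_provider.enforced_sso})"
  group.change_plan('silver')
  puts "renew:  enforced=#{group.enforced_sso?}"
end
```

Running the script walks a group through downgrade and renewal: enforcement reports true on Silver, false on Free while the stored enforced_sso flag stays true, and true again once the plan is restored.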

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Drew Blessing