Support reauthentication with SAML with MRAP policy

What does this MR do and why?

This MR fixes an issue where SAML reauthentication was not available when require_password_to_approve was set in a merge request approval policy (MRAP).

The Problem: When users configure require_password_to_approve: true in their merge request approval policy, they expect the same behavior as the project-level "Require user re-authentication (password or SAML) to approve" setting. However, the SAML option was not appearing - only password authentication was offered.

Root Cause: The require_saml_auth_to_approve method in MergeRequestPresenter was only checking group/project level settings via ComplianceManagement::MergeRequestApprovalSettings::Resolver, but not checking the policy approval settings.

The presenter was calling:

# Before the fix: only the group/project-level setting is consulted,
# so a policy-level require_password_to_approve is never seen here.
def mr_approval_setting_password_required?
  ComplianceManagement::MergeRequestApprovalSettings::Resolver.new(
    root_group,
    project: target_project
  ).require_password_to_approve.value
end

But it should also check the policy path, similar to how MergeRequest#require_password_to_approve? does:

# The model already ORs the project setting with the policy approval settings.
def require_password_to_approve?
  target_project&.require_password_to_approve? ||
    policy_approval_settings.fetch(:require_password_to_approve, false)
end

The Fix: Update the presenter to also check policy_approval_settings when determining if SAML reauthentication should be offered.
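The following is an added, self-contained illustration of the before/after behaviour, not code from this MR or from GitLab. It stands in a plain Ruby object for the presenter, replaces the Resolver with a boolean, and parses a constructed approval policy of the shape the validation steps below create (any_merge_request rule, one Owner approval, require_password_to_approve: true). The policy YAML keys are assumed from the MR text, and the `saml_provider_enabled` flag is a hypothetical stand-in for whatever the real presenter uses to decide that SAML is configured for the group.

```ruby
require "yaml"

# Constructed policy, assumed to mirror the one created in the validation steps.
POLICY_YAML = <<~YAML
  approval_policy:
    - name: Require owner approval
      enabled: true
      rules:
        - type: any_merge_request
          branch_type: protected
          commits: any
      actions:
        - type: require_approval
          approvals_required: 1
          role_approvers:
            - owner
      approval_settings:
        require_password_to_approve: true
YAML

# Hypothetical stand-in for MergeRequest#policy_approval_settings: collect the
# approval_settings of every policy into one symbol-keyed hash.
def policy_approval_settings(policy_yaml)
  policies = YAML.safe_load(policy_yaml).fetch("approval_policy", [])
  policies
    .flat_map { |policy| (policy["approval_settings"] || {}).to_a }
    .to_h
    .transform_keys(&:to_sym)
end

# Simplified presenter. `project_setting_requires_password` plays the role of
# the Resolver's require_password_to_approve value.
class ReauthPresenter
  def initialize(project_setting_requires_password:, policy_settings:, saml_provider_enabled:)
    @project_setting = project_setting_requires_password
    @policy_settings = policy_settings
    @saml_enabled = saml_provider_enabled
  end

  # Before the fix: only the group/project-level setting is consulted.
  def password_required_before_fix?
    @project_setting
  end

  # After the fix: also consult the policy path, mirroring
  # MergeRequest#require_password_to_approve?.
  def password_required_after_fix?
    @project_setting || @policy_settings.fetch(:require_password_to_approve, false)
  end

  # SAML reauthentication is only offered when SAML is configured AND
  # reauthentication is required at all.
  def saml_reauth_offered_before_fix?
    @saml_enabled && password_required_before_fix?
  end

  def saml_reauth_offered_after_fix?
    @saml_enabled && password_required_after_fix?
  end
end

# Evaluate one scenario and return what the UI would offer before and after.
def evaluate(policy_yaml: POLICY_YAML, project_setting: false, saml_enabled: true)
  presenter = ReauthPresenter.new(
    project_setting_requires_password: project_setting,
    policy_settings: policy_approval_settings(policy_yaml),
    saml_provider_enabled: saml_enabled
  )
  { before: presenter.saml_reauth_offered_before_fix?,
    after: presenter.saml_reauth_offered_after_fix? }
end

if __FILE__ == $PROGRAM_NAME
  puts evaluate.inspect  # policy-only requirement: SAML offered only after the fix
end
```

The scenario that matters for this MR is the default call: the project setting is off, the policy requires reauthentication, and SAML is configured. Before the fix the presenter reports false (password only); after the fix it reports true. When SAML is not configured for the group, the fix changes nothing, and when the project-level setting is already on, both versions agree.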

Changelog: changed
EE: true

References

Screenshots or screen recordings

Before: Screenshot_2026-02-16_at_23.33.15
After: Screenshot_2026-02-16_at_23.42.20, Screenshot_2026-02-16_at_23.41.56

How to set up and validate locally

  1. Ensure that you have HTTPS enabled for your GDK.
  2. Create a new group (e.g., saml-group) and navigate to Settings > SAML SSO.
  3. For Identity provider single sign-on URL set https://mocksaml.com/api/namespace/saml-group/saml/sso and for Certificate fingerprint set 089d066507626ef0d336ca21bf14e5bdf4c82a85. For default membership set Owner.
  4. Create a new project in that group with a README file, then create a new any_merge_request Merge Request Approval Policy requiring at least one approval from Owner. Be sure to enable the require_password_to_approve: true approval setting.
  5. For that project, create a new MR that modifies the README.md file.
  6. In a new incognito window, open the GitLab single sign-on URL link from the group's Settings > SAML SSO page.
  7. Authenticate, then go to the MR and verify that you can reauthenticate with SAML rather than only with a password.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Alan (Maciej) Paruszewski
