WIP: Per Group SAML login

What

WIP prototype

Will allow top-level groups to configure their own SAML Single Sign On setup.

Why

So Gitlab.com can allow companies to each sign in with their own SSO

Screenshots

SSO Page	Group Membership

Database Checklist

See also https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/4549#database-checklist

• Updated db/schema.rb
• Added a down method so the migration can be reverted
• Added the output of the migration(s) to the MR body
• Added tests for the migration in spec/migrations if necessary (e.g. when migrating data)
• Ordered columns based on the Ordering Table Columns guidelines
• Added foreign keys to any columns pointing to data in other tables
• Added indexes for fields that are used in statements such as WHERE, ORDER BY, GROUP BY, and JOINs

== 20180317020334 AddSamlProviderToIdentities: migrating ======================
-- add_reference(:identities, :saml_provider, {:index=>true, :foreign_key=>{:on_delete=>:cascade}})
   -> 0.0200s
== 20180317020334 AddSamlProviderToIdentities: migrated (0.0201s) =============

Acceptance criteria

• Changelog entry added, if necessary
• Documentation created/updated
• API support added
• Tests added for this feature/bug
• Review
  • Has been reviewed by UX
  • Has been reviewed by Frontend
  • Has been reviewed by Backend
  • Has been reviewed by Database
• Internationalization required/considered
• If paid feature, have we considered GitLab.com plan and how it works for groups and is there a design for promoting it to users who aren't on the correct plan

Related

• Part of &40 (closed)
• Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/4514, https://gitlab.com/gitlab-org/gitlab-ee/issues/5331, https://gitlab.com/gitlab-org/gitlab-ee/issues/4515, and https://gitlab.com/gitlab-org/gitlab-ee/issues/4990

Steps to try current prototype:

• Edit gitlab.yml settings under omniauth. Set enabled: true, set block_auto_created_users: false to allow account creation/sign-in, and under providers add - { name: 'saml' }.
• Edit gitlab.yml for SSL by setting port: 3002 and https: true.
• Run server in https mode. First create a certificate with make localhost.crt from gdk directory. Then make pry to comment out rails-web from the Procfile. Run background services with gdk run app and finally run the server with thin --ssl --port 3002 start --ssl-key-file ../localhost.key --ssl-cert-file ../localhost.crt.
• Ensure that you have an EEP license at https://localhost:3002/admin/license
• Setup a dummy SamlProvider from rails console: Group.last.create_saml_provider!(idp_cert_fingerprint: '5b:e7:...', idp_sso_target_url: 'https://example.server/adfs/ls')
• Configure SAML by navigating to a group's "SAML SSO" settings page

The SAML Tracer Firefox extension is also very useful

/cc @mydigitalself @pedroms

Todos

Required

• Refactoring so it doesn't overlap with existing SAML option
• SAML settings page with tests
• SAML configuration doesn’t cause SAML buttons to appear on main sign-in. Perhaps by creating Gitlab::MultiSaml provider
• SAML flow doesn’t redirect to provider unless logged in already… wait, no, need to be able to sign in. SAML flow won’t create a user but can sign one in or link one
• SamlProvider verifies group is top-level
• Host uses actual host name/port
• Chase up on AWS machine resize for SAML
• SAML controllers/buttons/callbacks disabled/hidden when not configured, no permission, or incorrect EE license level
  • Settings page
  • SSO page
  • Callback URL
  • (N/A) Metadata URL
  • (N/A) Login buttons on group hidden
• Feature restricted based on cookie or group membership for Beta
• SAML returns to /groups/groupname/sso/callback
• Tests for SAML flow, redirect, dynamic callbacks, devise mapping, etc
• Rename database columns to more sensible names
• SAML adds user to group, but only if the correct provider. Shouldn’t get added to wrong group if malicious idP returns user to wrong callback URL.
• Ensure GroupSaml can’t use generic “/users/auth/saml/callback” callback path
• Saml settings link shouldn’t be visible for subgroups
• Consider impact of LDAP group links and possible make them mutually exclusive
• Check this can't be used to POST redirect dangerously. Gitlab API? External pages? Checked: needs restrictions

Expected

• SAML failures displayed in flash notification
• Bug: On create/update the sidebar doesn’t currently show as active

Polish

• Issue created for Metadata autoconfig, or added to description of epic. Would set sso_url and fingerprint.
• Metadata endpoint per SamlProvider for use by identity provider. Would provide our NameID format, Issuer and callback URL
• Add enabled setting to DB
• /groups/group-name/sso type URL to redirect to /users/auth/saml POST endpoint, so that users can navigate manually to URL.
• SAML flow redirects to group page by default.
• Test SSO button should display success flash, or failure messages
• Sign on flow shouldn’t take user to untrusted site without warning. Do we need to verify authenticity token on POST /auth/saml?

Unsorted

• Decide rules for who has permission to log in. Group might be hidden, so no read permission, but still need to be able to access SSO URL in case you are signed out.
• Somehow store in DB which group we’ve logged in with. Do we need to make ‘idp_sso_target_url’ unique so we can look up based on that? Can we pass variable through idp… although not trust it alone so combine with idp_sso_target_url to find correct SamlProvider when multiple use that server.
• Ensure new user isn't created when logging in with different group. To start with ensure that new user never created.
• Do we need to encrypt the URL in RelayState for any reason?
• Setup middleware either set to ‘true’ or uses custom omniauth provider instead of being set from devise initializer.
• Ability to disconnect identity from user, e.g. If I no longer trust the ADFS server and don’t want to allow access to my account that way
• Split GlobalSamlUser from PerGroupSamlUser, moving required groups to GlobalSaml
• Consider wrapping SamlUser’s auth hash in new object with methods for name/email/etc. It could then be made to downcase/gsub E-Mail to email and First Name to firstname to provide more flexibility with naming conventions.
• Add to epic: Single Log Out support, group sync support
• Add to epic: Customize SSO button text, but consider phishing

changed the description

added 1 commit

• b99365b5 - Added SamlProvider#enabled?, set unspecified for name_identifier_format

Compare with previous version

added 1 commit

• 1780a82d - SamlProvider form

Compare with previous version

added 3 commits

• e7c240d3 - SAML test button
• b5d897b2 - Dynamic callback path for SAML providers
• d15de5df - SAML RelayState used for redirect URL

Compare with previous version

added 3 commits

• ec154c03 - Singular 'saml' resource instead of 'saml_providers'
• 87dfced2 - Renamed SamlProvider columns to remove ipd_ prefix
• 9aadc6ff - SamlProvider validates certificate fingerprint and SSO URL

Compare with previous version

added 8 commits

• 8ffe3f14 - SamlProvider requires top level group
• 98aaae11 - fixup! SAML test button
• 29c382c6 - fixup! SamlProvider form
• c94cdf61 - Refactored SAML test button and floated right
• 1d11f844 - License and policy checks for SamlProvidersController
• 89cadb26 - Saml settings page shows login URL instead of NameID format
• 2d4eacce - fixup! License and policy checks for SamlProvidersController
• a64124c4 - Login page for Per Group SAML at group/saml/sso

Compare with previous version

mentioned in issue #4514 (closed)

@jamedjo What about adding a foreign key to Identity as provider_id. If it's null then it's a global identity (LDAP, SAML, OmniAuth) but if it's populated then it relates to the group SAML providers.

mentioned in merge request !4241 (closed)

added 2 commits

• 50cd1428 - Refactor OmniauthCallbacksController to remove duplication
• 8337a5b9 - Group SAML Settings Frontend content update

Compare with previous version

added 1 commit

• 50b0b18f - Group SAML Settings Frontend content update

Compare with previous version

changed the description

@jamedjo how are we with this?

mentioned in merge request !4549 (merged)

added 7 commits

• ee9c0674 - fixup! Group SAML Settings Frontend content update
• 0ebba7f8 - Per Group SAML hidden behind cookie for beta
• 806661d5 - Continued refactoring OmniauthCallbacksController
• 7945161e - Fixes from cherry-pick
• 8efa44c9 - Per Group SAML uses own IdentityLinker/User objects
• 2cec605f - Updated specs for Groups::OmniauthCallbacksController
• 4c4b7956 - WIP

Compare with previous version

@pedro I've split the settings page out into https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/4549, and the controller refactoring into https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/16694. Those should be able to merge this release and I'll get back to working on this for the next release.

I'd like to verify we won't break things before merging the actual authentication code, including adding tests and checking security.

Of the tasks in the list above the main tasks are:

• Create group_saml provider so it can be configured independently and doesn't cause SAML buttons on main sign-in.
• Move middleware setup to GroupSaml custom provider.
• SAML link sets which provider/group has been used on the Identity
• Add users to group on group SAML sign in
• Show SAML status indicator in user list
• Gitlab::GroupSaml::User prevents sign up and potentially requires users to be already signed in to link
• Saml Callback checks feature is configured and licensed for that group

mentioned in issue #4990 (closed)

added 7 commits

• 61d867c7 - WIP
• d2babe7f - fixup! Settings page for Per Group SAML
• 65dabd54 - fixup! Settings page for Per Group SAML
• 65ff19bf - fixup! Settings page for Per Group SAML
• 02e667b8 - fixup! Settings page for Per Group SAML
• ec7e3300 - fixup! Settings page for Per Group SAML
• 350f5023 - fixup! Settings page for Per Group SAML

Compare with previous version

added 22 commits

• 969e2e66 - SamlProvider form
• 3c3706c8 - SAML test button
• ed676ccb - Dynamic callback path for SAML providers
• 01a999f6 - SAML RelayState used for redirect URL
• 84a51365 - Singular 'saml' resource instead of 'saml_providers'
• 11be97c5 - Renamed SamlProvider columns to remove ipd_ prefix
• e8cefed7 - SamlProvider validates certificate fingerprint and SSO URL
• 198f5bb3 - SamlProvider requires top level group
• 4acc955b - Refactored SAML test button and floated right
• ce39445f - License and policy checks for SamlProvidersController
• 64882856 - Saml settings page shows login URL instead of NameID format
• 598de1d1 - Login page for Per Group SAML at group/saml/sso
• 18bceb6b - Refactor OmniauthCallbacksController to remove duplication
• 9b0f0b00 - Group SAML Settings Frontend content update
• 50443f11 - Per Group SAML hidden behind cookie for beta
• fe673066 - Continued refactoring OmniauthCallbacksController
• f90dedff - Fixes from cherry-pick
• 8c46ca37 - Per Group SAML uses own IdentityLinker/User objects
• 54d04b0a - Updated specs for Groups::OmniauthCallbacksController
• de6979f5 - Review changes for SAML Settings page
• 92284e58 - WIP
• 5da01322 - WIP

Compare with previous version

changed target branch from master to merge-jej/saml-sso-per-group

I've changed the merge target on this to a new branch with the settings page changes. Hopefully this will reduce the diff from around 57 changes to around 35

added 1 commit

• 8489cf00 - WIP

Compare with previous version

added 3 commits

• 258c6e25 - PerGroupSaml configured independently of other providers
• 3bbe0c16 - fixup! Settings page for Per Group SAML
• 695b71f9 - fixup! PerGroupSaml configured independently of other providers

Compare with previous version

added 2 commits

• 6aa55778 - fixup! PerGroupSaml configured independently of other providers
• e2d6e369 - fixup! Settings page for Per Group SAML

Compare with previous version

added 4 commits

• 50d6710f - Review changes for SAML Settings page
• c0da71e0 - WIP
• ccb7b5b9 - WIP
• 7e2980c3 - PerGroupSaml configured independently of other providers

Compare with previous version

added 18 commits

• 868991dc - 1 commit from branch merge-jej/saml-sso-per-group
• e83e1ab7 - WIP: Per Group SAML login
• 9f4350e2 - Added SamlProvider#enabled?, set unspecified for name_identifier_format
• 39554c03 - SAML test button
• 646f063a - Dynamic callback path for SAML providers
• 98de6837 - SAML RelayState used for redirect URL
• a0db61b1 - Singular 'saml' resource instead of 'saml_providers'
• e313a861 - WIP: test comments for SamlProvidersController
• a968caa0 - Login page for Per Group SAML at group/saml/sso
• ca00105d - Refactor OmniauthCallbacksController to remove duplication
• 699c3c86 - Group SAML Settings Frontend content update
• 5c5ac677 - Continued refactoring OmniauthCallbacksController
• ecf0cf0a - Fixes from cherry-pick
• aebecff6 - Per Group SAML uses own IdentityLinker/User objects
• 88026bb4 - Updated specs for Groups::OmniauthCallbacksController
• bb90f270 - WIP
• 60ada60d - WIP
• d7e95044 - PerGroupSaml configured independently of other providers

Compare with previous version

added 18 commits

• 4d76f55d - Settings page for Per Group SAML
• f5c4b291 - fixup! Settings page for Per Group SAML
• 10818423 - WIP: Per Group SAML login
• 7eb5b917 - Added SamlProvider#enabled?, set unspecified for name_identifier_format
• 7436d9c9 - SAML test button
• 47394368 - Dynamic callback path for SAML providers
• 4a7d3e7b - SAML RelayState used for redirect URL
• db2781c3 - WIP: test comments for SamlProvidersController
• 02c67c26 - Login page for Per Group SAML at group/saml/sso
• 905626e5 - Refactor OmniauthCallbacksController to remove duplication
• 5a944327 - Group SAML Settings Frontend content update
• 0c43c1fa - Continued refactoring OmniauthCallbacksController
• 75127e25 - Fixes from cherry-pick
• 8c17894e - Per Group SAML uses own IdentityLinker/User objects
• 931eb672 - Updated specs for Groups::OmniauthCallbacksController
• 0d0331ba - WIP
• d0db1924 - WIP
• bee1a946 - PerGroupSaml configured independently of other providers

Compare with previous version

added 17 commits

• 12fe7544 - 1 commit from branch merge-jej/saml-sso-per-group
• 1ef02151 - WIP: Per Group SAML login
• 5e5a5091 - Added SamlProvider#enabled?, set unspecified for name_identifier_format
• bf06a2c6 - SAML test button
• fb579445 - Dynamic callback path for SAML providers
• 64b27ee2 - SAML RelayState used for redirect URL
• 60ca07bd - WIP: test comments for SamlProvidersController
• a07303fe - Login page for Per Group SAML at group/saml/sso
• 4136a9be - Refactor OmniauthCallbacksController to remove duplication
• 994a6181 - Group SAML Settings Frontend content update
• ab4463d5 - Continued refactoring OmniauthCallbacksController
• 1233a33a - Fixes from cherry-pick
• ae897b14 - Per Group SAML uses own IdentityLinker/User objects
• 26e20851 - Updated specs for Groups::OmniauthCallbacksController
• a3e20c22 - WIP
• 993ce863 - WIP
• 9ced7dd4 - PerGroupSaml configured independently of other providers

Compare with previous version

added 3 commits

• 7bdfbcf5 - SamlProvider linked to identity in DB
• 8e5e867e - Group SAML adds users to group
• da850247 - Display badge for SAML members

Compare with previous version

changed the description

@dbalexandre This is ready for a high level review pass but I'll be cleanup up a lot of the TODO comments while refactoring. Additionally some of the changes related to omniauth_callbacks_controller.rb and non-saml IdentityLinker classes have moved to https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/16694/diffs and so can be ignored here. I'll rebase once that is merged, and have done something similar with https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/4549 for the settings page.

assigned to @dbalexandre

added 17 commits

• 19292a7f - fixup! SamlProvider linked to identity in DB
• 4a09a33c - fixup! SamlProvider linked to identity in DB
• c6d135ae - GroupSaml omniauth strategy avoids sign in button
• 5b91e022 - Checks for GroupSaml moved to Config class
• 1362cdca - Adds OmniauthInitializer so behaviour can be tested and refactored
• c6600e1b - Fix use of :group_saml provider
• 4b8a015f - SAML user errors display in UI instead of raising error
• 37312be6 - Moved GroupSaml strategy and to /lib with defaults
• fdbed6c8 - GroupSaml configured as standard omniauth provider
• aa2f67e7 - Frontend / UX review fixes
• 1b3dfad5 - Renamed per_group_saml to group_saml and updated config
• 6cb66fe8 - Bulk renamed per_group_saml to group_saml
• 28af2005 - update test stubs
• 1a1fedde - GroupSaml Settings Frontend review: columns & words
• d98742e7 - Static analysis fixes
• da61612a - Bulk rename of per_group_saml in SSO MR
• 9e766513 - style fixes

Compare with previous version

What about:

if @group && @group.identitiy_exists?(:saml, user)

?

changed this line in version 25 of the diff

@jamedjo nice work The code is looking good! I left few notes.

assigned to @jamedjo

@dbalexandre Cheers! I'll try and get back to this on Tuesday or Wednesday

added 1 commit

• f93ae7d5 - split SamlProvidersHelper#saml_link

Compare with previous version

changed the description

changed target branch from merge-jej/saml-sso-per-group to master

added 8330 commits

• f93ae7d5...2b3661a1 - 8327 commits from branch master
• 4921ce61 - WIP: Per Group SAML login
• e67d7cf8 - WIP: TODO comments
• 04c4d247 - WIP: Comments and other stuffs

Compare with previous version

added 4 commits

• 48eca92e - WIP: Omnituath controller refactoring fixes
• 9ce3072d - WIP: Saml fixes
• 2ca27450 - WIP: Renamed GroupSaml
• 405c21c7 - Moved IdentityLinker to Auth folder

Compare with previous version

added 1 commit

• 2eae7510 - WIP: Spec fix & rubocop

Compare with previous version

added 2 commits

• 08a16fcd - WIP: Per Group SAML login
• 4c794365 - Changed IdentityLinker interface

Compare with previous version

added 3 commits

• 34344e75 - Refactor OmniauthCallbacksController to remove duplication
• 1da6aa93 - Show error on failed OAuth account link
• 78b1c407 - WIP: Per Group SAML login

Compare with previous version

added 12 commits

• 4648062e - SamlProvider has many linked Identities
• fb485c58 - WIP: Group SAML SSO Page
• 0590e70c - WIP: Group SAML Omniauth Provider
• 8d360cab - Group SAML Omniauth Callback flow
• 09dd0ac0 - Group SAML links user Identity
• aae4cced - Group SAML adds user to Group
• a1d0b109 - Group SAML status badges on members page
• 16f5c0ac - Group SAML test button
• 5ed37868 - WIP: GroupSaml::User allows signup
• ec7ad90f - Exclude Group SAML from Omniauth sign in buttons
• b2f11913 - WIP: Exclude Group SAML from OmniauthCallbackController base methods
• 788b86fa - WIP: TODOs and unimplemented tests

Compare with previous version

changed target branch from master to merge-jej/saml-sso-per-group

changed milestone to %10.8

added 1731 commits

• 788b86fa...a2235739 - 1718 commits from branch merge-jej/saml-sso-per-group
• 3d2fce9d - SamlProvider has many linked Identities
• a817d3a4 - WIP: Group SAML SSO Page
• e02710b8 - WIP: Group SAML Omniauth Provider
• 3496e1c5 - Group SAML Omniauth Callback flow
• b6c774c9 - Group SAML links user Identity
• 85d4856a - Group SAML adds user to Group
• 253a2360 - Group SAML status badges on members page
• e5b75a71 - Group SAML test button
• 977c7e06 - WIP: GroupSaml::User allows signup
• 947b2d31 - Exclude Group SAML from Omniauth sign in buttons
• 7457fc86 - WIP: Exclude Group SAML from OmniauthCallbackController base methods
• c2fc57ec - WIP: TODOs and unimplemented tests
• 613f244a - Group SAML strips LRM chars from ADFS cert fingerprint

Compare with previous version

added 12 commits

• 2fe29f4a - WIP: Group SAML SSO Page
• 9b3a626b - WIP: Group SAML Omniauth Provider
• 84bcfecc - Group SAML Omniauth Callback flow
• e24b218a - Group SAML links user Identity
• a0868d64 - Group SAML adds user to Group
• 0d543c78 - Group SAML status badges on members page
• 3b89861d - Group SAML test button
• 7a589176 - WIP: GroupSaml::User allows signup
• aad478b7 - Exclude Group SAML from Omniauth sign in buttons
• 6a69d941 - WIP: Exclude Group SAML from OmniauthCallbackController base methods
• fd3c2297 - WIP: TODOs and unimplemented tests
• dc2eeddc - Group SAML strips LRM chars from ADFS cert fingerprint

Compare with previous version

added 11 commits

• 2c281dc5 - WIP: Group SAML Omniauth Provider
• f1b94427 - Group SAML Omniauth Callback flow
• d80512c4 - Group SAML links user Identity
• 59a89dba - Group SAML adds user to Group
• c6c8524f - Group SAML status badges on members page
• 1e61bbdd - Group SAML test button
• 390fe003 - WIP: GroupSaml::User allows signup
• b1d509ee - Exclude Group SAML from Omniauth sign in buttons
• e56c4761 - WIP: Exclude Group SAML from OmniauthCallbackController base methods
• cdcadb33 - WIP: TODOs and unimplemented tests
• 1b4ac2b9 - Group SAML strips LRM chars from ADFS cert fingerprint

Compare with previous version

added 277 commits

• 0541f237 - Add Inherit quick action
• d691df02 - Changed command name to copy_metadata and added MR support
• 427bfae2 - Fixed typos and improved reference checking
• da15007f - Fixed inconsistent descriptions and refactored reference checking
• 4f10cad9 - Add Inherit quick action
• a0adf877 - Changed command name to copy_metadata and added MR support
• 26087ae9 - Fixed typos and improved reference checking
• 593e3ffc - Fixed inconsistent descriptions and refactored reference checking
• 74ead692 - Rebase branch 'add-inherit-command'
• 748a2f2b - Added fuzzy file finder to web IDE
• d32eaee2 - correctly show the dropdown with `t` keypress
• ba4dde7c - small performance improvement by caching the computed prop
• a3566506 - added keymap to editor to open file finder
• b867b33e - moved CSS into SCSS file
• b0d84c1e - added ChangedFileIcon component to rows
• 71b80a11 - added specs
• e51fde9a - removed output that wasn't meant to be there
• cacc8f40 - fixes the sort to correctly order the array
• 066aa5b3 - fixed eslint
• a35391c9 - added specs to store
• 4a22a97e - added specs to stores allBlobs getter
• 7c9b2b04 - order files by lastOpenedAt date even after filtering
• 0281fbc1 - fixed item spec
• ea3a0d3e - remove v-html & use vdom instead
• 8a076c1b - fixed eslint & karma specs
• 392c411b - Introduce new ProjectCiCdSetting
• d9262b79 - created constants file
• 70bd90ba - fix mouseOver & arrow keys working at same time
• f8b1f38b - disable hover styles correctly in file finder dropdown
• 27be9666 - fixed dropdown not being scrollable
• 48fb30f7 - fixed up scrolling to items in finder dropdown
• 64be67f3 - Merge branch 'master' into ide-file-finder
• 5bf287ac - fixed scss lint
• f1719de3 - Merge branch 'master' into ide-file-finder
• aadde87f - moved keycodes constants to common lib file
• 79b49816 - Merge branch 'master' into ide-file-finder
• 12aab8ff - Prettify vue shared component & improve tests to match guidelines
• a96745d4 - Runs prettier on some vue shared components
• a5a7cabb - Port of fl-prettify to EE
• 98989900 - Updates documentation for clipboard button
• a8fb4865 - Updates tests
• a20566e2 - Fix broken spec
• 78aebc49 - Merge branch 'master' into matbaj/gitlab-ce-add-inherit-command
• 5cfbf2c8 - Added missing note for P1 priority
• a02eac25 - Fixed links and heading section
• 04b872e1 - Application Servers should have nginx running on them.
• 5051ca97 - Ignore ordering in IssueDueSchedulerWorker spec
• 342f33be - Update VERSION to 10.8.0-pre
• a580d399 - Merge branch 'master' into ee-fl-prettify
• 4e2b96d6 - Updates test to check svg for commit icon is being rendered
• 0903456a - Expose deploy token to CI/CD jobs as environment variable
• a6fb079e - Add changelog and docs
• f17e8365 - Enhances documentation on gitlab-deploy-tokens
• 0dd6d25c - Rename special deploy token to make it more descriptive
• 800ee75a - Ensure deploy tokens variables are not available in the context of only/except
• cdac54e2 - Refactor deploy token methods on Ci::Build
• e40bc1b1 - Create autodevops settings sections
• 4745361c - Ensure an autodevops instance exists for pipelines settings
• ea7127de - Changed anchor not to have the js prefix, add i18n
• e75f82b0 - Fix small typo
• 68031a6e - Expose deploy token to CI/CD jobs as environment variable
• e2782569 - Add changelog and docs
• 5d9cc6c1 - Enhances documentation on gitlab-deploy-tokens
• 82add03f - Rename special deploy token to make it more descriptive
• a04512cd - Ensure deploy tokens variables are not available in the context of only/except
• 365dd5a6 - Refactor deploy token methods on Ci::Build
• f8142542 - Fix missing Markdown link in background verification docs
• a2071f2b - Fix missing namespace for some internal users
• f10c999b - Refactor OmniauthCallbacksController to remove duplication
• f8d54913 - Show error on failed OAuth account link
• 92acc463 - Add missing changelog type to docs
• 720bdfc4 - fix revoke header on deploy token docs
• bc30eb37 - add babel-plugin-rewire to karma build
• 8166a11c - update babel config
• 8a713b37 - add spyOnDependency method
• 5e4d02ba - fix tests in comment_type_toggle_spec.js
• 00fc61cf - fix tests in droplab/hook_spec.js
• 1f1af49a - fix tests in filtered_search_manager_spec.js
• 704e8661 - fix more instances of "import *" with spyOnDependency
• 4d828eae - convert remaining instances of import * to use spyOnDependency
• 0b932a7f - add default exports to prevent rewire plugin from breaking vuex
• 8fa0aeb8 - fix illegal references to "this" in module context
• 6180102f - only apply rewire plugin when running karma tests
• c15584f2 - disable sourcemaps when generating coverage report to avoid out-of-memory errors
• 44783480 - document the spyOnDependency method
• 091cab95 - fix CI BABEL_ENV variable
• 807b7a16 - Flowdock uses Gitaly, not Grit
• c62557b0 - Update repository storages documentation URL
• 57161677 - Fix project creation for user endpoint bug
• a0116677 - Emit `onValueClick` event on component when container is clicked
• bdc84d4f - Merge branch 'master' into ide-file-finder
• c87c55bb - Add 2FA filter to users API for admins only
• 04716cb0 - Add changelog for 2fa filter in users api
• 3954d45f - Add 2FA filter to users API for admins only
• 2f57341b - Emit `toggleCollapse`, `onDropdownClose` on component
• ae2e2951 - Merge branch…
• 508ad87e - Merge branch 'zj-flowdock-gitaly-compat' into 'master'
• 9b3085b4 - Merge branch…
• f81b1a24 - Merge branch 'dz-add-2fa-filter-admin-api' into 'master'
• 16eb5607 - Merge branch 'ee-dz-add-2fa-filter-admin-api' into 'master'
• c8129d79 - Merge branch 'blackst0ne-add-missing-changelog-type-to-docs' into 'master'
• eb1cb7be - Merge branch '45576-fix-create-project-for-user-endpoint' into 'master'
• 6199b45b - Move spec helpers/matchers/shared examples/contexts to their relevant folder
• ea43a548 - Introduce spec/fast_spec_helper.rb to run spec files that don't rely on the whole Rails env
• c9ec78da - Document the new 'spec/fast_spec_helper.rb' file
• d839f684 - [EE] Move Settings to its own file, isolate it from Rails and introduce Gitlab.root
• 44a222ad - Use axios request to interact with API instead of UJS
• 023d4f6f - Move spec helpers/matchers/shared examples/contexts to their relevant folder
• d2aee809 - Introduce spec/fast_spec_helper.rb to run spec files that don't rely on the whole Rails env
• fe919f95 - Document the new 'spec/fast_spec_helper.rb' file
• c286c66f - Move Settings to its own file, isolate it from Rails and introduce Gitlab.root
• d7547eea - Merge branch 'ce-5514-fix-epic-collapsed-sidebar-label-click' into 'master'
• a527c9b9 - Fix disabled state while making a request
• 192df7d9 - Merge branch 'master' into fl-prettify-2
• b7dc48a4 - Merge branch 'master' into ee-fl-prettify
• 8a1af9f0 - Fix minor typos
• 1edd5c73 - Merge branch '43466-make-auto-devops-settings-first-class' into 'master'
• c921e686 - Moved committer and spec. Added some extra code to run hooks or not depending on the options
• ce9fca8d - Merge branch 'fj-45594-vendoring-committer-with-hooks' into 'master'
• 2667fb0c - Merge branch 'jr-fix-project-import-api-typo-docs' into 'master'
• 5b44097c - Address latest feedback
• c1b11b00 - Address latest feedback
• 6673934d - Fix eslint
• 8bd0bb72 - Use axios request to interact with API instead of UJS
• b76f1d14 - Fix disabled state while making a request
• e458e99c - Fix eslint
• d7642137 - Fix eslint
• 14981d51 - Merge branch 'fl-prettify' into 'master'
• d7f68bcf - Merge branch 'fl-prettify-2' into 'master'
• 1c7008fb - Merge branch 'ee-fl-prettify' into 'master'
• 98d5506a - Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-04-23
• d3a8a074 - Unify Saml::IdentityLinker and OAuth::IdentityLinker
• 627eba55 - Merge branch '33697-remove-ujs-action-big-graph' into 'master'
• 987324f6 - Merge branch 'ee-33697-remove-ujs-action-big-graph' into 'master'
• cf11a9e7 - Resolve conflicts for app/assets/javascripts/vue_shared/components/ci_icon.vue
• c8112f99 - Fix conflict in app/finders/users_finder.rb
• c78e2ff9 - Get rid of config/initializers/2_app.rb and define Gitlab in lib/gitlab.rb
• 2afe3a12 - Get rid of config/initializers/2_app.rb and define Gitlab in lib/gitlab.rb
• 82d66ac9 - Increases specs examples regarding projects & deploy tokens
• 36811152 - Increases specs examples regarding projects & deploy tokens
• 97b83b2a - Merge branch 'patch-19' into 'master'
• 38b35076 - Merge branch 'missing-note-on-p1' into 'master'
• f2135520 - Merge branch 'ce-to-ee-2018-04-23' into 'master'
• a69977e7 - Replace define_method with alias_method in Omniauth Controllers
• 24cd7a5c - Auth::User classes refactor adds should_save?
• 1f062ee0 - Merge branch '44713-fast-spec-helper' into 'master'
• 048d388f - Merge branch 'ee-44713-fast-spec-helper' into 'master'
• effda09e - Suggest place for data-directories on mountpoints
• e3ff928c - Describe workaround when restore fails because of `Errno::EBUSY`
• 795cd7f9 - Replace define_method with alias_method in Omniauth Controllers
• dd09a19a - Auth::User classes refactor adds should_save?
• 60f0764e - Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-04-23
• 3d12ce95 - Merge branch '45635-repository-storages-documentation-url-moved' into 'master'
• 471457d4 - EE: Make sure we're not creating duplicated namespace
• ab286656 - Resolve "Namespace factory is problematic"
• a264524a - Merge branch '42936-improve-ns-factory-avoid-duplicates-ee' into 'master'
• 2e00c1a7 - Merge branch '42936-improve-ns-factory-avoid-duplicates' into 'master'
• ee274f89 - Update links to /ci/lint with ones to project ci/lint
• a103cbbe - Update doorkeeper for:
• f45545ed - Fix conflict for app/assets/javascripts/pipelines/components/graph/graph_component.vue
• 578689de - Fix conflict for app/assets/javascripts/pipelines/components/graph/stage_column_component.vue
• 8928d85c - Resolve conflict in lib/gitlab.rb
• 84825b39 - Resolve conflict in lib/settings.rb
• d8e41083 - Resolve conflict in spec/spec_helper.rb
• 491acf3b - Resolve conflict in spec/support/helpers/stub_configuration.rb
• c0eabb84 - Merge branch '45433-upgrade-doorkeeper' into 'master'
• 2b5ac115 - Fix users not seeing labels from private groups when being a member of a child project
• 741f333d - Resolve "Avatar URLs are wrong when using a CDN path and Object Storage"
• cc0b4e3c - Merge branch '44775-avatar-on-os-fails-with-cdn' into 'master'
• aa15cada - Add missing changelog entry
• 81e80ae9 - Merge branch '45666-project-ci-lint-links' into 'master'
• 2e5bc82f - Merge branch 'sh-geo-dr-background-verf-docs' into 'master'
• e9b8fb43 - Merge branch 'update-doorkeeper-changelog' into 'master'
• 8e1f50f9 - Merge branch 'ce-to-ee-2018-04-23' into 'master'
• 6da64cb7 - Update CHANGELOG-EE.md for 10.7.1-ee
• f3e0c08b - Update CHANGELOG.md for 10.7.1
• 3569294e - Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ce
• c4ccd776 - Update CHANGELOG.md for 10.7.1
• 407a8004 - Add Capybara debugging methods to docs
• 54b97f9c - Merge branch 'mk/add-capybara-debugging-methods-to-docs' into 'master'
• fc02fb3a - Merge branch '5735-follow-up-from-resolve-document-background-verification-docs' into 'master'
• 69246ec8 - Bump lograge to 0.10.0 and remove monkey patch
• b0859a52 - [Backport] Burndown chart for group milestone
• c7d8de4b - Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-04-23
• fd8547b9 - Fix docs typo for ci/lint
• ad0aa828 - Fix CHANGELOG conflicts
• 1b9c1ac3 - Merge branch 'master' into 10244-add-project-ci-cd-settings
• d3db21b4 - Merge branch '45688-ci-lint-url-typo' into 'master'
• 8a726a08 - Merge branch 'issue_45463' into 'master'
• dc62ac84 - Merge branch 'ee-44447-expose-deploy-token-to-ci-cd' into 'master'
• 92cb6d63 - Merge branch '44447-expose-deploy-token-to-ci-cd' into 'master'
• a544f6ec - Merge branch '3064-group-burndown-chart' into 'master'
• 898e3496 - Resolve conflict in app/models/concerns/routable.rb
• 1133b322 - Resolve conflict in spec/factories/namespaces.rb
• 8ad7cb77 - Replace find file project spinach tests with RSpec
• fc070ad0 - Merge branch 'replace-fild-file-tests' into 'master'
• b0f7ab7f - Merge branch 'sh-bump-lograge' into 'master'
• bb8e4268 - Merge branch 'ide-file-finder' into 'master'
• eda46572 - Merge branch 'ce-to-ee-2018-04-23' into 'master'
• d210c6b6 - Merge branch 'bvl-warn-if-move-fails-on-mountpoint' into 'master'
• 8e0fe6a4 - Merge branch 'ee-jej/refactor-omniauth-controller' into 'master'
• 1e624f34 - Merge branch 'jej/refactor-omniauth-controller' into 'master'
• 6d3121be - Improve documentation of SSRF protection
• 26147b73 - Merge branch 'fj-45057-improve-ssrf-documentation' into 'master'
• 687f5788 - Merge branch 'lm-update-ha-app-server-config' into 'master'
• f5524d55 - Merge branch '10244-add-project-ci-cd-settings' into 'master'
• 943fc87d - Fix an N+1 for MRs from forks on the MR index page
• d71193a0 - Show Runner's description on job's page
• d9325335 - Add CHANGELOG entry
• faa7ff3e - Document externally hosted LFS objects
• aeed6b5a - Only show push-to-master authorized users
• b2041d1e - Merge branch 'show-runners-description-on-jobs-page' into 'master'
• 35a49922 - Allow admins to push to empty repos
• db377437 - Make /copy_metadata only handle the first issuable passed
• c7b12a41 - Merge branch…
• 8bb15838 - [EE] Fix unassign slash command preview
• 4b542c17 - Merge branch '4950-unassign-slash-command-preview-fix' into 'master'
• 36dc28fd - Fix unassign slash command preview
• 8b41c406 - Merge branch '4950-unassign-slash-command-preview-fix' into 'master'
• d6a97dab - Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-04-24
• 6a88ffb4 - Merge branch 'master' into matbaj/gitlab-ce-add-inherit-command
• 1c652f03 - Add copy_metadata quick action
• 746706d1 - Fix conflicts in Auth::User classes, user routes and LDAP callback controller
• de292501 - Fix conflicts on ci/variables readme
• ea8d8412 - Fix conflicts on ci/yaml README
• 1a9f2a33 - Present Burndown charts for group milestones
• 0c1cd35b - add merge request ref to changelog entry
• b80c7551 - EE Port of "Add some way to mock and spy on default ES modules"
• aa78453c - Merge branch 'ee-30998-add-babel-rewire-plugin' into 'master'
• 52dfdcf7 - Broken link fix
• b173e564 - Merge branch '30998-add-babel-rewire-plugin' into 'master'
• 17ffd998 - Merge branch 'jr-40616-external-lfs-docs' into 'master'
• d1a3aef5 - Fix undefined method pending_delete for nil class
• 1378380b - Add CHANGELOG
• 906fc00c - Merge branch 'bvl-fix-maintainer-push-error' into 'master'
• 5ade9350 - Merge branch 'ee-matbaj/gitlab-ce-add-inherit-command' into 'master'
• 878ad484 - Merge branch 'matbaj/gitlab-ce-add-inherit-command' into 'master'
• 1a4b6568 - Merge branch 'ce-to-ee-2018-04-24' into 'master'
• 28046b90 - Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-04-24
• d0de51e1 - Resolve conflicts in doc/user/project/quick_actions.md
• 9cb21bf9 - Resolve conflicts in quick_actions/interpret_service_spec.rb
• a379eb99 - Resolve conflicts in spec/factories/projects.rb
• 1aa11de1 - Merge branch 'patch-29' into 'master'
• 3ad47965 - Resolve conflicts in spec/models/project_spec.rb
• e73b9812 - Update import on actions file to fix conflict when rewire plugin was added
• bd54136e - Merge branch '5751-geo-undefined-method-pending_delete-for-nil-nilclass' into 'master'
• 87cdd43b - Merge branch '45725-broken-master' into 'master'
• 575302c1 - Do not preload settings
• 742dd303 - Resolve conflicts in `spec/models/project_spec.rb` | take 2
• f2a1bd6c - Move the push_to_empty_repo to the user_access spec
• dd6774f2 - Return false for test envs on Gitlab.dev_or_com? call
• 132f7d33 - Backport dev env check for storage settings deprecation
• 92be3461 - Mock Pager in Karma tests
• ab7b01aa - Merge branch 'winh-mock-pager' into 'master'
• 19d7a18a - Merge branch '45725-broken-master' into 'master'
• 03e16029 - Merge branch 'ce-to-ee-2018-04-24' into 'master'
• 60039b36 - Merge branch '3064-group-burndown-chart' into 'master'
• 772b6b08 - Merge branch 'fix-settings-preloading' into 'master'
• 3a1ffbf6 - Replace the `admin/license.feature` spinach test with an rspec analog
• 77bea357 - Merge branch 'blackst0ne-replace-spinach-admin-license.feature' into 'master'
• 67b18509 - Merge branch 'osw-avoid-noisy-warnings-on-test-env' into 'master'
• e6f6f8e7 - Merge branch 'osw-backport-dev-env-check-for-storage-settings-deprecation' into 'master'
• 0b1c796f - Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-04-25
• 51125bfb - Merge branch 'ce-to-ee-2018-04-25' into 'master'
• 9ae8d7eb - SamlProvider has many linked Identities
• f32ebe51 - WIP: Group SAML SSO Page
• 7bdc7a37 - WIP: Group SAML Omniauth Provider
• 0d333e04 - Group SAML Omniauth Callback flow
• 4d4e18b8 - Group SAML links user Identity
• 4bb21175 - Group SAML adds user to Group
• 6980de2b - Group SAML status badges on members page
• 5db83543 - Group SAML test button
• 19446b33 - WIP: GroupSaml::User allows signup
• c201b25d - Exclude Group SAML from Omniauth sign in buttons
• c67020e9 - WIP: Exclude Group SAML from OmniauthCallbackController base methods
• 3fd7b148 - WIP: TODOs and unimplemented tests
• c0e5c05f - Group SAML strips LRM chars from ADFS cert fingerprint

Compare with previous version

added 11 commits

• 39f51b33 - WIP: Group SAML Omniauth Provider
• 777a48c9 - Group SAML Omniauth Callback flow
• 587cf8f4 - Group SAML links user Identity
• 72d38c86 - Group SAML adds user to Group
• 9a4d3a39 - Group SAML status badges on members page
• f8be47c0 - Group SAML test button
• ab51973e - WIP: GroupSaml::User allows signup
• c74054d1 - Exclude Group SAML from Omniauth sign in buttons
• 339ade76 - WIP: Exclude Group SAML from OmniauthCallbackController base methods
• 755f2595 - WIP: TODOs and unimplemented tests
• 516887bd - Group SAML strips LRM chars from ADFS cert fingerprint

Compare with previous version

added 11 commits

• a2c00486 - WIP: Group SAML Omniauth Provider
• f42e116b - Group SAML Omniauth Callback flow
• aec7c61b - Group SAML links user Identity
• 5b844a04 - Group SAML adds user to Group
• 52364ef6 - Group SAML status badges on members page
• 1ed39ad0 - Group SAML test button
• aabbf7a9 - WIP: GroupSaml::User allows signup
• cda1cce6 - Exclude Group SAML from Omniauth sign in buttons
• bde33014 - WIP: Exclude Group SAML from OmniauthCallbackController base methods
• e22deec8 - WIP: TODOs and unimplemented tests
• ef0fa636 - Group SAML strips LRM chars from ADFS cert fingerprint

Compare with previous version

added 20 commits

• e27f573c - WIP: Group SAML Omniauth Provider
• 2a920003 - fixup! WIP: Group SAML Omniauth Provider
• 1ab8720f - fixup! WIP: Group SAML Omniauth Provider
• c80c313f - fixup! WIP: Group SAML Omniauth Provider
• f668fd44 - fixup! WIP: Group SAML Omniauth Provider
• 37e0a55b - Change callback path for Devise compatability
• 160619c0 - Pass GroupSaml errors to config view
• 818e3143 - Group SAML Omniauth Callback flow
• 5e0cf734 - Group SAML links user Identity
• d599f18b - Group SAML adds user to Group
• 07b2db6b - Group SAML status badges on members page
• 7b2ce388 - Group SAML test button
• b19b9b69 - WIP: GroupSaml::User allows signup
• 164e0743 - Exclude Group SAML from Omniauth sign in buttons
• 1d3cf212 - WIP: Exclude Group SAML from OmniauthCallbackController base methods
• 6282fba7 - WIP: TODOs and unimplemented tests
• 476ae3ca - Group SAML strips LRM chars from ADFS cert fingerprint
• f921fc76 - fixup! WIP: Group SAML Omniauth Provider
• f7ccc354 - Handle Group SAML failures in correct controller
• 3af3eb8f - SamlProvider feature spec checks SSO flow

Compare with previous version

added 14 commits

• 214170bc - WIP: Group SAML Omniauth Provider
• bf6a9315 - Group SAML Omniauth Callback flow
• b9f29b61 - Group SAML links user Identity
• 77c71f26 - Group SAML adds user to Group
• ce1d7543 - Group SAML status badges on members page
• 97db4681 - Group SAML test button
• 31257a83 - WIP: GroupSaml::User allows signup
• 859bd8fc - Exclude Group SAML from Omniauth sign in buttons
• f9afe764 - WIP: Exclude Group SAML from OmniauthCallbackController base methods
• 87b8a014 - WIP: TODOs and unimplemented tests
• a1148f6e - Group SAML strips LRM chars from ADFS cert fingerprint
• 63998b40 - Pass GroupSaml errors to config view
• c7cb4b05 - Handle Group SAML failures in correct controller
• af0ad9c3 - SamlProvider feature spec checks SSO flow

Compare with previous version

changed target branch from merge-jej/saml-sso-per-group to master

added 11 commits

• edd27354 - WIP: Group SAML Omniauth Provider
• ca44127e - Group SAML Omniauth Callback flow
• fad4c758 - Group SAML links user Identity
• 6557ce69 - Group SAML adds user to Group
• e0418a6d - Group SAML status badges on members page
• 972f1542 - Group SAML test button
• 878d3609 - WIP: GroupSaml::User allows signup
• 7b27156c - WIP: TODOs and unimplemented tests
• aa7ef741 - Pass GroupSaml errors to config view
• 43e3ace3 - Handle Group SAML failures in correct controller
• ef7c5e1d - SamlProvider feature spec checks SSO flow

Compare with previous version

mentioned in merge request !5507 (merged)

mentioned in merge request !5508 (merged)

mentioned in merge request !5509 (merged)

mentioned in epic &40 (closed)

mentioned in merge request !5575 (merged)

added 709 commits

• ef7c5e1d...4ae8b397 - 703 commits from branch master
• 8078f149 - Group SAML status badges on members page
• 4cace882 - Group SAML test button
• 731e2190 - WIP: GroupSaml::User allows signup
• a24df41e - WIP: TODOs and unimplemented tests
• 1abc1709 - Pass GroupSaml errors to config view
• d38f2a58 - Handle Group SAML failures in correct controller

Compare with previous version

I've rebased this on master after the majority of this feature merged via split MRs. This MR is left with the SAML test button, error handling, status badges and sign-up/sign-in flows.

mentioned in merge request !5817 (merged)

mentioned in issue #6260 (closed)

changed milestone to %11.5

This prototype MR can be closed as it has mostly been implemented elsewhere. From the todos above a few things remaining stand out:

• Actually using SAML for SSO to sign users into GitLab.com (https://gitlab.com/gitlab-org/gitlab-ee/issues/6261 / https://gitlab.com/gitlab-org/gitlab-ee/issues/6207)
• A sensible user registration flow (https://gitlab.com/gitlab-org/gitlab-ee/issues/5292)
• Ability to disconnect untrusted providers (https://gitlab.com/gitlab-org/gitlab-ee/issues/5016)
• Providing metadata XML (https://gitlab.com/gitlab-org/gitlab-ee/issues/6090)
• Supporting metadata auto-configuration (Not a priority)

closed

added Enterprise Edition label

mentioned in merge request !30653 (merged)