Group SAML metadata endpoint
What
- Refactors `SamlProvider` so the omniauth settings can be used before IdP fields have been saved.
- Introduces `Group#discovery_token` to convey that an anonymous user already knows of a group's existence.
- Re-enables the `/metadata` group SAML endpoint so identity providers can retrieve configuration metadata. Requires the discovery token for this endpoint.
- Links to the metadata endpoint from the Group SAML settings page.

Expands upon https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/5765 which disables the `/metadata` endpoint.
Why
Some identity providers require metadata XML to set SAML up, and with others there is an expectation it will be provided for ease of use.
Screenshots
Database Checklist
When adding migrations:
- Updated db/schema.rb
- Added a `down` method so the migration can be reverted
- Added the output of the migration(s) to the MR body
== 20180520211048 AddDiscoveryTokenToNamespaces: migrating ====================
-- add_column(:namespaces, :discovery_token, :string)
-> 0.0093s
== 20180520211048 AddDiscoveryTokenToNamespaces: migrated (0.0096s) ===========
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary (Group SAML is aimed at GitLab.com but not yet enabled there, and is additionally hidden behind a beta cookie.)
- Documentation created/updated
- Tests added for this feature/bug
- Conform by the code review guidelines
- Has been reviewed by a UX Designer
- Has been reviewed by a Backend maintainer
- Has been reviewed by a Database specialist
- EE specific content should be in the top level `/ee` folder
- Internationalization required/considered
- If paid feature, have we considered GitLab.com plan and how it works for groups and is there a design for promoting it to users who aren't on the correct plan
- End-to-end tests pass (`package-qa` manual pipeline job)
What are the relevant issue numbers?
Edited by Kamil Trzciński
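The security point of the "What" section above is that a metadata endpoint an IdP can fetch anonymously must not double as a way to enumerate private groups, which is what the discovery token is for. The following Ruby is an added illustration of that design, not code from this MR or from GitLab: a group's SP metadata is served only when the caller presents the group's discovery token, the token is compared in constant time, and an unknown group, a group with no `SamlProvider`, a missing token and a wrong token all yield the same 404. It also shows why the `SamlProvider` refactor matters: SP metadata needs only SP-side values, so it can be produced while the IdP fields are still nil. The instance URL, the entity ID and ACS URL shapes, the token generation scheme and the sample groups are all assumptions made for the example.

```ruby
require "securerandom"
require "cgi"

# Assumed instance URL; the MR description does not state one.
BASE_URL = "https://gitlab.example.com".freeze

# Stand-in for what Group#discovery_token would hold: a random, URL-safe
# string stored in the `discovery_token` column the migration above adds.
# Assumption: the MR's actual generation scheme is not shown on this page.
def generate_discovery_token
  SecureRandom.urlsafe_base64(20)
end

# Constant-time comparison so a wrong token gives no timing signal about
# how many leading bytes matched. Early return on length mismatch is fine:
# the length of a valid token is not a secret.
def secure_compare(expected, given)
  return false unless expected.bytesize == given.bytesize
  expected.bytes.zip(given.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed sample groups keyed by full path (not real GitLab data).
# "acme" has a SamlProvider whose IdP fields have not been saved yet;
# "ghost" has no SamlProvider at all.
SAMPLE_GROUPS = {
  "acme"  => { discovery_token: "tok-acme-0123456789",
               saml_provider: { idp_sso_url: nil, idp_cert_fingerprint: nil } },
  "ghost" => { discovery_token: "tok-ghost-abcdefghij", saml_provider: nil },
}.freeze

# SP metadata depends only on SP-side values (entity ID, ACS URL), so it can
# be generated before any IdP settings exist. The URL shapes are assumptions.
def sp_metadata_xml(base_url, group_path)
  entity_id = CGI.escapeHTML("#{base_url}/groups/#{group_path}")
  acs_url   = CGI.escapeHTML("#{base_url}/groups/#{group_path}/-/saml/callback")
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="#{entity_id}">
      <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="#{acs_url}" index="0" isDefault="true"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
  XML
end

# Models an anonymous GET of the group's metadata URL with a `token` query
# parameter, returning [status, body]. Unknown group, group without a
# SamlProvider, missing token and wrong token all produce an identical 404,
# so the endpoint cannot be used to probe which private groups exist or
# which of them have SAML configured.
def metadata_endpoint(groups, group_path, token)
  not_found = [404, ""]
  group = groups[group_path]
  return not_found unless group && group[:saml_provider]
  return not_found unless token.is_a?(String) && secure_compare(group[:discovery_token], token)
  [200, sp_metadata_xml(BASE_URL, group_path)]
end

if __FILE__ == $PROGRAM_NAME
  puts metadata_endpoint(SAMPLE_GROUPS, "acme", SAMPLE_GROUPS["acme"][:discovery_token]).last
  p metadata_endpoint(SAMPLE_GROUPS, "acme", "guess") # => [404, ""]
end
```

The token is deliberately not a bearer credential for anything beyond "I already know this group exists": the metadata it unlocks contains nothing secret, so the check only needs to remove the enumeration oracle, and the two 404 paths need not be timing-identical with each other for that purpose.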