Group SSO enforcement allowing subproject when the user is an owner
Problem
SSO session enforcement checks are not performed for group owners on projects within the group.
Original problem before diagnosis
A user was unable to link SAML to their account but was still given access to resources restricted to users with SAML.
SAML authentication completed, so that may have been stored before we hit a problem retrieving the user due to inconsistent capitalization. Technically this might be OK, because SAML authentication was completed and the user already had SAML access through the group, but it is confusing and can appear to be a more serious flaw.
Related
- https://gitlab.zendesk.com/agent/tickets/133489
- Feature flag enabled this week: https://gitlab.com/gitlab-org/gitlab-ee/issues/11757
Edited by James Edwards-Jones