2FA Unlock breaks Group SSO
Users with SSO and 2FA enabled have reported being unable to sign in after getting locked out of their account.
With password login, users are able to click an unlock link emailed to them and sign in again, but our SSO flow is not unblocked by this action.
Steps to reproduce
- Use GitLab.com or configure a GitLab instance with
- Create a Group and configure SAML SSO
- Enable SSO Enforcement, although this may not be required
- Enable 2FA for a user
- Attempt to sign in with SSO for that group
- Enter an incorrect 2FA code 10 times to trigger a 10-minute lock on sign-ins
- Check email and click the unlock link sent from GitLab
- Navigate back to the SSO sign-in page and attempt to sign in, if presented with a form.
- Instead of being able to sign in
With password sign-in, clicking the unlock link allows password sign-in to take place again; the SSO flow stays blocked.
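To make the expected behaviour concrete while investigating, here is an added Ruby model (not GitLab's code, and not Devise's) of the lockable semantics both sign-in paths are supposed to share. Field names follow Devise's lockable module (`failed_attempts`, `locked_at`, `unlock_token`); the limits of 10 attempts and 10 minutes come from the steps above, and everything else (the `LockableUser` and `SignInGuard` names, the SHA-256 token digest, the `reproduce` helper) is an assumption for illustration. It shows what a token unlock must reset and that a password check and an SSO callback consulting the same `access_locked?` predicate agree before and after the unlock, which is the baseline to compare the real `SessionsController` and OmniAuth callback behaviour against.

```ruby
require 'securerandom'
require 'digest'

# Simplified stand-in for a Devise-lockable user record (assumption: not
# GitLab's or Devise's implementation, just the fields the issue depends on).
class LockableUser
  MAXIMUM_ATTEMPTS = 10   # from the issue: 10 wrong 2FA codes trigger the lock
  UNLOCK_IN = 10 * 60     # from the issue: 10-minute time-based unlock

  attr_reader :failed_attempts, :locked_at, :unlock_token, :emailed_unlock_links

  def initialize
    @failed_attempts = 0
    @locked_at = nil
    @unlock_token = nil
    @emailed_unlock_links = []   # raw tokens that would be emailed to the user
  end

  # Called after any failed credential check (password or OTP alike).
  def register_failed_attempt(now: Time.now)
    @failed_attempts += 1
    lock_access!(now: now) if @failed_attempts >= MAXIMUM_ATTEMPTS
  end

  # Lock the account, store only a digest of the unlock token, "email" the raw one.
  def lock_access!(now: Time.now)
    @locked_at = now
    raw = SecureRandom.hex(16)
    @unlock_token = Digest::SHA256.hexdigest(raw)
    @emailed_unlock_links << raw
  end

  # Clicking the emailed link presents the raw token; a match clears the lock.
  def unlock_access_by_token(raw)
    return false unless @unlock_token && @unlock_token == Digest::SHA256.hexdigest(raw)
    unlock_access!
    true
  end

  # Everything a successful unlock must reset, whichever flow signs in next.
  def unlock_access!
    @locked_at = nil
    @failed_attempts = 0
    @unlock_token = nil
  end

  def access_locked?(now: Time.now)
    !@locked_at.nil? && !lock_expired?(now: now)
  end

  def lock_expired?(now: Time.now)
    !@locked_at.nil? && (now - @locked_at) > UNLOCK_IN
  end
end

# Both sign-in paths must gate on the same lock state (assumed design, not GitLab's code).
module SignInGuard
  def self.password_sign_in(user, now: Time.now)
    user.access_locked?(now: now) ? :locked : :ok
  end

  def self.sso_callback(user, now: Time.now)
    user.access_locked?(now: now) ? :locked : :ok
  end
end

# Walk the issue's scenario: 10 failures, lock, click the emailed link, retry both paths.
def reproduce(now: Time.now)
  user = LockableUser.new
  LockableUser::MAXIMUM_ATTEMPTS.times { user.register_failed_attempt(now: now) }
  before = [SignInGuard.password_sign_in(user, now: now), SignInGuard.sso_callback(user, now: now)]
  unlocked = user.unlock_access_by_token(user.emailed_unlock_links.last)
  after = [SignInGuard.password_sign_in(user, now: now), SignInGuard.sso_callback(user, now: now)]
  { before: before, unlocked: unlocked, after: after, failed_attempts: user.failed_attempts }
end

# Alternative: no link clicked, the lock simply expires after UNLOCK_IN.
def expires_without_link?(now: Time.now)
  user = LockableUser.new
  LockableUser::MAXIMUM_ATTEMPTS.times { user.register_failed_attempt(now: now) }
  still_locked = user.access_locked?(now: now + LockableUser::UNLOCK_IN - 1)
  still_locked && !user.access_locked?(now: now + LockableUser::UNLOCK_IN + 1)
end

if __FILE__ == $PROGRAM_NAME
  p reproduce
  p expires_without_link?
end
```

When tracing the real code, the useful comparison is which of these fields each path reads after the unlock link is clicked: if the password path and the SSO callback disagree, one of them is not consulting the same lock state as `access_locked?` above. A wrong unlock token must also be rejected, which the model's `unlock_access_by_token` returning `false` covers.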
Ideally we'd show instructions for resetting 2FA at some point.
TODO: Screenshots of the flow, or screencap.
Investigate how the SSO callback behaviour differs from SessionsController when the account has previously been locked by 2FA failures.
Investigate why users are triggering 2FA lockouts. Are users confused and entering the 2FA code for their identity provider instead of the one for GitLab? Is something else triggering the lockout?