Force GitLab.com SAML users to reauthenticate after timeout
Description
This issue is related to the ongoing SSO work for GitLab.com
In order to verify that a user is still present on their organization's identity provider, we need to require the user to reauthorize every so often when they attempt to access the affiliated group. If the user fails their LDAP handshake and isn't on the IdP, we can prevent access to potentially sensitive information (for example, when an employee was let go or a contract expired and that member was removed from the organization at the IdP).
Proposal
- If a user has not reauthorized with their identity provider for 24 hours, route the user to the identity provider URL.
- This reauthorization request should trigger if the user attempts to access any resource nested in the group.
QA edge cases
- Web access: System notes for confidential issues should not be visible when cross-mentioning/linking issues
- Web access: Some pages might use a different controller and remain visible despite the user's access having expired
- Email notifications: if the group or project is not private and issues/merge requests are visible to everyone, the user should still receive notifications
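The following is an added example (not GitLab's own code) that models the proposal above in plain Ruby: a per-root-group record of the last successful IdP authentication, a 24-hour window after which any access to a resource nested under that group is routed to the IdP URL, and, for the first QA edge case, a visibility check that filters cross-reference system notes against the mentioned confidential issue rather than the page being viewed. The names `SamlSessionPolicy`, `Group`, `Issue`, `SystemNote`, `redirect_for` and the IdP URL are hypothetical; the session is a plain Hash standing in for the web session store.

```ruby
require 'time'

# 24-hour reauthorization window from the proposal (seconds).
REAUTH_WINDOW = 24 * 60 * 60

# Minimal group model: each group knows its parent, so a subgroup or project
# can be traced back to the root group that enforces SAML.
Group = Struct.new(:name, :parent, :saml_enforced) do
  def ancestors_and_self
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end

  # Nearest enclosing group (or self) that enforces SAML, or nil.
  def saml_root
    ancestors_and_self.find(&:saml_enforced)
  end
end

class SamlSessionPolicy
  def initialize(window: REAUTH_WINDOW)
    @window = window
  end

  # Record a successful IdP response. The session maps the SAML root group's
  # name to the Time of the last authentication with that group's IdP.
  def record_auth!(session, root_group, at:)
    session[root_group.name] = at
    session
  end

  # Returns nil when access may proceed, or the IdP URL to route the user to
  # when they have not reauthorized within the window. Applies to any group
  # nested under a SAML-enforced root, not only the root itself.
  def redirect_for(session, group, idp_urls, now:)
    root = group.saml_root
    return nil unless root # hierarchy without SAML enforcement

    last = session[root.name]
    return idp_urls.fetch(root.name) if last.nil? || now - last >= @window

    nil
  end
end

# QA edge case: a system note created by cross-mentioning a confidential
# issue is only visible if the viewer may read that issue, and only while
# the viewer's SAML session for the issue's group is still fresh.
Issue = Struct.new(:id, :group, :confidential, :members)
SystemNote = Struct.new(:mentioned_issue)

def note_visible?(note, viewer, session, policy, idp_urls, now:)
  issue = note.mentioned_issue
  return false if policy.redirect_for(session, issue.group, idp_urls, now: now)
  return true unless issue.confidential

  issue.members.include?(viewer)
end

# Constructed sample run (hypothetical groups and IdP URL).
if __FILE__ == $PROGRAM_NAME
  root = Group.new('acme', nil, true)
  sub = Group.new('acme-eng', root, false)
  urls = { 'acme' => 'https://idp.example.test/sso' }
  policy = SamlSessionPolicy.new
  session = {}
  t0 = Time.utc(2024, 1, 1, 0, 0, 0)

  puts "first visit -> #{policy.redirect_for(session, sub, urls, now: t0).inspect}"
  policy.record_auth!(session, root, at: t0)
  puts "23h later   -> #{policy.redirect_for(session, sub, urls, now: t0 + 23 * 3600).inspect}"
  puts "24h later   -> #{policy.redirect_for(session, sub, urls, now: t0 + 24 * 3600).inspect}"
end
```

Because the check walks the ancestor chain, it fires for any subgroup or project nested under the enforcing group, which is the second bullet of the proposal; pages served by a controller that never calls this check are exactly the second QA edge case and would need the same guard.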
Links / references
Edited by James Edwards-Jones