Prevent access to Group SAML metadata/SLO endpoints (!5765) · Merge requests · GitLab.org / GitLab

James Edwards-Jones requested to merge jej/group-saml-metadata-disabled into master May 18, 2018

Why

The metadata endpoint allows an anonymous user to determine that the group exists, requiring some work for us to securely support.

The single log out endpoints are untested and shouldn't be enabled on GitLab.com without a more thorough review. They might also reveal group existence. Given that the instance wide SLO endpoints don't work they are also to provide any user benefit.

Does this MR meet the acceptance criteria?

~~Changelog entry added, if necessary~~ This feature is behind both a cookie and configuration flag to mark it as beta.
Documentation created/updated
Tests added for this feature/bug
Conform by the code review guidelines
- Has been reviewed by a Backend maintainer
End-to-end tests pass (package-qa manual pipeline job)

What are the relevant issue numbers?

Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/5900

Edited May 22, 2018 by Nick Thomas

Prevent access to Group SAML metadata/SLO endpoints

Why

Does this MR meet the acceptance criteria?

What are the relevant issue numbers?

Merge request reports