New user flow for SSOing into a GitLab.com group
Description
When a user authenticates into a group with SSO enabled, they must have a pre-existing set of credentials on the GitLab instance. For GitLab.com, this requires that the user have a GitLab.com account that we can link with the credentials we receive from their connected SAML 2.0 identity provider.
We should remove this requirement for users who may not already have an account on the relevant GitLab instance. For GitLab.com, this would allow a user authenticating for the first time to create an account as part of the flow.
This flow is also needed when we require dedicated credentials to access a group, since every user will have to register a new account associated with the group the first time they SSO in.
Proposal
- When a user is using an SSO URL, we currently present the login/registration screen if the user doesn't have an active session.
- When a user completes registration from this page, we should:
  - Establish a SAML link between the user and the group, as we currently do for an existing account,
  - Redirect the user back to the resource they were requesting (e.g. if they attempted to access a project and got redirected to the SSO page, redirect them back to the project they wanted after they've registered).
In a future iteration, we should assign them a username so new user registration in the SSO flow becomes 1-click.
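The two post-registration steps in the proposal, sketched as an added example (this is not GitLab's code). The class, field names, the in-memory link store, the `'saml'` provider label and the rule that one SAML identity maps to one user per group are all assumptions made for illustration; the point is that the "redirect back" target is accepted only when it is a same-site relative path.

```ruby
require 'uri'

# Hypothetical model of the link between a user and a group's SAML identity.
SamlLink = Struct.new(:user_id, :group_id, :provider, :extern_uid)

class SsoRegistrationFlow
  attr_reader :links

  def initialize(group_id:, default_path:)
    @group_id = group_id
    @default_path = default_path # fallback when the stored target is unusable
    @links = []                  # stands in for a database table
  end

  # Accept only a same-site relative path; anything else falls back to the
  # default so the SSO page cannot be used to bounce users to another host.
  def safe_return_path(candidate)
    return @default_path if candidate.nil? || candidate.empty?
    return @default_path unless candidate.start_with?('/')
    return @default_path if candidate.start_with?('//') || candidate.include?('\\')
    return @default_path if candidate.match?(/[\x00-\x1f]/)

    uri = URI.parse(candidate)
    uri.scheme || uri.host ? @default_path : candidate
  rescue URI::InvalidURIError
    @default_path
  end

  # Called once registration succeeds: create the SAML link, then return the
  # path to redirect to. Assumption: one SAML identity maps to one user per group.
  def complete(user_id:, saml_name_id:, requested_path:)
    existing = @links.find { |l| l.group_id == @group_id && l.extern_uid == saml_name_id }
    if existing && existing.user_id != user_id
      raise ArgumentError, 'SAML identity already linked to another user'
    end

    @links << SamlLink.new(user_id, @group_id, 'saml', saml_name_id) unless existing
    safe_return_path(requested_path)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values.
  flow = SsoRegistrationFlow.new(group_id: 7, default_path: '/groups/example')
  puts flow.complete(user_id: 1, saml_name_id: 'alice@idp.example',
                     requested_path: '/example/project')
  puts flow.safe_return_path('https://other.example/')
end
```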