Skip to content

Don't enforce SSO for public groups

Jarka Košanová requested to merge 386920-sso-enforcement into master

What does this MR do and why?

What was happening before this fix

When a SAML is enforced for a root group (Enforce SSO-only authentication for web activity for this group), a non-loged user or a user who is not a member of the group:

  • could access public projects within the group, no SAML enforcement
  • could not access public groups of the group, SAML enforced

This MR unifies the behavior: Use who is not a member of the group or a not logged in user are able to access both public subgroups and projects without the SAML enforcement.

How to set up and validate locally

  1. Set-up SAML for the instance
  2. Enable SAML enforcement for a public group
  3. Create at least one public and one private subgroup for the group and and least one public project
  4. Try to access the groups and project with the following users:
  • not-logged in user: should be able to access the public subgroup and public project, no SAML enforcement
  • user who is not a member of the group: should be able to access the public subgroup and public project, no SAML enforcement
  • developer or maintainer: SAML should be enforced
  • owner of the root group: SAML should be enforced for all objects except for the root group

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #386920 (closed)

Edited by Jarka Košanová

Merge request reports

Loading