Don't enforce SSO for public groups
What does this MR do and why?
What was happening before this fix
When SAML SSO is enforced for a root group (Enforce SSO-only authentication for web activity for this group), a user who is not logged in or who is not a member of the group:
- could access public projects within the group, with no SAML enforcement
- could not access public subgroups of the group, because SAML was enforced
This MR unifies the behavior: users who are not members of the group, and users who are not logged in, are able to access both public subgroups and public projects without SAML enforcement.
How to set up and validate locally
- Set up SAML for the instance
- Enable SAML enforcement for a public group
- Create at least one public and one private subgroup in the group, and at least one public project
- Try to access the subgroups and the project with the following users:
- not logged-in user: should be able to access the public subgroup and the public project, with no SAML enforcement
- user who is not a member of the group: should be able to access the public subgroup and the public project, with no SAML enforcement
- developer or maintainer: SAML should be enforced
- owner of the root group: SAML should be enforced for all objects except the root group itself
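The expected access matrix from the validation steps above, written out as a small Ruby model. This is an added example, not GitLab's own policy code: `access_decision` encodes the behavior after this MR, and `access_decision_before_fix` the inconsistency it removes (public subgroups SAML-gated for outsiders, public projects not). The rule that private objects are simply not found for non-members is an assumption about ordinary visibility rules, not something this MR changes, and the behavior of the root group itself for outsiders is not stated in the description, so the model makes no claim about it.

```ruby
# Added example (not GitLab's code): a minimal model of the access decision
# described in this MR, used to spell out the expected matrix in the
# "How to set up and validate locally" steps.

# kind: :root_group, :subgroup or :project; visibility: :public or :private
Resource = Struct.new(:kind, :visibility, keyword_init: true)

# Role of the user relative to the root group. nil means not logged in;
# :non_member is a logged-in user without membership.
MEMBER_ROLES = %i[developer maintainer owner].freeze

# Behavior after the fix. Returns :allowed, :saml_required or :not_found.
def access_decision(role:, resource:, sso_enforced: true)
  member = MEMBER_ROLES.include?(role)

  # Assumption: private objects are invisible to anyone outside the group,
  # independent of SAML enforcement (ordinary visibility rules).
  return :not_found if resource.visibility == :private && !member

  # Outsiders (anonymous or non-member) reach public subgroups and public
  # projects without SAML enforcement; enforcement only applies to members.
  return :allowed unless sso_enforced && member

  # The root group owner keeps access to the root group itself, so the SAML
  # configuration can still be repaired; everything below it is enforced.
  return :allowed if role == :owner && resource.kind == :root_group

  :saml_required
end

# Behavior before the fix, for contrast: public subgroups were SAML-gated for
# outsiders while public projects were not.
def access_decision_before_fix(role:, resource:, sso_enforced: true)
  decision = access_decision(role: role, resource: resource, sso_enforced: sso_enforced)
  outsider = !MEMBER_ROLES.include?(role)
  if decision == :allowed && outsider && resource.kind == :subgroup
    :saml_required
  else
    decision
  end
end

# Every case listed in the validation steps, in one place, so the two
# functions can be compared over the same inputs.
def validation_matrix
  public_subgroup = Resource.new(kind: :subgroup, visibility: :public)
  private_subgroup = Resource.new(kind: :subgroup, visibility: :private)
  public_project = Resource.new(kind: :project, visibility: :public)
  root_group = Resource.new(kind: :root_group, visibility: :public)

  cases = {
    [nil, public_subgroup] => :allowed,
    [nil, public_project] => :allowed,
    [:non_member, public_subgroup] => :allowed,
    [:non_member, public_project] => :allowed,
    [:non_member, private_subgroup] => :not_found,
    [:developer, public_project] => :saml_required,
    [:maintainer, public_subgroup] => :saml_required,
    [:owner, root_group] => :allowed,
    [:owner, public_subgroup] => :saml_required,
    [:owner, public_project] => :saml_required
  }

  cases.map do |(role, resource), expected|
    {
      role: role, resource: resource, expected: expected,
      after: access_decision(role: role, resource: resource),
      before: access_decision_before_fix(role: role, resource: resource)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  validation_matrix.each do |row|
    puts format('%-11s %-10s %-7s before=%-13s after=%s',
                row[:role].inspect, row[:resource].kind, row[:resource].visibility,
                row[:before], row[:after])
  end
end
```

Running the script prints one line per case; the only rows where `before` and `after` differ are the two outsider rows for the public subgroup, which is exactly the inconsistency this MR removes.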
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #386920 (closed)
Edited by Jarka Košanová