Trigger Microsoft Group Sync on sign-in
What does this MR do and why?
Resolves #414875
When a SAML response includes a Microsoft Azure overage claim, GitLab will enqueue a worker to sync group memberships from Azure. An overage claim will be present whenever a user has more than 150 groups.
Microsoft should never send both a `groups` attribute and a group overage claim, but I wrote this defensively because we would never want both the Microsoft Group Sync worker and the Group SAML Group Sync worker to be triggered. They would have different group details, so one worker may add a membership while the other removes it.
However, we also still want to ensure we're enqueuing the Group SAML Group Sync worker if the SAML response (auth hash) contains neither a `groups` attribute nor a group overage claim; otherwise it's a security issue, because memberships that should be removed would be silently retained. All of this works and should be well tested here.
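The dispatch rule described above, as an added example rather than code from this MR or from GitLab: given the SAML attributes, pick exactly one worker to enqueue, so the two syncs can never both run. The worker names are hypothetical stand-ins, the attribute name for the Azure AD overage claim (`http://schemas.microsoft.com/claims/groups.link`) is the one Microsoft documents for SAML, and the choice to let the Microsoft sync take precedence when both are present is an assumption, since the MR text does not say which should win.

```ruby
# Added example (not GitLab's code): choose which group-sync worker to enqueue
# from the SAML attributes in the auth hash. Exactly one worker is ever chosen.
module GroupSyncDispatcher
  # Attribute Azure AD sends instead of a full 'groups' list once a user is in
  # more than 150 groups (the "overage" claim).
  MICROSOFT_OVERAGE_CLAIM = 'http://schemas.microsoft.com/claims/groups.link'

  # attributes: Hash of SAML attribute name => value or Array of values.
  # groups_attribute: the configured attribute carrying group names.
  # Returns :microsoft_group_sync or :group_saml_group_sync (hypothetical names).
  def self.decide(attributes, groups_attribute: 'groups')
    overage = present_values(attributes[MICROSOFT_OVERAGE_CLAIM])
    groups  = present_values(attributes[groups_attribute])

    if !overage.empty?
      # Overage claim present: the groups list (if any) is not authoritative,
      # so memberships are fetched from Azure. Assumption: the Microsoft sync
      # wins even when a 'groups' attribute was defensively also sent.
      :microsoft_group_sync
    else
      # No overage claim: run the standard SAML sync, even when `groups` is
      # empty or absent, so memberships the IdP no longer asserts are removed
      # rather than kept around.
      :group_saml_group_sync
    end
  end

  # Returns the list of workers to enqueue; its length is always 1.
  def self.workers_for(attributes, **opts)
    [decide(attributes, **opts)]
  end

  def self.present_values(value)
    Array(value).map(&:to_s).reject(&:empty?)
  end
  private_class_method :present_values
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample auth-hash attributes covering the three cases.
  [{ 'groups' => %w[dev ops] },
   { GroupSyncDispatcher::MICROSOFT_OVERAGE_CLAIM => ['https://graph.example/overage'] },
   {}].each { |attrs| puts "#{attrs.keys.inspect} => #{GroupSyncDispatcher.decide(attrs)}" }
end
```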
Screenshots or screen recordings
How to set up and validate locally
Unfortunately, at the moment this is quite difficult to test. As a final MR for this epic I will include documentation for end users, which can also be used by our team to do local testing. For now, trust the specs.
MR acceptance checklist
- I have evaluated the MR acceptance checklist for this MR.