Instance level SAML MR Approval
What does this MR do and why?
Enables the SAML provider set at the instance level for the re-authenticated MR approvals feature. Self-managed installs can use their instance-wide SAML setup when users re-authenticate to approve MRs. This feature will still need to be enabled on a group-by-group basis, by enabling the appropriate merge request setting ("require re-authentication to approve").
- Refs: #431415 (closed)
Note this is behind feature flag: ff_require_saml_auth_to_approve
How to set up and validate locally

```yaml
# Add SAML config to config/gitlab.yml
omniauth:
  providers:
    - { name: 'saml',
        label: 'Our SAML Provider',
        groups_attribute: 'Groups',
        external_groups: ['Contractors', 'Freelancers'],
        args: {
          assertion_consumer_service_url: 'https://gdk.test:3444/users/auth/saml/callback',
          idp_cert_fingerprint: '119b9e027959cdb7c662cfd075d9e2ef384e445f',
          idp_sso_target_url: 'https://gdk.test:8443/simplesaml/saml2/idp/SSOService.php',
          issuer: 'https://gdk.test:3444',
          name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
          idp_sso_service_url_runtime_params: { redirect_to: 'RelayState' }
        } }
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Follow up items can be posted as comments on Follow up on instance level SAML SSO auth for M... (#435404 - closed) • Sam Figueroa • 16.9. @nrosandich will create separate issues from them later.

Edited by Sam Figueroa
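An added example, not part of this MR or of GitLab's code: a Ruby check of the SAML provider entry from the local setup step, run before trying the re-authenticated approval flow. The function name `saml_config_problems` and the rules it enforces (https URLs, the callback path, a 40-hex-digit fingerprint, a non-empty issuer) are assumptions for a local GDK setup.

```ruby
require 'yaml'
require 'uri'

# Added example: sanity checks for a local omniauth SAML provider entry.
# The rules are assumptions for a GDK-style setup, not GitLab's own validation.
CALLBACK_PATH = '/users/auth/saml/callback' # path used in the config on this page

# Returns a list of problems found in the 'saml' provider entry (empty when none).
def saml_config_problems(yaml_text)
  config = YAML.safe_load(yaml_text)
  entries = Array(config.dig('omniauth', 'providers'))
  provider = entries.find { |entry| entry['name'] == 'saml' }
  return ["no provider named 'saml'"] unless provider

  args = provider['args'] || {}
  problems = []

  acs = URI.parse(args['assertion_consumer_service_url'].to_s)
  idp = URI.parse(args['idp_sso_target_url'].to_s)
  problems << 'assertion_consumer_service_url must be https' unless acs.scheme == 'https'
  problems << 'idp_sso_target_url must be https' unless idp.scheme == 'https'
  unless acs.path == CALLBACK_PATH
    problems << "assertion_consumer_service_url must end in #{CALLBACK_PATH}"
  end

  # The fingerprint is expected as 40 hex digits (SHA-1); colons are optional.
  fingerprint = args['idp_cert_fingerprint'].to_s.delete(':')
  unless fingerprint.match?(/\A\h{40}\z/)
    problems << 'idp_cert_fingerprint is not a 40-hex-digit SHA-1 fingerprint'
  end

  problems << 'issuer is missing' if args['issuer'].to_s.empty?
  problems
end

# Constructed sample input: the values from the config on this page, in block style.
GOOD = <<~CONFIG
  omniauth:
    providers:
      - name: 'saml'
        args:
          assertion_consumer_service_url: 'https://gdk.test:3444/users/auth/saml/callback'
          idp_cert_fingerprint: '119b9e027959cdb7c662cfd075d9e2ef384e445f'
          idp_sso_target_url: 'https://gdk.test:8443/simplesaml/saml2/idp/SSOService.php'
          issuer: 'https://gdk.test:3444'
CONFIG
# Constructed broken variant: plain-http callback URL and a truncated fingerprint.
BAD = GOOD.sub('https://gdk.test:3444/users', 'http://gdk.test:3444/users').sub('119b9e', '119b')

puts saml_config_problems(GOOD).inspect
puts saml_config_problems(BAD).inspect
```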