
Allow groups to disable password authentication for enterprise users

Bogdan Denkovych requested to merge bdenkovych-issue-373718 into master

What does this MR do and why?

In 2021, we started to implement (!59673 (merged), !60912 (merged)) the feature to disable password authentication for enterprise users. However, the existing implementation is incomplete and now outdated, since the enterprise user definition was changed by &9675 (closed). That implementation is also disabled behind the block_password_auth_for_saml_users feature flag.

This MR reimplements the feature by adding a top-level group setting to disable password authentication for enterprise users, considering the following requirements:

  • Add this setting to group SAML Single Sign On Settings since SAML SSO is required to be configured to disable password authentication [#373718 (comment 1591755776), #373718 (comment 1599434669), #373718 (comment 1599631826)]
  • This setting should be disabled by default to not cause disruption to existing organizations' workflows. They should decide when and whether they want to use this feature for their organization
  • Disabling SAML SSO should re-enable password authentication for enterprise users if it was disabled, because otherwise they would no longer be able to sign in to their account in that case
  • This setting should only apply to the group's enterprise users
  • Allow the group's IdP to automatically link SAML to the group's enterprise users [#373718 (comment 2026203706)]
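The requirements above amount to a single access rule: password sign-in is blocked only for an enterprise user whose group has group SAML SSO enabled and the new setting turned on, and turning SAML SSO off re-opens password sign-in. The following Ruby model is an added illustration of that rule, not GitLab's code: the structs, the `password_authentication_allowed?` method and the sample users are assumptions that mirror the column added by this MR's migration (saml_providers.disable_password_authentication_for_enterprise_users).

```ruby
# Added illustrative model of the access rule described in this MR's requirements.
# Not GitLab's code: the structs and methods below are assumptions that mirror the
# setting added by the migration (saml_providers.disable_password_authentication_for_enterprise_users).

SamlProvider = Struct.new(:enabled, :disable_password_authentication_for_enterprise_users,
                          keyword_init: true)
Group        = Struct.new(:name, :saml_provider, keyword_init: true)
User         = Struct.new(:username, :enterprise_group, keyword_init: true)

# Returns true when the user may sign in with username and password.
# Password authentication is blocked only when every condition holds:
#   1. the user is an enterprise user of some top-level group,
#   2. that group has group SAML SSO configured and enabled, and
#   3. the group's setting to disable password authentication is on.
# Disabling SAML SSO (condition 2) therefore re-enables password sign-in,
# which matches the requirement that enterprise users are never locked out.
def password_authentication_allowed?(user)
  group = user.enterprise_group
  return true if group.nil?                           # not an enterprise user

  provider = group.saml_provider
  return true if provider.nil? || !provider.enabled   # no (enabled) group SAML SSO

  !provider.disable_password_authentication_for_enterprise_users
end

# Constructed sample data covering each branch of the rule (not real accounts).
def sample_users
  locked  = SamlProvider.new(enabled: true,  disable_password_authentication_for_enterprise_users: true)
  default = SamlProvider.new(enabled: true,  disable_password_authentication_for_enterprise_users: false)
  sso_off = SamlProvider.new(enabled: false, disable_password_authentication_for_enterprise_users: true)

  {
    'regular'          => User.new(username: 'regular', enterprise_group: nil),
    'ent_no_saml'      => User.new(username: 'e1', enterprise_group: Group.new(name: 'g1', saml_provider: nil)),
    'ent_default'      => User.new(username: 'e2', enterprise_group: Group.new(name: 'g2', saml_provider: default)),
    'ent_locked'       => User.new(username: 'e3', enterprise_group: Group.new(name: 'g3', saml_provider: locked)),
    'ent_sso_disabled' => User.new(username: 'e4', enterprise_group: Group.new(name: 'g4', saml_provider: sso_off))
  }
end

# Maps each sample user to whether password sign-in is allowed.
def password_auth_report
  sample_users.transform_values { |u| password_authentication_allowed?(u) }
end

if __FILE__ == $PROGRAM_NAME
  password_auth_report.each do |name, allowed|
    puts format('%-18s password sign-in %s', name, allowed ? 'allowed' : 'blocked')
  end
end
```

Only `ent_locked` ends up blocked; the setting being on by itself (`ent_sso_disabled`) changes nothing once SAML SSO is off, which is the lock-out safeguard from the third requirement. The model deliberately leaves out the SAML identity linking described in the last requirement, since that concerns the SSO path rather than the password path.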

Related to #373718 (closed)

The rest of unused-old-implementation will be deleted by a follow-up MR: !160850 (merged)

DB migration

bin/rails db:migrate RAILS_ENV=test
main: == [advisory_lock_connection] object_id: 131780, pg_backend_pid: 11009
main: == 20240813095256 AddDisablePasswordAuthenticationForEnterpriseUsersToSamlProviders: migrating
main: -- add_column(:saml_providers, :disable_password_authentication_for_enterprise_users, :boolean, {:default=>false})
main:    -> 0.0094s
main: == 20240813095256 AddDisablePasswordAuthenticationForEnterpriseUsersToSamlProviders: migrated (0.0350s)

main: == [advisory_lock_connection] object_id: 131780, pg_backend_pid: 11009
ci: == [advisory_lock_connection] object_id: 132020, pg_backend_pid: 11011
ci: == 20240813095256 AddDisablePasswordAuthenticationForEnterpriseUsersToSamlProviders: migrating
ci: -- add_column(:saml_providers, :disable_password_authentication_for_enterprise_users, :boolean, {:default=>false})
ci:    -> 0.0055s
ci: == 20240813095256 AddDisablePasswordAuthenticationForEnterpriseUsersToSamlProviders: migrated (0.0328s)

ci: == [advisory_lock_connection] object_id: 132020, pg_backend_pid: 11011
bin/rails db:migrate:down:main VERSION=20240813095256 RAILS_ENV=test
main: == [advisory_lock_connection] object_id: 117760, pg_backend_pid: 11807
main: == 20240813095256 AddDisablePasswordAuthenticationForEnterpriseUsersToSamlProviders: reverting
main: -- remove_column(:saml_providers, :disable_password_authentication_for_enterprise_users, :boolean, {:default=>false})
main:    -> 0.0026s
main: == 20240813095256 AddDisablePasswordAuthenticationForEnterpriseUsersToSamlProviders: reverted (0.0196s)

main: == [advisory_lock_connection] object_id: 117760, pg_backend_pid: 11807
bin/rails db:migrate:down:ci VERSION=20240813095256 RAILS_ENV=test
ci: == [advisory_lock_connection] object_id: 117180, pg_backend_pid: 12157
ci: == 20240813095256 AddDisablePasswordAuthenticationForEnterpriseUsersToSamlProviders: reverting
ci: -- remove_column(:saml_providers, :disable_password_authentication_for_enterprise_users, :boolean, {:default=>false})
ci:    -> 0.0026s
ci: == 20240813095256 AddDisablePasswordAuthenticationForEnterpriseUsersToSamlProviders: reverted (0.0199s)

ci: == [advisory_lock_connection] object_id: 117180, pg_backend_pid: 12157

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

How to set up and validate locally

  1. Make sure the GitLab instance simulates SaaS or is a SaaS instance, since Enterprise Users and group SAML SSO are SaaS features
  2. Create a top-level group, then configure and enable SAML authentication for this group.
  3. Configure "Automatic claims of enterprise users". For testing purposes on the local environment you can claim the user manually from the Rails console:
     User.find_by_username('USERNAME').user_detail.update!(enterprise_group_id: GROUP_ID)
  4. Create a user account linked to the group SAML by creating the user via the group's SAML IdP or by linking an existing user account to the group SAML
  5. Create a user account that is not linked to the group SAML by creating the user via the /users/sign_up form
  6. Claim those users as enterprise users of the group, see step 3
  7. Confirm that it is possible to sign in to the enterprise users' accounts by using username and password
  8. Disable password authentication for the group's enterprise users
     • On the left sidebar, select Search or go to and find your group
     • Select Settings > SAML SSO
     • Under Configuration, select Disable password authentication for enterprise users
     • Select Save changes
  9. Confirm that the enterprise user account linked to the group SAML cannot sign in to their account by using username and password
  10. Confirm that the enterprise user account linked to the group SAML can sign in via the group SAML SSO
  11. Confirm that the enterprise user account that is not linked to the group SAML cannot sign in to their account by using username and password
  12. Confirm that the enterprise user account that is not linked to the group SAML can sign in via the group SAML SSO
  13. Update one of the enterprise user's group SAML identity extern_uid to an outdated value (Identity.find_by(user: User.find_by_username('USERNAME'), saml_provider: Group.find(GROUP_ID).saml_provider).update!(extern_uid: 'outdated_extern_uid')) and confirm that the enterprise user can still sign in via the group SAML SSO and that it updates the SAML identity extern_uid to the value the IdP provides
  14. Confirm that those enterprise users can set up 2FA for their accounts (#428696 (closed))
Edited by Bogdan Denkovych
