
SAML SSO support for session timeout attribute

Release notes

Problem to solve

GitLab should be aware of and honor session expiration times that are set in an IdP.

Intended users

User experience goal

Proposal

Some IdPs allow setting session time policies, and that information is sent in a SAML attribute, "SessionNotOnOrAfter". GitLab should honor it, and if we reach that time, check with the IdP to see if the user is still authorized. This shouldn't be a configuration toggle. If we find a value in this attribute, then we can save it and reference it.

Further details

Providers that support the "SessionNotOnOrAfter" attribute:

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by 🤖 GitLab Bot 🤖
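A sketch of the behavior the proposal describes, added here as an illustration and not taken from GitLab's code base: read `SessionNotOnOrAfter` from the `AuthnStatement` of a SAML response, store it, and later decide whether the user must be sent back to the IdP. The function names `idp_session_expiry` and `session_action`, the 60-second clock-skew allowance, and the sample response are assumptions; the code also assumes the response signature and conditions were already validated.

```ruby
require 'rexml/document'
require 'time'

SAML_NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion'
}.freeze

# Constructed sample: a trimmed SAML 2.0 response with signature elements omitted.
SAMPLE_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Assertion>
      <saml:AuthnStatement AuthnInstant="2024-05-01T09:00:00Z"
                           SessionIndex="_constructed-session-1"
                           SessionNotOnOrAfter="2024-05-01T17:00:00Z"/>
    </saml:Assertion>
  </samlp:Response>
XML

# Hypothetical helper: returns the earliest SessionNotOnOrAfter as a UTC Time,
# or nil when the IdP did not send one. An absolute path is used so that only
# AuthnStatements directly under the response's assertions are considered.
# A malformed timestamp raises ArgumentError, which fails the login closed.
def idp_session_expiry(xml)
  doc = REXML::Document.new(xml)
  path = '/samlp:Response/saml:Assertion/saml:AuthnStatement'
  REXML::XPath.match(doc, path, SAML_NS)
              .map { |stmt| stmt.attributes['SessionNotOnOrAfter'] }
              .compact
              .map { |value| Time.iso8601(value).utc }
              .min
end

# Hypothetical helper: what to do with a session given the stored IdP expiry.
# skew is the tolerated clock drift in seconds (assumed value).
def session_action(idp_expiry, now, skew: 60)
  return :local_policy if idp_expiry.nil? # no IdP limit: local timeout applies
  now >= idp_expiry + skew ? :reauthenticate : :active
end

if __FILE__ == $PROGRAM_NAME
  expiry = idp_session_expiry(SAMPLE_RESPONSE)
  puts "IdP session ends at #{expiry.iso8601}"
  puts session_action(expiry, Time.utc(2024, 5, 1, 18, 0, 0))
end
```

Because the value is optional in SAML 2.0, the `nil` branch matters: a response without it must fall back to the application's own session policy and must not be treated as an unlimited session.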