Validate that SAML requests are originated from gitlab

If the request wasn't initiated by gitlab we shouldn't add the new identity to the user, and instead show that we weren't able to link the identity to the user. This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509
author: Sebastian Arcila Valenzuela <sarcila@gitlab.com> 2019-08-19 16:19:19 +0300
committer: Sebastian Arcila Valenzuela <sarcila@gitlab.com> 2019-09-20 17:53:51 +0300
commit: 2b94f55325c737c6acc6866799a0188abc180cf3 (patch)
tree: e11f76b30d23afee90fbb4deeaf29cb6033b3b85 /changelogs
parent: 2cacd021284f9396360a4ac9ef99cee5b96e4ef2 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-sarcila-verify-saml-request-origin.yml b/changelogs/unreleased/security-sarcila-verify-saml-request-origin.yml
new file mode 100644
index 00000000000..9022bc8a26f
--- /dev/null
+++ b/changelogs/unreleased/security-sarcila-verify-saml-request-origin.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent GitLab accounts takeover if SAML is configured
+merge_request:
+author:
+type: security
author	Sebastian Arcila Valenzuela <sarcila@gitlab.com>	2019-08-19 16:19:19 +0300
committer	Sebastian Arcila Valenzuela <sarcila@gitlab.com>	2019-09-20 17:53:51 +0300
commit	2b94f55325c737c6acc6866799a0188abc180cf3 (patch)
tree	e11f76b30d23afee90fbb4deeaf29cb6033b3b85 /changelogs
parent	2cacd021284f9396360a4ac9ef99cee5b96e4ef2 (diff)