mattermost / mattermost-plugin-gitlab

GitLab plugin for Mattermost
Apache License 2.0
139 stars 83 forks

allow oauth login direct to group level url instead of gitlab.com #310

Open cforce opened 2 years ago

cforce commented 2 years ago

We have a group on gitlab.com which is secured by SAML. That means if you use the URL "gitlab.com/groups/mycompany" you will be redirected to the company SSO and forced to log in via the company SAML SSO provider. The issue is that if I register with "/gitlab connect" I get a URL created in Mattermost which sends me to gitlab.com instead of gitlab.com/groups/mycompany, and there I only get the standard GitLab auth SSO provider but not the company SSO login redirect. Finally I am not able to log in and, worst case, a user enters secret creds into the public GitLab OAuth provider login form. Is there a way to configure what URL is used on "/gitlab connect" and directly send it to group level? I already configured it to restrict to group mycompany, which did not solve my issue.

nab-77 commented 2 years ago

@mickmister is this an enhancement or bug?

mickmister commented 2 years ago

@cforce Thanks for filing this issue. Are you able to provide a minimal reproducible GitLab config that will help me investigate this further? I'm not sure how to reproduce your environment with SAML and GitLab groups. Also, did you install the OAuth app within the group's applications specifically like https://gitlab.com/groups/mycompany/-/settings/applications, as opposed to https://gitlab.com/-/profile/applications?

@nab-77 At the moment I believe this is not supported. The URL we redirect the user to is an OAuth authorization URL, https://gitlab.com/oauth/authorize. GitLab's OAuth docs don't mention any support for specifying groups: https://docs.gitlab.com/ee/api/oauth2.html. At the moment, I don't see a way to configure this URL to use the SAML authentication.
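
The authorization-code request described in the comment above, as an added example that is not part of the thread or of the plugin's own code. It builds the `<GitLabURL>/oauth/authorize` request with the parameters GitLab's OAuth2 API defines (`client_id`, `redirect_uri`, `response_type`, `scope`, `state`) and validates the callback. Note that the only destination selector is the instance URL itself; there is no parameter for a group, which is why a group-level SAML redirect cannot be requested this way. The client ID, redirect URI and callback values are constructed for the example, not taken from any real configuration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// OAuthConfig holds what a client needs to start GitLab's authorization-code
// flow. The values used in main() are constructed for this example.
type OAuthConfig struct {
	GitLabURL   string   // instance root, e.g. https://gitlab.com
	ClientID    string   // application ID from the GitLab Applications page
	RedirectURI string   // callback registered on that application
	Scopes      []string // e.g. api, read_user
}

// NewState returns a random URL-safe value that ties the callback to the
// session that started the flow (protects against login CSRF).
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeURL builds <GitLabURL>/oauth/authorize with the standard
// authorization-code parameters. GitLab's OAuth2 API defines no parameter
// that selects a group, so the request is always instance-level.
func AuthorizeURL(cfg OAuthConfig, state string) (string, error) {
	base, err := url.Parse(strings.TrimRight(cfg.GitLabURL, "/"))
	if err != nil {
		return "", err
	}
	if base.Scheme != "https" || base.Host == "" {
		return "", fmt.Errorf("GitLab URL must be an absolute https URL, got %q", cfg.GitLabURL)
	}
	if cfg.ClientID == "" || cfg.RedirectURI == "" || state == "" {
		return "", errors.New("client_id, redirect_uri and state are required")
	}
	u := *base
	u.Path = strings.TrimRight(base.Path, "/") + "/oauth/authorize"
	q := url.Values{}
	q.Set("client_id", cfg.ClientID)
	q.Set("redirect_uri", cfg.RedirectURI)
	q.Set("response_type", "code")
	q.Set("state", state)
	if len(cfg.Scopes) > 0 {
		q.Set("scope", strings.Join(cfg.Scopes, " "))
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// VerifyCallback checks the redirect GitLab sends the browser back with:
// an error from the provider is surfaced, the state must match the one issued
// for this session (compared in constant time), and an authorization code
// must be present. It returns the code to be exchanged at /oauth/token.
func VerifyCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization denied: %s (%s)", e, q.Get("error_description"))
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: callback does not belong to this session")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

func main() {
	// Constructed configuration; the redirect URI is an assumed path.
	cfg := OAuthConfig{
		GitLabURL:   "https://gitlab.com",
		ClientID:    "example-application-id",
		RedirectURI: "https://mattermost.example.com/plugins/gitlab/oauth/complete",
		Scopes:      []string{"api", "read_user"},
	}
	state, err := NewState()
	if err != nil {
		panic(err)
	}
	link, err := AuthorizeURL(cfg, state)
	if err != nil {
		panic(err)
	}
	fmt.Println("send the user to:", link)
}
```

The host and path of the generated link are fixed by the configured instance URL; the group in the issue (`gitlab.com/groups/mycompany`) never appears in it, which matches the behaviour the reporter observed.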

fabwamb commented 2 years ago

The application entry exists, and there are no options which can have any impact on the URL that is used to make sure the group SAML IdP is used. Maybe related to https://gitlab.com/gitlab-org/gitlab/-/issues/215155#note_1118714027