diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md index 5a56860362386d1c0e635fcdaaf38ce457858c30..d056839c1673693f84946b6ca09fed35c1ae25aa 100644 --- a/doc/user/group/saml_sso/index.md +++ b/doc/user/group/saml_sso/index.md @@ -513,7 +513,7 @@ Alternatively, the SAML response may be missing the `InResponseTo` attribute in The identity provider administrator should ensure that the login is initiated by the service provider and not the identity provider. -### Message: "Login to a GitLab account to link with your SAML identity" +### Message: "Sign in to GitLab to connect your organization's account" A user can see this message when they are trying to [manually link SAML to their existing GitLab.com account](#linking-saml-to-your-existing-gitlabcom-account). diff --git a/ee/app/controllers/groups/omniauth_callbacks_controller.rb b/ee/app/controllers/groups/omniauth_callbacks_controller.rb index 2920bff556db90316d94a759bc9f05b11b4002ee..4156ab02e9fa2556e05e1ef84152274691bd32fb 100644 --- a/ee/app/controllers/groups/omniauth_callbacks_controller.rb +++ b/ee/app/controllers/groups/omniauth_callbacks_controller.rb @@ -31,7 +31,7 @@ def link_identity(identity_linker) override :redirect_identity_linked def redirect_identity_linked - flash[:notice] = "SAML for #{@unauthenticated_group.name} was added to your connected accounts" + flash[:notice] = s_("SAML|Your organization's SSO has been connected to your GitLab account") redirect_to after_sign_in_path_for(current_user) end @@ -116,7 +116,7 @@ def fail_login(user) end def redirect_to_login_or_register - notice = "Login to a GitLab account to link with your SAML identity" + notice = s_("SAML|Sign in to GitLab to connect your organization's account") after_gitlab_sign_in = sso_group_saml_providers_path(@unauthenticated_group) 
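Review bot: The new success notice in `redirect_identity_linked` no longer names the group whose SAML provider was just linked, because `@unauthenticated_group.name` is replaced by the generic "your organization". A user who belongs to several SSO-enabled groups, or who entered the link flow from a group page they did not expect, gets no confirmation of which group now controls sign-in for the account. Consider keeping the name as a placeholder, e.g. `flash[:notice] = s_("SAML|SSO for %{group_name} has been connected to your GitLab account") % { group_name: @unauthenticated_group.name }`, with the matching `locale/gitlab.pot` entry and spec expectations updated.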
diff --git a/ee/app/controllers/groups/sso_controller.rb b/ee/app/controllers/groups/sso_controller.rb
index bb94aaa6262446d990f8b22fabaaeb1862253c6d..bd73141f762088e7d7593f3ec3ce4bee69fe5335 100644
--- a/ee/app/controllers/groups/sso_controller.rb
+++ b/ee/app/controllers/groups/sso_controller.rb
@@ -23,7 +23,6 @@ def saml
 @group_path = unauthenticated_group.path
 @group_name = unauthenticated_group.full_name
 @group_saml_identity = linked_identity
- @idp_url = unauthenticated_group.saml_provider.sso_url
 @auto_redirect_to_provider = current_user&.group_sso?(unauthenticated_group)
 render layout: 'devise_empty' if @auto_redirect_to_provider
diff --git a/ee/app/views/groups/sso/saml.html.haml b/ee/app/views/groups/sso/saml.html.haml
index 1f8731f0bb1a1f2301dcc04379385f461f7b497a..ff3ed6d320b8a1ddb22062120ad4b1d46478fd36 100644
--- a/ee/app/views/groups/sso/saml.html.haml
+++ b/ee/app/views/groups/sso/saml.html.haml
@@ -11,18 +11,12 @@ .login-body.gl-px-5.gl-pt-5 - if @group_saml_identity || !user_signed_in? %h4.gl-mt-0= _('Sign in to "%{group_name}"') % { group_name: @group_name } + %p= s_('SAML|To access "%{group_name}" you must sign in with your Single Sign-On account, through an external sign-in page.') % { group_name: @group_name } + = saml_link _('Sign in'), @group_path, html_class: 'btn btn-confirm btn-md gl-button btn-block qa-saml-sso-signin-button', redirect: @redirect_path - else - %h4.gl-mt-0= _('Allow "%{group_name}" to sign you in') % { group_name: @group_name } - - %p= _('The "%{group_path}" group allows you to sign in with your Single Sign-On Account') % { group_path: @group_path } - - - if @group_saml_identity || !user_signed_in? - %p= _("This will redirect you to an external sign in page.") - - = saml_link _('Sign in with Single Sign-On'), @group_path, html_class: 'btn btn-confirm btn-md gl-button btn-block qa-saml-sso-signin-button', redirect: @redirect_path - - else + %h4.gl-mt-0= s_('Allow "%{group_name}" to sign you in') % { group_name: @group_name } + %p= s_('SAML|The "%{group_path}" group allows you to sign in with your Single Sign-On Account.') % { group_path: @group_path } = render Pajamas::AlertComponent.new(variant: :warning, dismissible: false, alert_options: { class: 'gl-mb-5 gl-word-break-word' }) do |c| = c.body do - = _("Only proceed if you trust %{idp_url} to control your GitLab account sign in.") % { idp_url: @idp_url } - + = s_('SAML|Selecting "Authorize" will transfer ownership of your GitLab account "%{username}" (%{email}) to your organization.') % { username: current_user.username, email: current_user.email } = saml_link _('Authorize'), @group_path, html_class: 'btn btn-confirm btn-md gl-button btn-block qa-saml-sso-signin-button' 
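Review bot: The rewritten alert in the `- else` branch tells the signed-in user which account is being handed over but not to whom. The old text showed `@idp_url`, while the new one says only "your organization", and the controller no longer sets `@idp_url`. This screen is the consent step before an external identity provider gains control of sign-in, so the alert itself should name the receiving party, for example by ending the string with `to "%{group_name}".` and adding `group_name: @group_name` to the interpolation hash, or by keeping the IdP host next to it. Separately, `s_('Allow "%{group_name}" to sign you in')` carries no namespace prefix, so `_(...)` (or a `SAML|` prefix with a `gitlab.pot` entry) would be consistent with the other strings in this view.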
diff --git a/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb b/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
index e93da0194becd75421d16d4bfbf4034271fab8c8..97ac6f2fcf1d0f84d0f6b534a2e144b888e4cfec 100644
--- a/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
+++ b/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
@@ -145,7 +145,7 @@ def stub_last_request_id(id)
 it "displays a flash message verifying group sign in" do
 post provider, params: { group_id: group }
- expect(flash[:notice]).to eq('Login to a GitLab account to link with your SAML identity')
+ expect(flash[:notice]).to eq(s_("SAML|Sign in to GitLab to connect your organization's account"))
 end
 it 'does not add linked identity' do
@@ -213,7 +213,7 @@ def stub_last_request_id(id)
 it "displays a flash indicating the account has been linked" do
 post provider, params: { group_id: group }
- expect(flash[:notice]).to match(/SAML for .* was added/)
+ expect(flash[:notice]).to eq(s_("SAML|Your organization's SSO has been connected to your GitLab account"))
 end
 it 'logs group audit event for being added to the group' do
@@ -268,7 +268,7 @@ def stub_last_request_id(id)
 post provider, params: { group_id: group }
 expect(response).to redirect_to(new_user_session_path)
- expect(flash[:notice]).to start_with("Login to a GitLab account to link with your SAML identity")
+ expect(flash[:notice]).to eq(s_("SAML|Sign in to GitLab to connect your organization's account"))
 end
 end
diff --git a/ee/spec/features/groups/saml_enforcement_spec.rb b/ee/spec/features/groups/saml_enforcement_spec.rb
index a870ae52a98c89fd5d6b207d5452db69943e2a1a..2b1e6b468bb68299b3dc6d48cbe1ee9f333eceb8 100644
--- a/ee/spec/features/groups/saml_enforcement_spec.rb
+++ b/ee/spec/features/groups/saml_enforcement_spec.rb
@@ -109,7 +109,7 @@ it 'shows loading screen and link used for auto-redirect' do visit group_path(group) - click_link 'Sign in with Single Sign-On' + click_link 'Sign in' days_after_timeout = Gitlab::Auth::GroupSaml::SsoEnforcer::DEFAULT_SESSION_TIMEOUT + 2.days travel_to(days_after_timeout.from_now) do @@ -129,7 +129,7 @@ expect(current_url).to include("redirect=#{CGI.escape(resource_path)}") - click_link 'Sign in with Single Sign-On' + click_link 'Sign in' # Capybara's have_current_path matcher checks the path and query string expect(page).to have_current_path(resource_path) diff --git a/ee/spec/features/groups/saml_providers_spec.rb b/ee/spec/features/groups/saml_providers_spec.rb index c21eb1f728fbc7a5a13b3e5f334ff99200fa6268..41a88f8842d81c39388cf7f5409b1a6147c28f79 100644 --- a/ee/spec/features/groups/saml_providers_spec.rb +++ b/ee/spec/features/groups/saml_providers_spec.rb @@ -227,7 +227,6 @@ def stub_saml_config expect(page).to have_content('SAML SSO') expect(page).to have_content("Sign in to \"#{group.full_name}\"") - expect(page).to have_content('Sign in with Single Sign-On') end end @@ -240,7 +239,6 @@ def stub_saml_config visit sso_group_saml_providers_path(group) expect(page).to have_content(/Allow .* to sign you in/) - expect(page).to have_content(saml_provider.sso_url) expect(page).to have_content('Authorize') end @@ -251,7 +249,7 @@ def stub_saml_config click_link 'Authorize' - expect(page).to have_content(/SAML for .* was added to your connected accounts/) + expect(page).to have_content("Your organization's SSO has been connected to your GitLab account") expect(user.identities.last.extern_uid).to eq external_uid end @@ -282,7 +280,7 @@ def stub_saml_config it 'warns user that their account is locked' do visit sso_group_saml_providers_path(group) - click_link 'Sign in with Single Sign-On' + click_link 'Sign in' expect(page).to have_content('Your account is locked.') end 
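Review bot: In the `@@ -240` hunk of `saml_providers_spec.rb`, the `have_content(saml_provider.sso_url)` expectation is removed without an assertion for the warning that replaces it. Nothing in this feature spec then checks that the account-transfer notice is rendered before the user clicks `Authorize`. Add something like `expect(page).to have_content("will transfer ownership of your GitLab account \"#{user.username}\" (#{user.email})")`, assuming `user` is the signed-in user in this context, as the later `user.identities.last.extern_uid` assertion suggests. The enclosing example begins above the hunk.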
@@ -295,7 +293,7 @@ def stub_saml_config it 'warns user their account is locked' do visit sso_group_saml_providers_path(group) - click_link 'Sign in with Single Sign-On' + click_link 'Sign in' expect(page).to have_content('Your account is locked.') expect(page).to have_current_path sso_group_saml_providers_path(group), ignore_query: true diff --git a/ee/spec/features/users/login_spec.rb b/ee/spec/features/users/login_spec.rb index 7f0c02e6227e22f7310a0d1c453b5b2137e947c9..067925b5341681a5dbd23293181ccc071d5b941f 100644 --- a/ee/spec/features/users/login_spec.rb +++ b/ee/spec/features/users/login_spec.rb @@ -222,7 +222,7 @@ it 'shows U2F prompt after SAML' do visit sso_group_saml_providers_path(group, token: group.saml_discovery_token) - click_link 'Sign in with Single Sign-On' + click_link 'Sign in' expect(page).to have_content('Trying to communicate with your device') expect(page).to have_link('Sign in via 2FA code') @@ -243,7 +243,7 @@ it 'shows WebAuthn prompt after SAML' do visit sso_group_saml_providers_path(group, token: group.saml_discovery_token) - click_link 'Sign in with Single Sign-On' + click_link 'Sign in' # Mock the webauthn procedure to neither reject or resolve, just do nothing # Using the built-in credentials.get functionality would result in an SecurityError diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 526e30a794c11e1587662da54a9554205e26efa3..b97c4e6ec289d3af884ceab23f6375b75f9f02dd 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot 
@@ -33481,6 +33481,21 @@ msgstr "" msgid "SAML for %{group_name}" msgstr "" +msgid "SAML|Selecting \"Authorize\" will transfer ownership of your GitLab account \"%{username}\" (%{email}) to your organization." +msgstr "" + +msgid "SAML|Sign in to GitLab to connect your organization's account" +msgstr "" + +msgid "SAML|The \"%{group_path}\" group allows you to sign in with your Single Sign-On Account." +msgstr "" + +msgid "SAML|To access \"%{group_name}\" you must sign in with your Single Sign-On account, through an external sign-in page." +msgstr "" + +msgid "SAML|Your organization's SSO has been connected to your GitLab account" +msgstr "" + msgid "SAST Configuration" msgstr "" @@ -38180,9 +38195,6 @@ msgstr "" msgid "That's it, well done!" msgstr "" -msgid "The \"%{group_path}\" group allows you to sign in with your Single Sign-On Account" -msgstr "" - msgid "The %{link_start}true-up model%{link_end} allows having more users, and additional users will incur a retroactive charge on renewal." msgstr "" @@ -39653,9 +39665,6 @@ msgstr "" msgid "This will invalidate your registered applications and U2F devices." msgstr "" -msgid "This will redirect you to an external sign in page." -msgstr "" - msgid "This will remove the fork relationship between this project and %{fork_source}." msgstr "" diff --git a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_new_account_spec.rb b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_new_account_spec.rb index 038fd7cf0a5357af620616b6399bbf22a6b39629..d2b6fb59f2730ecd0c83124f21efa9363613c67e 100644 --- a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_new_account_spec.rb +++ b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_new_account_spec.rb 
@@ -72,7 +72,7 @@ module QA
 Flow::Saml.login_to_idp_if_required(idp_user.username, idp_user.password)
- expect(page).to have_text("Login to a GitLab account to link with your SAML identity")
+ expect(page).to have_text("Sign in to GitLab to connect your organization's account")
 Flow::Saml.logout_from_idp(saml_idp_service)
diff --git a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_non_enforced_sso_spec.rb b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_non_enforced_sso_spec.rb
index 08d23fc3e8439790cde20374223ba8f4662885b6..c4e9869769aa4a6b9cb1120858c9aaf745721b24 100644
--- a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_non_enforced_sso_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_non_enforced_sso_spec.rb
@@ -39,7 +39,7 @@ module QA
 EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
 Flow::Saml.login_to_idp_if_required('user3', 'user3pass')
- expect(page).to have_content("SAML for #{@group.path} was added to your connected accounts")
+ expect(page).to have_content("Your organization's SSO has been connected to your GitLab account")
 member_details = @group.list_members.find { |item| item['username'] == user.username }
@@ -58,7 +58,7 @@ module QA
 Flow::Saml.login_to_idp_if_required('user1', 'user1pass')
- expect(page).to have_content("SAML for #{@group.path} was added to your connected accounts")
+ expect(page).to have_content("Your organization's SSO has been connected to your GitLab account")
 page.visit managed_group_url