Merge branch 'dblessing-group-audit-events-saml-sso' into 'master'

Group-level audit event for Group SAML SSO

Closes #35710

See merge request gitlab-org/gitlab!28575

doc/administration/audit_events.md

@@ -41,6 +41,7 @@ From there, you can see the following actions:
 - Group created or deleted
 - Group changed visibility
 - User was added to group and with which [permissions]
+- User sign-in via [Group SAML](../user/group/saml_sso/index.md)
 - Permissions changes of a user assigned to a group
 - Removed user from group
 - Project added to group and with which visibility level

ee/app/controllers/groups/omniauth_callbacks_controller.rb

@@ -153,4 +153,10 @@ class Groups::OmniauthCallbacksController < OmniauthCallbacksController
       sso_group_saml_providers_path(group)
     end
   end
+
+  override :log_audit_event
+  def log_audit_event(user, options = {})
+    AuditEventService.new(user, @unauthenticated_group, options)
+      .for_authentication.security_event
+  end
 end

ee/changelogs/unreleased/dblessing-group-audit-events-saml-sso.yml

+---
+title: Create group-level audit event for Group SAML SSO sign in
+merge_request: 28575
+author:
+type: added

ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb

@@ -68,6 +68,16 @@ describe Groups::OmniauthCallbacksController do
         expect(response).to redirect_to('/explore')
       end
 
+      it 'logs group audit event for authentication' do
+        audit_event_service = instance_double(AuditEventService)
+
+        expect(AuditEventService).to receive(:new).with(user, group, with: provider)
+          .and_return(audit_event_service)
+        expect(audit_event_service).to receive_message_chain(:for_authentication, :security_event)
+
+        post provider, params: { group_id: group }
+      end
+
       include_examples 'works with session enforcement'
     end