Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1556-modify-authentication-process

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the gitlab integration.

Goal

Detects when SAML Single Sign-On (SSO) enforcement is disabled for a GitLab group. Disabling SSO enforcement removes authentication controls and may indicate unauthorized access or persistence attempts.

Strategy

This rule monitors GitLab audit events for true to false configuration changes related to SSO, specifically “Group SAML SSO configuration changed: enforced_sso changed from true to false”. SAML SSO enforcement ensures group members authenticate through the organization’s identity provider before accessing GitLab resources. When this enforcement is disabled, users can potentially bypass centralized authentication controls, creating security gaps that attackers may exploit for persistence or to maintain access after initial compromise.

Triage & Response

• Verify if {{@usr.name}} has legitimate administrative authority to modify SAML SSO settings for the affected GitLab group.
• Review the timing of the SSO configuration change to determine if it correlates with any suspicious authentication or access patterns.
• Examine recent authentication logs for the affected group to identify any users who may have accessed resources without proper SAML authentication.
• Check if the SSO configuration change was part of an authorized maintenance window or system update.
• Determine if other security configurations for the group were modified around the same time period.