Allow recovery key use for SSO-enabled GitLab.com groups
Description
If SSO enforcement is enabled, the identity provider becomes a critical path for being able to sign-in and maintain/configure the group. If a group owner enables this option and cannot sign-in (identity provider configuration malformed, identity provider is down, etc), the group becomes unusable until recovered by Support.
When enabling SSO enforcement, we should give the user enabling it a recovery mechanism in the event of SSO failure. This could be a recovery key (used as a URL parameter?).
Proposal
- A group Owner should be able to generate a set of recovery codes for a group.
- A group Owner should be able to use a code to regain access to recover the group (by accessing the group, including the settings page, for a limited amount of time).
Edited by Jeremy Watson (ex-GitLab)