Allow the auto_sign_in parameter to be ignored by changing a setting in the gitlab.rb

Problem to solve

We want to FORCE users to use SAML SSO, but retain the ability to fall back to local auth in the event that our SSO provider is down. If we use the setting in the GUI to disable password logins, there is no way to revert it when the provider is down. Therefore, we are requesting that a switch be placed in the gitlab.rb config file that would allow this to be toggled. This way, the setting can be changed via SSH and a reconfigure instead of requiring a login to the GUI to get to the settings pages. We force auto_sign_in, but if a user passes the parameter from the browser with a false value, they are allowed to log in with a local user/password. This workaround is what we want to be able to toggle on and off from the config file.

Intended users

This change is relevant to any organization using SAML authentication who wishes to enforce logins only through their SSO provider while retaining an emergency fallback option that doesn't leave the door open.

Further details

This is intended to increase the security of GitLab (requiring SSO rather than allowing a local username/password override to exist), while still giving administrators an emergency fallback option in the event of an outage. Importantly, using the fallback requires active changes to the gitlab config file (and a reconfigure run).

Proposal

Ideally, whatever is changed by the GUI setting that disables password login should be exposed in the gitlab.rb config file. Alternatively, or possibly in addition, a switch in the gitlab.rb that causes the auto_sign_in=false check to be ignored (source for this check: https://gitlab.com/gitlab-org/gitlab-ee/blob/master/app/controllers/sessions_controller.rb#L175). I am open to both solutions if GL support is guaranteeing that the latter change is all that is required to ensure users are only authenticated via the SSO provider when this variable is ignored.
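To make the proposal concrete, here is an added example (not GitLab's code, and not the sessions_controller.rb logic linked above) that models the sign-in decision with two hypothetical gitlab.rb-style switches. The names password_auth_enabled_for_web and honor_auto_sign_in_override, the SignInPolicy class and the gitlab.example host are all assumptions for illustration. The point it shows is that the break-glass path is controlled by a value an admin can only change on the server and apply with a reconfigure, while the browser parameter auto_sign_in=false on its own does nothing in the locked-down configuration.

```ruby
# Added example, not GitLab's code. It models the sign-in decision from the
# issue with two hypothetical gitlab.rb-style switches that an admin can only
# change on the server (followed by a reconfigure), never from the browser:
#   password_auth_enabled_for_web - is the local username/password form available at all?
#   honor_auto_sign_in_override   - may ?auto_sign_in=false bypass the SSO redirect?
require 'uri'
require 'cgi'

class SignInPolicy
  attr_reader :provider, :password_auth_enabled_for_web, :honor_auto_sign_in_override

  def initialize(auto_sign_in_with_provider:, password_auth_enabled_for_web:, honor_auto_sign_in_override:)
    @provider = auto_sign_in_with_provider # e.g. 'saml', or nil when not configured
    @password_auth_enabled_for_web = password_auth_enabled_for_web
    @honor_auto_sign_in_override = honor_auto_sign_in_override
  end

  # Decide what the sign-in page does for a given request URL.
  # Returns :redirect_to_provider or :show_local_login.
  def decide(request_url)
    query = URI.parse(request_url).query.to_s
    override_requested = Array(CGI.parse(query)['auto_sign_in']).first == 'false'

    # Hard rule: with local password auth switched off in the config file,
    # nothing sent from the browser can bring the local form back.
    return :redirect_to_provider unless password_auth_enabled_for_web

    # No provider configured: the only option is the local form.
    return :show_local_login if provider.nil? || provider.empty?

    # Break-glass path: the parameter is honoured only when the config file says so.
    if override_requested && honor_auto_sign_in_override
      :show_local_login
    else
      :redirect_to_provider
    end
  end
end

# Config during normal operation (constructed values): SSO is forced and the
# auto_sign_in=false workaround is ignored.
LOCKED_DOWN = SignInPolicy.new(
  auto_sign_in_with_provider: 'saml',
  password_auth_enabled_for_web: true,
  honor_auto_sign_in_override: false
)

# Config after an admin edits gitlab.rb during an SSO outage and reconfigures.
EMERGENCY = SignInPolicy.new(
  auto_sign_in_with_provider: 'saml',
  password_auth_enabled_for_web: true,
  honor_auto_sign_in_override: true
)

# Config with local password login disabled outright; the override switch is irrelevant.
NO_PASSWORD = SignInPolicy.new(
  auto_sign_in_with_provider: 'saml',
  password_auth_enabled_for_web: false,
  honor_auto_sign_in_override: true
)

SIGN_IN_URL = 'https://gitlab.example/users/sign_in' # constructed host
BYPASS_URL  = 'https://gitlab.example/users/sign_in?auto_sign_in=false'

if __FILE__ == $PROGRAM_NAME
  { 'locked down' => LOCKED_DOWN, 'emergency' => EMERGENCY, 'no password' => NO_PASSWORD }.each do |label, policy|
    puts "#{label}: plain  -> #{policy.decide(SIGN_IN_URL)}"
    puts "#{label}: bypass -> #{policy.decide(BYPASS_URL)}"
  end
end
```

Run it with ruby to see the three configurations side by side: only the EMERGENCY policy turns the auto_sign_in=false request into the local login form, which is the toggle the proposal asks to put in gitlab.rb.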

Permissions and Security

N/A

Documentation

N/A

Testing

I commented out the check in my local install for testing, but this is a bad solution long term, as I want my installation to match the official codebase.

What does success look like, and how can we measure that?

Success would be that there is no way for a user to log in without using the SSO provider, except in the case of an emergency, when an admin with SSH access to the GitLab server changes the value in the gitlab.rb and runs a reconfigure to disable the forced auto_login.

Links / references