Do not require SSO to be enforced for Group Managed Accounts to be enabled [Design]
- Group Owner UX: When GMA is enabled, we should generate a list of users whose email IDs do not comply with the group's whitelisted domain, including a message along the lines of:
  These users have not been removed, but have been temporarily blocked from this group and will need to authorise their account to be managed by your group in order to proceed. If they do not reauthorise, they will need to create a new GitLab.com account with a whitelisted email ID.
- Group Member UX - Non whitelisted: When a group member is temporarily blocked after GMA is turned on, they see a page with a banner message explaining that GMA is enabled and that only these whitelisted domains have access to it. They see two options:
  - They can authorise their account to be managed by the group. If they click authorise while logged into an account with an email ID that is not whitelisted for that group, they will be denied and asked to either update their email address OR:
  - They can click log out and register for a GitLab.com account with an email ID that's whitelisted.
- Group Member UX - Whitelisted: These group members are logged out of the group and asked to do one of the following:
  - They can authorise their account to be managed by the group.
  - They can click log out and register for a GitLab.com account with a different email ID that's also whitelisted, if they prefer not to have the group manage that specific account.
See the screenshots in !24329 (merged) as an example.
Since they are still technically in the group but just blocked, they should still be able to see this page and not a 404 page unless the group owner removes them from the group.
Exact copy TBD.
Why is this important?
Please see the problem statement outlined here.