
Allow Group Owners to Selectively Bypass Email Validation using a Group Verified Domain

Problem to solve

Our Commercial customers have expressed interest in a way to add users to their groups without validating their emails. The reasoning is that if users arrive through the customer's SSO solution, they should not need to be verified again in GitLab. Since skipping verification could create a security issue, auto-verification of emails coming through SSO should be limited to domains the customer has proven ownership of. Related to #23611 (closed). If an email added through SSO does not belong to one of the group's verified domains, it should still require the usual validation. We should not automatically validate emails for any other domains coming through SSO.

Intended users

User experience goal

Users coming to GitLab from corporate SSO should have a seamless adoption experience if the customer has already verified ownership of their corporate domains.

Proposal

Allow customers to add verified domains to their GitLab.com hosted group as described in #23611 (closed). The framework for such a feature already exists within Pages Custom domains and SSL/TLS Certificates. We can then use that verified domain to auto-verify account emails that belong to it. We could expand this a little further and prevent users from adding additional emails to these types of accounts, tying into and further locking down Group Managed Accounts.
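As an added illustration (not GitLab's own code), the decision the proposal describes: an SSO-provisioned address skips confirmation only when an Owner has enabled the bypass and the address's domain exactly matches a domain the group has verified. The `Group` struct and the sample domains are constructed for the example.

```ruby
# Hypothetical group record: the domains the group has verified and the
# Owner-controlled flag that enables the SSO confirmation bypass.
Group = Struct.new(:verified_domains, :sso_bypass_enabled, keyword_init: true)

# Extract the domain part of an address, normalised for comparison.
# Returns nil for anything that is not a single "local@domain" form,
# so malformed or multi-@ strings never match a verified domain.
def email_domain(email)
  return nil unless email.is_a?(String)
  parts = email.strip.split('@')
  return nil unless parts.length == 2 && !parts[0].empty?
  domain = parts[1].downcase.chomp('.')
  return nil if domain.empty? || domain.include?(' ')
  domain
end

# True only when the bypass is enabled AND the domain is one the group proved
# ownership of. Subdomains are deliberately not matched: verifying example.com
# says nothing about who controls mail at corp.example.com.
def auto_confirm_sso_email?(group, email)
  return false unless group.sso_bypass_enabled
  domain = email_domain(email)
  return false if domain.nil?
  group.verified_domains.map(&:downcase).include?(domain)
end

# Constructed sample: a group that verified example.com and example.org.
SAMPLE_GROUP = Group.new(verified_domains: ['example.com', 'Example.org'],
                         sso_bypass_enabled: true)

if __FILE__ == $PROGRAM_NAME
  %w[alice@example.com Bob@EXAMPLE.ORG. carol@sub.example.com dave@attacker.test].each do |addr|
    puts "#{addr}: #{auto_confirm_sso_email?(SAMPLE_GROUP, addr) ? 'auto-confirm' : 'needs confirmation'}"
  end
end
```

Any address that fails the check falls through to the normal confirmation flow; the bypass is an allow-list, never a default.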

Further details

When users are added through SSO and do not have resolvable emails, they are unable to validate them. Since SaaS users do not have access to admin tools, they need to open a support ticket to resolve it. We have customers that run into this issue on a regular basis, requiring many tickets to validate those accounts. We should make it easier for companies and their employees to adopt and grow their user base, with as little friction to getting started as possible, while also keeping their groups secure.

Permissions and Security

Only group Owners should be able to verify a corporate domain and enable the verification bypass on that verified domain. Both in the UI and via the API.

Documentation

Self-managed customers can already bypass the validation by disabling User email confirmation at sign-up. They also have admin rights, so they can do all of the things described in "Updating to GitLab 13.2: Email confirmation issues".

Availability & Testing

What does success look like, and how can we measure that?

Success is customer SSO accounts being created with their corporate domains without any friction. Measured by the reduction in support tickets and requests to verify corporate domain accounts.

What is the type of buyer?

For the SSO validation bypass, the tier could be Ultimate/Gold based on the type of buyer. It would fit better in Premium/Silver with the rest of the Group SSO features. This feature was initially requested by a current Ultimate customer - https://gitlab.my.salesforce.com/0016100000KvahJ (Internal) and entered on their behalf.

Is this a cross-stage feature?

Based on the proposal, suspect the following groups/stages:

Links / references

Directly related to Group domain verification
