Disable password authentication for OmniAuth users
Adds a new configuration option to disable password authentication for users with an OmniAuth identity. This will work for SAML and all other non-form-based OmniAuth providers.
Among other things, this will enable self-managed customers to configure their instance in a way that results in SSO enforcement. That is, even when password authentication is enabled, users will be required to authenticate using their IdP, whatever that may be.
Original Description
Background
In Transparent SSO enforcement for group members o... (#215155 - closed), we modified SSO enforcement so that anyone with a SAML identity would have SSO enforced by default on GitLab.com.
We need to bring this same functionality to self-managed.
Proposal
Transparent SSO enforcement by default for self-managed GitLab
Project/Group visibility | Enforce SSO for users with identity setting (NEW) | Password auth enabled (EXISTING) | Member with identity | Member without identity | Non-member or not signed in |
---|---|---|---|---|---|
Private | Off | Off | Not enforced | Not enforced | Not enforced |
Private | On | Off | Enforced | Not enforced | Not enforced |
Private | On | On | Enforced | Enforced | Enforced |
Public | Off | Off | Enforced | Not enforced | Not enforced |
Public | On | Off | Enforced | Not enforced | Not enforced |
Public | On | On | Enforced | Enforced | Not enforced |
Edited by Drew Blessing