Disabling user ability to disconnect from a service sign-in
Currently, users can disable service sign-in in their account settings: https://gitlab.example.com/-/profile/account
E.g. to disconnect Azure AD as the OAuth-based authentication:
This removes their Azure identity from their GitLab account:
This creates a problem for GitLab instances that lock down user sign-in to only Azure AD, i.e. when password-based login is disabled. The "Disconnect Azure AD" feature in the user settings appears not to synchronise with Azure, meaning that when the same person tries to log in with Azure AD, their identity is already known to the Azure AD app, so they are presented with this GitLab 422 error:
Sometimes, as in our case, we have deliberately restricted login options to just one: OAuth using Azure. If a user disconnects this sign-in service then they are essentially locking themselves out of their GitLab account.
One solution suitable for this scenario would be to allow administrators to disable the ability for users to disconnect service sign-ins for their account, i.e. to remove the feature shown in the first screenshot above. This could be achieved either with a new key/value setting in gitlab.rb on the server, or preferably in the admin area on the website in https://gitlab.example.com/admin
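
An audit for the lock-out condition described above, as an added example that is not part of the original issue or GitLab's own code: it lists active, non-bot accounts that have no identity for the one permitted sign-in provider. It assumes input shaped like the administrator view of GitLab's `GET /api/v4/users` response (which carries an `identities` list per user); the provider string `azure_activedirectory_v2` and all sample records are constructed, so substitute the provider name configured on your instance.

```python
import json

# Constructed sample, shaped like the admin view of GET /api/v4/users.
# Usernames, ids and extern_uid values are made up for illustration.
SAMPLE_USERS_JSON = """
[
  {"id": 1, "username": "alice", "state": "active", "bot": false,
   "identities": [{"provider": "azure_activedirectory_v2",
                   "extern_uid": "constructed-uid-1"}]},
  {"id": 2, "username": "bob", "state": "active", "bot": false,
   "identities": []},
  {"id": 3, "username": "carol", "state": "active", "bot": false,
   "identities": [{"provider": "github", "extern_uid": "constructed-uid-3"}]},
  {"id": 4, "username": "dave", "state": "blocked", "bot": false,
   "identities": []},
  {"id": 5, "username": "project_bot", "state": "active", "bot": true,
   "identities": []}
]
"""


def users_without_identity(users, required_provider):
    """Return sorted usernames of active human accounts that have no
    identity for required_provider (i.e. cannot sign in when that
    provider is the only enabled login method)."""
    at_risk = []
    for user in users:
        # Blocked accounts and bots do not sign in interactively.
        if user.get("state") != "active" or user.get("bot", False):
            continue
        providers = {i.get("provider") for i in (user.get("identities") or [])}
        if required_provider not in providers:
            at_risk.append(user["username"])
    return sorted(at_risk)


def audit(users_json, required_provider):
    """Parse a JSON user list and run the identity check on it."""
    return users_without_identity(json.loads(users_json), required_provider)


if __name__ == "__main__":
    provider = "azure_activedirectory_v2"  # assumption: set to your provider
    for name in audit(SAMPLE_USERS_JSON, provider):
        print(f"no {provider} identity: {name}")
```

Run periodically against the real user list, this surfaces accounts that have disconnected the provider before the affected person reports being unable to sign in.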


