Add a SAML Authentication Button


Proposal

A large Premium, Self-Managed customer reported an issue with MFA resets. Their GitLab instance is integrated with SAML SSO, and users log in either through SSO or with a local user account. The SSO users, although originally created via the GitLab UI or API, now sign in through the customer's SSO provider. The instance is also used by the customer's partners, who cannot use the customer's SSO and therefore continue to log in with local user accounts.

When a user (a customer employee who signs in with SAML SSO) needs an MFA reset, they first try to disable MFA so they can set up a new device. The disable-MFA screen prompts for the current password, but neither the SSO password nor the original local account password is accepted: entering the original local user password returns an HTTP 422 page, and entering the SSO password returns "invalid current password".

The workaround is for the admins to set a dummy/temporary password and share it with the user. The user then has to log in with that password and reset MFA. We believe that once the user starts using SAML SSO, the system seems to lose track of the local account and the user is migrated internally to a SAML user.

While they understand the documented workaround, the ideal solution would be a SAML authentication button on the disable-MFA screen rather than a password prompt.
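To make the failure mode and the proposal concrete, here is a small Ruby model of the two re-authentication paths. It is an added example written for this issue, not GitLab code: the `User`/`Identity`/`SamlAssertion` structs, the `REAUTH_WINDOW` policy, the assumption that a SAML-linked user's local password is unusable (the state the report suspects), and the return symbols are all constructed for illustration. It also assumes the SAML assertion's signature has already been verified by the SAML library before these checks run.

```ruby
require 'openssl'
require 'securerandom'
require 'time'

ITERATIONS    = 100_000
REAUTH_WINDOW = 5 * 60 # seconds; how fresh a SAML assertion must be to count as re-auth (assumed policy)

# Hypothetical data model constructed for this example (not GitLab's schema).
User          = Struct.new(:username, :password_hash, :salt, :identities, keyword_init: true)
Identity      = Struct.new(:provider, :extern_uid, keyword_init: true)
SamlAssertion = Struct.new(:issuer, :name_id, :issued_at, :not_on_or_after, keyword_init: true)

def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: 'sha256')
end

# A user with a SAML identity and no usable local password models the state the report
# describes (assumption): neither password the user knows will pass a password check.
def build_user(username, password: nil, saml_uid: nil)
  salt = SecureRandom.random_bytes(16)
  identities = saml_uid ? [Identity.new(provider: 'saml', extern_uid: saml_uid)] : []
  User.new(username: username, salt: salt, identities: identities,
           password_hash: password && hash_password(password, salt))
end

# Constant-time comparison so a mismatch does not leak the position of the first differing byte.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def local_password_valid?(user, password)
  return false if user.password_hash.nil? || password.nil?
  secure_equal?(hash_password(password, user.salt), user.password_hash)
end

# Current behaviour as reported: disabling 2FA is gated on the local password only,
# so a SAML-linked user with no usable local password can never pass this check.
def disable_2fa_password_only(user, password)
  local_password_valid?(user, password) ? :disabled : :invalid_current_password
end

# Proposed behaviour: a fresh SAML assertion for the user's linked identity counts as
# re-authentication. The assertion must come from the trusted IdP, name this user's
# extern_uid, be unexpired, and have been issued recently (a replayed old login session
# must not be enough to turn 2FA off).
def fresh_saml_reauth?(user, assertion, trusted_issuer:, now: Time.now)
  return false if assertion.nil?
  identity = user.identities.find { |i| i.provider == 'saml' }
  return false if identity.nil?
  return false unless assertion.issuer == trusted_issuer
  return false unless assertion.name_id == identity.extern_uid
  return false if now >= assertion.not_on_or_after           # assertion expired
  return false if now - assertion.issued_at > REAUTH_WINDOW   # too old to be a fresh re-auth
  true
end

def disable_2fa(user, password: nil, saml_assertion: nil, trusted_issuer:, now: Time.now)
  return :disabled if local_password_valid?(user, password)
  return :disabled if fresh_saml_reauth?(user, saml_assertion, trusted_issuer: trusted_issuer, now: now)
  user.identities.empty? ? :invalid_current_password : :saml_reauth_required
end

if __FILE__ == $PROGRAM_NAME
  now    = Time.now
  issuer = 'https://idp.corp.example/saml' # assumed IdP entity ID
  employee = build_user('alice', saml_uid: 'alice@corp.example')
  p disable_2fa_password_only(employee, 'old-local-pass') # => :invalid_current_password
  fresh = SamlAssertion.new(issuer: issuer, name_id: 'alice@corp.example',
                            issued_at: now - 30, not_on_or_after: now + 270)
  p disable_2fa(employee, saml_assertion: fresh, trusted_issuer: issuer, now: now) # => :disabled
  partner = build_user('bob', password: 'partner-pass')
  p disable_2fa(partner, password: 'partner-pass', trusted_issuer: issuer, now: now) # => :disabled
end
```

The point of the freshness checks is that the button must trigger a new round trip to the IdP (ideally with `ForceAuthn`), not reuse the assertion from the original login; otherwise anyone holding a live session could disable the second factor without re-proving who they are.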

Edited by 🤖 GitLab Bot 🤖