Allow recovery key use for SSO-enabled GitLab.com groups

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Description

If SSO enforcement is enabled, the identity provider becomes a critical path for being able to sign-in and maintain/configure the group. If a group owner enables this option and cannot sign-in (identity provider configuration malformed, identity provider is down, etc), the group becomes unusable until recovered by Support.

When enabling SSO enforcement, we should give the user enabling it a recovery mechanism in the event of SSO failure. This could be a recovery key (used as a URL parameter?).

Proposal

A group Owner should be able to generate a set of recovery codes for a group.
A group Owner should be able to use a code to regain access to recover the group (by accessing the group, including the settings page, for a limited amount of time).

Edited Aug 28, 2025 by 🤖 GitLab Bot 🤖