Create setting to force the user to register/use new credentials for a specific group
Description
While developing group SAML, customers described a desire to have division between personal and professional credentials. Currently on GitLab.com, a user is able to auth into a SAML-enabled group and use their pre-existing personal account.
While they lose access to any connected groups when they're deprovisioned, there's still a desire to keep these two sets of credentials separate. Thus, when the user moves on from the company/their contract expires, they simply lose access to the dedicated account.
Proposal
Create a setting for an SSO-connected group that, when enabled:
- When a user SSOs into the group, we check for a link between a user and that specific group.
- If that link does not exist, the user must register a new account. After registration has been completed, we establish this link between the new user and the group.
- If that link does exist (the user is associated with the group), allow the user access to the group or requested resource.
- If a dedicated user is removed from the linked group, they should not be able to log into GitLab.com with that account.
If the group already exists (and has never turned this option on), all members of the group will be required to create new users. When enabling this setting for an existing group, we should warn the user making the change of this consequence (e.g. "all X members of your group will be required to create unique accounts").
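The decision logic in the proposal can be modelled as a small state machine: a dedicated account is linked to exactly one group, SSO into the group requires that link, and losing group membership disables the dedicated account entirely. The following Ruby is an added illustration of that logic and is not GitLab's implementation; the class and method names, the in-memory link and membership tables, and the `:registration_required` / `:account_deprovisioned` reasons are all assumed for the example.

```ruby
# Illustrative model of the "group managed accounts" setting described in the
# proposal. Not GitLab code: all names and data structures here are assumed.
require 'set'

class GroupSsoPolicy
  Decision = Struct.new(:allowed, :reason)

  def initialize(group_managed_accounts:)
    @group_managed_accounts = group_managed_accounts
    @links = Hash.new { |h, k| h[k] = Set.new }    # group_id => linked user_ids
    @members = Hash.new { |h, k| h[k] = Set.new }  # group_id => current member user_ids
    @dedicated = {}                                # user_id => the one group it belongs to
  end

  # Called once registration for a new, group-specific account has completed:
  # this is the link the proposal establishes between the new user and the group.
  def link_dedicated_account(group_id, user_id)
    @links[group_id] << user_id
    @members[group_id] << user_id
    @dedicated[user_id] = group_id
  end

  def remove_member(group_id, user_id)
    @members[group_id].delete(user_id)
  end

  # SAML response for group_id arrived for user_id (pre-existing or dedicated).
  def authorize_sso(group_id, user_id)
    # With the setting off, any authenticated account may be linked (current behaviour).
    return Decision.new(true, :saml_ok) unless @group_managed_accounts

    # No user<->group link: the user must register a dedicated account first.
    # For a group that turns the setting on later, every existing member hits this branch.
    return Decision.new(false, :registration_required) unless @links[group_id].include?(user_id)

    # Linked but removed from the group: the dedicated account is deprovisioned.
    return Decision.new(false, :account_deprovisioned) unless @members[group_id].include?(user_id)

    Decision.new(true, :linked_account)
  end

  # Plain (non-SAML) sign-in. A personal account is unaffected; a dedicated
  # account is only usable while it is still a member of its group.
  def allow_sign_in?(user_id)
    group_id = @dedicated[user_id]
    return true if group_id.nil?

    @members[group_id].include?(user_id)
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = GroupSsoPolicy.new(group_managed_accounts: true)
  puts policy.authorize_sso('acme', 'alice').reason          # registration_required
  policy.link_dedicated_account('acme', 'alice-acme')
  puts policy.authorize_sso('acme', 'alice-acme').reason     # linked_account
  policy.remove_member('acme', 'alice-acme')
  puts policy.authorize_sso('acme', 'alice-acme').reason     # account_deprovisioned
  puts policy.allow_sign_in?('alice-acme')                   # false
end
```

The important design point is the last method: removal from the group must block every sign-in path for the dedicated account, not only the SAML path, otherwise the separation between personal and professional credentials that the description asks for is not enforced.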
Solution
| SAML disabled | SAML enabled | Enforce SSO enabled | Group managed accounts enabled |
|---|---|---|---|
| (mockup image not preserved) | (mockup image not preserved) | (mockup image not preserved) | (mockup image not preserved) |