Disable Arkose for Group SAML users (!124743) · Merge requests · GitLab.org / GitLab

Alex Buijs requested to merge disable-arkose-for-group-saml-users into master Jun 27, 2023

What does this MR do and why?

When registering, signing up or verifying identity, skip Arkose verification for group SAML users.

When unconfirmed group SAML users try to login with email + password combination in the /users/sign_in form, they get an Arkose score. When the assigned score is medium or high, they cannot login through SAML anymore. The only workaround is to request a new password, login with email + new password and complete identity verification.

Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/421

How to set up and validate locally

Configure GitLab for SCIM
Configure an identity provider
Provision a user from the identity provider
SAML sign in from the identity provider
Verify the message Please confirm your email address is shown on the sign in page
Try to login with the new provisioned user's email address and a random password
Confirm the new user's email address
SAML sign in from the identity provider
Verify login is successful

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Jun 28, 2023 by Alex Buijs

Disable Arkose for Group SAML users

What does this MR do and why?

How to set up and validate locally

MR acceptance checklist

Merge request reports