Disable Arkose for Group SAML users
What does this MR do and why?
When registering, signing up or verifying identity, skip Arkose verification for group SAML users.
When unconfirmed group SAML users try to log in with an email + password combination in the `/users/sign_in` form, they get an Arkose score. When the assigned score is medium or high, they cannot log in through SAML anymore. The only workaround is to request a new password, log in with email + new password and complete identity verification.
Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/421
How to set up and validate locally
- Configure GitLab for SCIM
- Configure an identity provider
- Provision a user from the identity provider
- SAML sign in from the identity provider
- Verify the message "Please confirm your email address" is shown on the sign in page
- Try to log in with the newly provisioned user's email address and a random password
- Confirm the new user's email address
- SAML sign in from the identity provider
- Verify login is successful
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Alex Buijs