Require group owner to have linked SAML before enabling Group Managed Accounts

What

Prevent owner from enabling Group Managed Accounts if they haven't first linked SAML to their account.

Why

Fixes #39183 (closed) and #38021 (closed)

Allows us to proceed with rolling out Group Managed Accounts

SSO Enforcement would otherwise force them to go through the SAML linking process to access the group, which, with Group Managed Accounts, would result in a new user being created. Since this new user would be created as a guest, the original owner would have no further control over the group and would be locked out.

Why not

In a way this is a temporary fix until we can convert users into group managed accounts.

Another workaround might be to detect if the user is signed in as an owner on the old account and set the new account up as an owner. This might be smoother, but is more complicated and would need careful thought from a security perspective to avoid the wrong user taking over as owner.


Acceptance criteria

Conformity

Availability and Testing

Edited by Joe Randazzo
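
The lockout and the precondition described in this merge request, as an added example that is not part of the merge request or GitLab's code base. It is a simplified Ruby model; `User`, `Group`, `simulate` and every method and role name are hypothetical.

```ruby
# Simplified model of the lockout described above; all names are hypothetical.
require "set"
User = Struct.new(:name)

class Group
  attr_reader :members, :saml_links, :managed_accounts

  def initialize(owner)
    @members = { owner => :owner } # user => role
    @saml_links = Set.new          # users with SAML linked for this group
    @managed_accounts = false
  end

  def link_saml(user)
    @saml_links << user
    user
  end

  # guard: true applies the precondition this merge request describes.
  def enable_managed_accounts(actor, guard: true)
    raise ArgumentError, "owners only" unless members[actor] == :owner
    raise ArgumentError, "link SAML first" if guard && !saml_links.include?(actor)
    @managed_accounts = true
  end

  # SSO enforcement: with managed accounts on, an unlinked identity becomes a new guest.
  def sign_in_via_saml(user)
    return user if saml_links.include?(user)
    return link_saml(user) unless managed_accounts
    fresh = User.new("#{user.name} (managed)")
    members[fresh] = :guest
    link_saml(fresh)
  end

  def owners_able_to_sign_in
    members.select { |u, role| role == :owner && saml_links.include?(u) }.keys
  end
end

def simulate(guard:, link_first:)
  owner = User.new("owner")
  group = Group.new(owner)
  group.link_saml(owner) if link_first
  group.enable_managed_accounts(owner, guard: guard)
  session = group.sign_in_via_saml(owner)
  { role: group.members[session], reachable_owners: group.owners_able_to_sign_in.size }
rescue ArgumentError => e
  { refused: e.message }
end
```

With `guard: false` and no prior link, the session lands on a guest account and no owner can sign in; with the guard, the setting is refused until the owner has linked SAML.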