Disabling Access Tokens for Disabled SAML Users

Our company has a private instance of GitLab CE running, which we use for our internal software development projects.

To minimize credentials sprawl, we have GitLab configured to require that users be authenticated and authorized through SAML against an identity provider.

One of the important requirements we have is that when an employee leaves the company or a contractor’s project ends, the corresponding user account is disabled in the identity provider, and that this action disable that user’s access to all systems that rely on that identity provider (i.e., we don’t have to remember to go through a bunch of separate systems and see if there’s a user account there for that person).

While this approach works for the browser-based access to GitLab, users are free to generate their own Personal Access Tokens (PATs) in GitLab, which don’t necessarily have a short expiration. Our concern is that, even though we’ve disabled a user in the directory, the PATs would still give that user access to many GitLab functionalities (fetching repositories, registry access, etc.).

Aside from network-level protections (installing GitLab in a private network, implement IP whitelisting), are there any other recommendations for addressing this issue? Is it possible to have a policy that requires PATs to be short-lived?

Thank you,