Mixed Login (SAML and User/Password). How can we disable password-Option for SAML-Users?

Hi Community,

I am posting this to general, please feel free to move if there is a better category (thanks!)

So, our gitlab-users are generally in our company and therefore login via SAML, which works great (aside from the problem stated here, which we also have…)

But in some projects, external people are invited via E-Mail, creating them a local account with user/password.
These need to be able to set and change a password.

But our SAML-Users should not be able to set a password, as it allows them to login directly.
This means, they can circumvent the SAML-Login, which is not possible after they have left the company.

Is there a technical way to prevent Users that are created via SAML from setting a password?

Many Thanks in Advance!

P.S. Yes, we are thinking about an organisational solution, i.e. disabling users in GitLab as part of offboarding. But we like to be safe here in case this workflow fails somehow …

Hi @domnirok

If you are running a self-managed instance, the short answer is no.

I am sorry to hear that, but thank you for the info.

We will solve the problem by creating a small script that checks every SAML user against our AD to see if there is an active user.

If not, disable the gitlab user and send an e-mail.

Best regards,
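The reconciliation script described in the post above could look like the following. This is an added example, not code from the poster or from GitLab. It assumes the SAML provider is named `saml`, that the SAML NameID stored as `extern_uid` equals the AD user principal name, and it uses constructed sample data in place of the live `GET /api/v4/users` response and the AD query.

```python
import json

# Constructed sample shaped like GET /api/v4/users with an admin token
# (admins see the "identities" list). Not real accounts.
SAMPLE_USERS = json.loads("""[
 {"id": 11, "username": "alice", "state": "active",
  "identities": [{"provider": "saml", "extern_uid": "Alice@example.com"}]},
 {"id": 12, "username": "bob", "state": "active",
  "identities": [{"provider": "saml", "extern_uid": "bob@example.com"}]},
 {"id": 13, "username": "ext.dave", "state": "active", "identities": []},
 {"id": 14, "username": "eve", "state": "blocked",
  "identities": [{"provider": "saml", "extern_uid": "eve@example.com"}]}
]""")

# Constructed stand-in for "all enabled accounts" returned by an AD query.
ACTIVE_AD = {"alice@example.com"}


def users_to_block(users, active_ids, provider="saml"):
    """Return active GitLab users whose SAML identity has no enabled AD account."""
    active = {a.lower() for a in active_ids}
    if not active:
        # An empty set almost always means the directory lookup failed;
        # refuse to act rather than block every SAML user.
        raise RuntimeError("directory returned no active users, aborting")
    stale = []
    for user in users:
        if user.get("state") != "active":
            continue  # already blocked or deactivated
        uids = [i["extern_uid"].lower() for i in user.get("identities", [])
                if i.get("provider") == provider]
        if not uids:
            continue  # local account (invited external user): leave untouched
        if not any(uid in active for uid in uids):
            stale.append(user)
    return stale


def block_request(base_url, user_id):
    """HTTP method and URL of GitLab's block-user admin endpoint."""
    return "POST", f"{base_url.rstrip('/')}/api/v4/users/{user_id}/block"


if __name__ == "__main__":
    # gitlab.example.com is a placeholder host; this only prints the plan.
    for u in users_to_block(SAMPLE_USERS, ACTIVE_AD):
        print(u["username"], *block_request("https://gitlab.example.com", u["id"]))
```

Blocking the account prevents sign-in with the locally set password as well, which covers the gap described in the question when offboarding is missed.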

You can follow and upvote the feature request where development of this functionality is being tracked: Transparent SSO Enforcement for Self-Managed GitLab (#382917) · Issues · GitLab.org / GitLab · GitLab