We have SAML enabled for our users … but it seems that after logging in some users are setting a local GitLab password that is not very strong, nor is it MFA, nor does it expire. This obviously has security concerned.
- I think this should be a [feature request] that if ONLY SAML is enabled for an account they should not be able to set a local password. This should be higher level security option that is settable by the admin.
[ If a SAML only user tried to recover their password, the email should point them back to the SAML authenticator, rather than letting them set a new password ].
- Even forcing an unknown password to local accounts, the user can get around this by using the “I forgot my password”.
- https://docs.gitlab.com/ee/security/password_length_limits.html is a good start, but further password strength tests should be available such as the requirement to use at least 1 upper, 1 lower, 1 special character AND have at least >8 characters.
- Another [ Feature Request ] should be that MFA should be settable for external users (not the group). For customers that are using SAML and have MFA already enabled forcing another MFA (specially by a different provider) makes no sense.
Am I missing any other authenticated issues?