Enterprise users - Disallow Password Auth
Problem to solve
When a user is created via SAML/SCIM, the enterprise group administrator expects that the account will only be able to authenticate through their IdP. Today, users whose accounts were provisioned by SAML/SCIM can reset their password and log in to their accounts without going through their organization's IdP. This raises the concern that the account can be compromised and the organization's data exposed.
Proposal
If a user is created by SAML/SCIM, then password auth should be disabled by default. The user should not be able to reset their password.
One use case to consider is when the user is removed from the top-level group. We need a way for the user to be re-added to the group if/when they go back through the SAML flow.
We should put this feature behind a feature flag until &5299 is completed.
NOTE: Without password auth, Git+HTTPS will not be available for users without 2FA https://docs.gitlab.com/ee/gitlab-basics/start-using-git.html#git-authentication-methods
Availability & Testing
This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier.
What risks does this change pose to our availability? This is a low risk for GitLab SaaS and self-managed availability.
How might it affect the quality of the product? In an extreme case, password auth may get disabled for a non-SAML/SCIM setup.
What additional test coverage or changes to tests will be needed? Will it require cross-browser testing?
- Ensure that when a user is removed from and re-added to a SAML/SCIM-enabled group, they are still unable to reset their password or log in with a password
- Ensure that Git via SSH continues to work
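To make the proposal and the test cases above concrete, here is an added Ruby sketch (not GitLab's code) of the rule set: password login and password reset are refused for accounts provisioned through group SAML/SCIM while the feature flag is on, and removing the user from the group keeps the provisioning link so a later SAML sign-in re-adds them. The struct fields, the feature-flag keyword and the group/membership model are assumptions for illustration.

```ruby
# Constructed model of the proposed behaviour; field names are assumed.
User  = Struct.new(:username, :provisioned_by_group, :password_hash, keyword_init: true)
Group = Struct.new(:name, :members, keyword_init: true)

module ProvisionedAuthPolicy
  # An account created via group SAML/SCIM has password auth disabled by
  # default, gated by a feature flag (passed in here rather than named).
  def self.password_auth_disabled?(user, feature_flag_enabled:)
    feature_flag_enabled && !user.provisioned_by_group.nil?
  end

  # Password login is refused for provisioned users even if a password
  # hash happens to exist on the record.
  def self.password_login_allowed?(user, feature_flag_enabled:)
    !password_auth_disabled?(user, feature_flag_enabled: feature_flag_enabled) &&
      !user.password_hash.nil?
  end

  # The reset flow must be blocked as well, otherwise the user could mint
  # a new password and bypass the IdP entirely.
  def self.password_reset_allowed?(user, feature_flag_enabled:)
    !password_auth_disabled?(user, feature_flag_enabled: feature_flag_enabled)
  end
end

# Removal from the top-level group only drops the membership; the
# provisioned_by_group link on the user record is intentionally kept.
def remove_from_group(group, user)
  group.members.delete(user.username)
  user
end

# A successful SAML callback for the group re-adds a previously removed
# user; users not provisioned by this group are not touched.
def saml_callback(group, user)
  return false unless user.provisioned_by_group == group.name

  group.members << user.username unless group.members.include?(user.username)
  true
end

# Scenario from the test-coverage list: after removal and re-add, password
# auth is still disabled for the provisioned user.
def removed_and_readded_still_blocked?(group, user)
  saml_callback(group, user)
  remove_from_group(group, user)
  saml_callback(group, user) &&
    !ProvisionedAuthPolicy.password_login_allowed?(user, feature_flag_enabled: true) &&
    !ProvisionedAuthPolicy.password_reset_allowed?(user, feature_flag_enabled: true)
end
```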