Merge branch 'docs-group-managed-accounts' into 'master'

Documentation MVC for group managed accounts Closes gitlab-ee#12526 See merge request gitlab-org/gitlab-ce!30876

Merge branch 'docs-group-managed-accounts' into 'master'
Documentation MVC for group managed accounts Closes gitlab-ee#12526 See merge request gitlab-org/gitlab-ce!30876
4a772d50 · Achilleas Pipinellis · 18982869 · 8987e78b · 4a772d50
Commit 4a772d50 authored Aug 21, 2019 by Achilleas Pipinellis
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 0 deletions

doc/user/group/saml_sso/index.md doc/user/group/saml_sso/index.md +19 -0

No files found.
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -39,6 +39,25 @@ However, users will not be prompted to log via SSO on each visit. GitLab will ch

 We intend to add a similar SSO requirement for [Git and API activity](https://gitlab.com/gitlab-org/gitlab-ee/issues/9152) in the future.

+#### Group-managed accounts
+
+[Introduced in GitLab 12.1](https://gitlab.com/groups/gitlab-org/-/epics/709).
+
+When SSO is being enforced, groups can enable an additional level of protection by enforcing the creation of dedicated user accounts to access the group.
+
+Without group-managed accounts, users can link their SAML identity with any existing user on the instance. With group-managed accounts enabled, users are required to create a new, dedicated user linked to the group. The notification email address associated with the user is locked to the email address received from the configured identity provider.
+
+When this option is enabled:
+
+- All existing and new users in the group will be required to log in via the SSO URL associated with the group.
+- On successfully authenticating, GitLab will prompt the user to create a new, dedicated account using the email address received from the configured identity provider.
+- After the group managed account has been created, group activity will require the use of this user account.
+
+Since use of the group managed account requires the use of SSO, users of group managed accounts will lose access to these accounts when they are no longer able to authenticate with the connected identity provider. In the case of an offboarded employee who has been removed from your identity provider:
+
+- The user will be unable to access the group (their credentials will no longer work on the identity provider when prompted to SSO).
+- Contributions in the group (e.g. issues, merge requests) will remain intact.
+
 ### NameID

 GitLab.com uses the SAML NameID to identify users. The NameID element: