Merge branch '225503-document-omniauth-social-sign-in-password-security' into 'master'

Resolve "Document OmniAuth/Social sign-in password security"

See merge request gitlab-org/gitlab!39413

doc/administration/auth/smartcard.md

@@ -310,6 +310,10 @@ attribute. As a prerequisite, you must use an LDAP server that:
 1. Save the file and [restart](../restart_gitlab.md#installations-from-source)
    GitLab for the changes to take effect.
 
+## Passwords for users created via smartcard authentication
+
+The [Generated passwords for users created through integrated authentication](../../security/passwords_for_integrated_authentication_methods.md) guide provides an overview of how GitLab generates and sets passwords for users created via smartcard authentication.
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues

doc/integration/omniauth.md

@@ -324,3 +324,7 @@ of the OmniAuth users has admin permissions.
 
 You may also bypass the auto signin feature by browsing to
 `https://gitlab.example.com/users/sign_in?auto_sign_in=false`.
+
+## Passwords for users created via OmniAuth
+
+The [Generated passwords for users created through integrated authentication](../security/passwords_for_integrated_authentication_methods.md) guide provides an overview of how GitLab generates and sets passwords for users created via OmniAuth.

doc/integration/saml.md

@@ -584,6 +584,10 @@ These attributes define the SAML user. If users can change these attributes, the
 
 Refer to the documentation for your SAML Identity Provider for information on how to fix these attributes.
 
+## Passwords for users created via SAML
+
+The [Generated passwords for users created through integrated authentication](../security/passwords_for_integrated_authentication_methods.md) guide provides an overview of how GitLab generates and sets passwords for users created via SAML.
+
 ## Troubleshooting
 
 You can find the base64-encoded SAML Response in the [`production_json.log`](../administration/logs.md#production_jsonlog).

doc/security/README.md

@@ -7,6 +7,7 @@ type: index
 
 - [Password storage](password_storage.md)
 - [Password length limits](password_length_limits.md)
+- [Generated passwords for users created through integrated authentication](passwords_for_integrated_authentication_methods.md)
 - [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md)
 - [Rate limits](rate_limits.md)
 - [Webhooks and insecure internal web services](webhooks.md)

doc/security/passwords_for_integrated_authentication_methods.md

+---
+type: reference
+---
+
+# Generated passwords for users created through integrated authentication
+
+GitLab allows users to set up accounts through integration with external [authentication and authorization providers](../administration/auth/README.md).
+
+These authentication methods do not require the user to explicitly create a password for their accounts.
+However, to maintain data consistency, GitLab requires passwords for all user accounts.
+
+For such accounts, we use the [`friendly_token`](https://github.com/heartcombo/devise/blob/f26e05c20079c9acded3c0ee16da0df435a28997/lib/devise.rb#L492) method provided by the Devise gem to generate a random, unique and secure password and sets it as the account password during sign up.
+
+The length of the generated password is the set based on the value of [maximum password length](password_length_limits.md#modify-maximum-password-length-using-configuration-file) as set in the Devise configuation. The default value is 128 characters.

doc/user/group/saml_sso/index.md

@@ -301,6 +301,10 @@ Group SAML on a self-managed instance is limited when compared to the recommende
           - { name: 'group_saml' }
     ```
 
+## Passwords for users created via SAML SSO for Groups
+
+The [Generated passwords for users created through integrated authentication](../../../security/passwords_for_integrated_authentication_methods.md) guide provides an overview of how GitLab generates and sets passwords for users created via SAML SSO for Groups.
+
 ## Troubleshooting
 
 This section contains possible solutions for problems you might encounter.