Sign-in restrictions (FREE SELF)

You can use Sign-in restrictions to customize authentication restrictions for web interfaces as well as Git over HTTP(S).

Settings

To access sign-in restriction settings:

  1. On the top bar, select Main menu > Admin.
  2. On the left sidebar, select Settings > General.
  3. Expand the Sign-in restrictions section.

Password authentication enabled

You can restrict the password authentication for web interface and Git over HTTP(S):

In the event of an external authentication provider outage, use the GitLab Rails console to re-enable the standard web sign-in form. This configuration can also be changed over the Application settings REST API while authenticating with an administrator account's personal access token.

Admin Mode

Introduced in GitLab 13.10.

When this feature is enabled, instance administrators are limited as regular users. During that period, they do not have access to all projects, groups, or the Admin Area menu.

To access potentially dangerous resources, an administrator can activate Admin Mode by:

  • Selecting the Enable Admin Mode button
  • Trying to access any part of the UI that requires administrator access, specifically those which call /admin endpoints.

The main use case allows administrators to perform their regular tasks as a regular user, based on their memberships, without having to set up a second account for security reasons.

When Admin Mode status is disabled, administrative users cannot access resources unless they've been explicitly granted access. For example, when Admin Mode is disabled, they get a 404 error if they try to open a private group or project, unless they are members of that group or project.

2FA should be enabled for administrators and is supported for the Admin Mode flow, as are OmniAuth providers and LDAP auth. The Admin Mode status is stored in the active user session and remains active until it is explicitly disabled (it will be disabled automatically after a timeout otherwise).

Limitations of Admin Mode

The following access methods are not protected by Admin Mode:

  • Git client access (SSH using public keys or HTTPS using Personal Access Tokens).
  • API access using a Personal Access Token.

In other words, administrators who are otherwise limited by Admin Mode can still use Git clients, and access RESTful API endpoints as administrators, without additional authentication steps.

We may address these limitations in the future. For more information see the following epic: Admin Mode for GitLab Administrators.

Troubleshooting Admin Mode

If necessary, you can disable Admin Mode as an administrator by using one of these two methods:

  • API:

    curl --request PUT --header "PRIVATE-TOKEN:$ADMIN_TOKEN" "<gitlab-url>/api/v4/application/settings?admin_mode=false"
  • Rails console:

    ::Gitlab::CurrentSettings.update!(admin_mode: false)

Two-factor authentication

When this feature is enabled, all users must use the two-factor authentication.

After the two-factor authentication is configured as mandatory, users are allowed to skip forced configuration of two-factor authentication for the configurable grace period in hours.

Two-factor grace period

Email notification for unknown sign-ins

Introduced in GitLab 13.2.

When enabled, GitLab notifies users of sign-ins from unknown IP addresses or devices. For more information, see Email notification for unknown sign-ins.

Email notification for unknown sign-ins

Sign-in information

All users that are not logged in are redirected to the page represented by the configured Home page URL if value is not empty.

All users are redirected to the page represented by the configured After sign-out path after sign out if value is not empty.

In the Sign-in restrictions section, scroll to the Sign-in text field. You can add a custom message for your users in Markdown format.

For example, if you include the following information in the noted text box:

# Custom sign-in text

To access this text box:

1. On the top bar, select **Main menu > Admin**.
1. On the left sidebar, select **Settings > General**, and expand the **Sign-in restrictions** section.

Your users see the Custom sign-in text when they navigate to the sign-in screen for your GitLab instance.

Troubleshooting

Re-enable standard web sign-in form in rails console

Re-enable the standard username and password-based sign-in form if it was disabled as a Sign-in restriction.

You can use this method through the rails console when a configured external authentication provider (through SSO or an LDAP configuration) is facing an outage and direct sign-in access to GitLab is required.

Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true)