doc/administration/settings/sign_in_restrictions.md
Use sign-in restrictions to customize authentication restrictions for the web interface and for Git over HTTP(S).
Prerequisites:
Password authentication for the web interface is enabled by default. When disabled, users cannot use the standard sign-in screen and must use an external authentication provider instead. Disabling it also disables passkeys for two-factor authentication.
To allow password and passkey authentication for the web interface:
{{< alert type="note" >}}
In the event of an outage with your external authentication provider, use the GitLab Rails console to re-enable the standard web sign-in form. You can also use the Application settings API to configure the `password_authentication_enabled_for_web` setting.
{{< /alert >}}
Password authentication for Git over HTTP(S) is enabled by default. When disabled, users must authenticate with a personal access token or an LDAP password.
To allow password authentication for Git over HTTP(S):
Organizations might want to restrict SSO users from signing in with passwords or passkeys, and require them to use their external authentication provider instead. This restricts password authentication for both the web interface and Git over HTTP(S), and passkey authentication for the web interface. Passkeys can never be used with Git over HTTP(S).
To disable password and passkey authentication for users with an SSO identity:
You can require users to register a two-factor authentication (2FA) method for their account.
This requires all users, including administrators, to register a 2FA method.
To enforce two-factor authentication for all users:
0 to enforce registration at the next sign in.

This requires only administrators to register a 2FA method. This also includes users with custom admin roles.
To enforce two-factor authentication for administrators:
0 to enforce registration at the next sign in.

If you're an administrator, you might want to work in GitLab without administrator access. You could either create a separate user account that does not have administrator access or use Admin Mode.
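The settings described above (web and Git password authentication, the SSO-identity restriction, 2FA enforcement and its grace period, and Admin Mode) are all exposed by the Application settings API, so they can be audited from a script. The following Ruby script is an added example, not code from the GitLab documentation or the GitLab project. It reads the JSON returned by `GET /api/v4/application/settings` and reports where the instance is weaker than a hardened baseline. Only `password_authentication_enabled_for_web` and `admin_mode` appear on this page; the other setting names (`password_authentication_enabled_for_git`, `disable_password_authentication_for_users_with_sso_identities`, `require_two_factor_authentication`, `require_admin_two_factor_authentication`, `two_factor_grace_period`) are assumed and should be confirmed against your instance's API documentation. The sample response is constructed, not captured from a real instance.

```ruby
# Added example: audit GitLab sign-in restrictions from the Application settings API.
require 'json'
require 'net/http'
require 'uri'

Finding = Struct.new(:severity, :key, :message)

# Fetch application settings. When Admin Mode is enabled on the instance, the
# token must carry the admin_mode scope or the API treats the caller as a
# regular user.
def fetch_settings(base_url, token)
  uri = URI("#{base_url}/api/v4/application/settings")
  req = Net::HTTP::Get.new(uri)
  req['PRIVATE-TOKEN'] = token
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  raise "Application settings request failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)

  JSON.parse(res.body)
end

# Pure function over the settings hash so it can be run against a saved response.
# Setting names other than password_authentication_enabled_for_web and admin_mode
# are assumed API field names (see lead-in).
def audit_sign_in_settings(s)
  findings = []
  web_pw         = s.fetch('password_authentication_enabled_for_web', true)
  git_pw         = s.fetch('password_authentication_enabled_for_git', true)              # assumed name
  sso_pw_blocked = s.fetch('disable_password_authentication_for_users_with_sso_identities', false) # assumed name
  require_2fa    = s.fetch('require_two_factor_authentication', false)                   # assumed name
  admin_2fa      = s.fetch('require_admin_two_factor_authentication', false)             # assumed name
  grace          = s.fetch('two_factor_grace_period', 48).to_i                           # assumed name
  admin_mode     = s.fetch('admin_mode', false)

  if web_pw
    findings << Finding.new(:info, 'password_authentication_enabled_for_web',
                            'Local password and passkey sign-in is enabled on the web interface.')
    unless sso_pw_blocked
      findings << Finding.new(:warn, 'disable_password_authentication_for_users_with_sso_identities',
                              'Users with an SSO identity can still sign in with a local password, bypassing the external provider.')
    end
  else
    findings << Finding.new(:info, 'password_authentication_enabled_for_web',
                            'Web password sign-in is disabled (passkeys too); keep the Rails console re-enable procedure ready for provider outages.')
  end

  if git_pw && !sso_pw_blocked
    findings << Finding.new(:info, 'password_authentication_enabled_for_git',
                            'Git over HTTP(S) accepts account passwords; if disabled, users need a personal access token or LDAP password.')
  end

  if require_2fa
    if grace > 0
      findings << Finding.new(:info, 'two_factor_grace_period',
                              "2FA is enforced for all users, but registration may be deferred for #{grace} hours; 0 enforces it at next sign-in.")
    end
  elsif admin_2fa
    findings << Finding.new(:info, 'require_admin_two_factor_authentication',
                            '2FA is enforced for administrators (including custom admin roles) only.')
  else
    findings << Finding.new(:warn, 'require_two_factor_authentication',
                            '2FA is not enforced for any users, administrators included.')
  end

  unless admin_mode
    findings << Finding.new(:warn, 'admin_mode',
                            'Admin Mode is off: every administrator session carries full administrator rights.')
  end
  findings
end

# Constructed sample response (not from a real instance) used when no URL is given.
SAMPLE_SETTINGS = JSON.parse(<<~JSON)
  {
    "password_authentication_enabled_for_web": true,
    "password_authentication_enabled_for_git": true,
    "disable_password_authentication_for_users_with_sso_identities": false,
    "require_two_factor_authentication": true,
    "two_factor_grace_period": 48,
    "admin_mode": false
  }
JSON

if $PROGRAM_NAME == __FILE__
  settings = ENV['GITLAB_URL'] ? fetch_settings(ENV['GITLAB_URL'], ENV.fetch('ADMIN_TOKEN')) : SAMPLE_SETTINGS
  audit_sign_in_settings(settings).each { |f| puts "[#{f.severity}] #{f.key}: #{f.message}" }
end
```

Run it with `GITLAB_URL=https://gitlab.example.com ADMIN_TOKEN=... ruby audit.rb` against a live instance, or with no environment variables to see the findings for the constructed sample; `audit_sign_in_settings` takes any parsed JSON hash, so a saved response works too.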
With Admin Mode, your account does not have administrator access by default. You can continue to access groups and projects you're a member of. However, for administrative tasks, you must authenticate (except for certain features).
When Admin Mode is enabled, it applies to all administrators on the instance.
When Admin Mode is enabled for an instance, administrators:
Administrators can enable Admin Mode through the API, the Rails console, or the UI.
Make the following request to your instance endpoint:
```shell
curl --request PUT --header "PRIVATE-TOKEN:$ADMIN_TOKEN" "<gitlab.example.com>/api/v4/application/settings?admin_mode=true"
```
Replace <gitlab.example.com> with your instance URL.
For more information, see the list of settings that can be accessed through API calls.
Open the Rails console and run the following:
```ruby
::Gitlab::CurrentSettings.update!(admin_mode: true)
```
To enable Admin Mode through the UI:
To turn on Admin Mode for your current session and access potentially dangerous resources:
/admin in the URL (which requires administrator access).

When Admin Mode status is disabled or turned off, administrators cannot access resources unless
they've been explicitly granted access. For example, administrators get a 404 error
if they try to open a private group or project, unless they are members of that group or project.
2FA should be enabled for administrators. 2FA, OmniAuth providers, and LDAP authentication are supported by Admin Mode. Admin Mode status is stored in the current user session and remains active until either:
{{< history >}}
- Introduced with a feature flag named `show_admin_mode_within_active_sessions`. Disabled by default.
- Feature flag `show_admin_mode_within_active_sessions` removed.
{{< /history >}}
Go to your list of active sessions:
Sessions which have Admin Mode turned on display the text Signed in on date of session with Admin Mode.
To turn off Admin Mode for your current session:
Admin Mode times out after six hours, and you cannot change this timeout limit.
The following access methods are not protected by Admin Mode:
In other words, administrators who are otherwise limited by Admin Mode can still use Git clients without additional authentication steps.
To use the GitLab REST or GraphQL API, administrators must create a personal access token or OAuth token with the `admin_mode` scope.
If an administrator with a personal access token with the admin_mode scope loses their administrator access, that user cannot access the API as an administrator even though they still have the token with the admin_mode scope.
For more information, see epic 2158.
Also, when GitLab Geo is enabled, you can't view the replication status of projects and designs while on a secondary node. A fix is proposed when projects (issue 367926) and designs (issue 355660) move to the new Geo framework.
If necessary, you can disable Admin Mode as an administrator by using one of these two methods:
API:

```shell
curl --request PUT --header "PRIVATE-TOKEN:$ADMIN_TOKEN" "<gitlab-url>/api/v4/application/settings?admin_mode=false"
```

Rails console:

```ruby
::Gitlab::CurrentSettings.update!(admin_mode: false)
```
When enabled, GitLab notifies users of sign-ins from unknown IP addresses or devices. For more information, see Email notification for unknown sign-ins.
All users that are not signed in are redirected to the configured Home page URL, if the value is not empty.
All users are redirected to the configured Sign-out page URL after sign out, if the value is not empty.
To add a help message to the sign-in page, customize your sign-in and register pages.
Re-enable the standard username and password-based sign-in form if it was disabled as a Sign-in restriction.
You can use this method through the rails console when a configured external authentication provider (through SSO or an LDAP configuration) is facing an outage and direct sign-in access to GitLab is required.
```ruby
Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true)
```