Limit registration to SSO only?

It seems like if the disable-registration flag is used, new users won’t be created w/ OIDC login. Is there a way to disable direct registration, but still allow for new users to be registered through OIDC? The users don’t all have a consistent email domain, so I can’t artificially do this w/ PENPOT_REGISTRATION_DOMAIN_WHITELIST.

Looks like a nice enhancement. I have created the US for it: Taiga
Thanks

After looking at the code, it looks like this is how it works right now.

I have tested it by creating a new clear instance, enabling Google auth (it is the same code as generic OIDC) and disabling registration. And registration of new users via OIDC worked as expected.

There is a single line of code in the codebase that checks the registration flag, and it is in the normal registration path. So it should work as expected. If you think this does not work or you have more related issues, consider opening an issue on GitHub with more details and we will try to look at it.

Hey @niwinz ,

I have the same problem as the original author - using GitLab auth with disabled registration (disable-login disable-registration enable-login-with-gitlab) - and I cannot get single sign-on to work.

When I enable registration, it will work properly, but this will also enable “generic” registration which I do not want.

How can I somehow increase the backend logging level to give more details about the problem?

All the best and thanks for your work <3
Sebastian

Hey @niwinz and @alyx ,

I found a workaround which works I guess:

  • keep registration enabled, by setting PENPOT_FLAGS: "disable-login enable-login-with-gitlab"
  • set PENPOT_REGISTRATION_DOMAIN_WHITELIST to a subdomain which you own, but which does not contain any email addresses. This way, email registrations can never succeed.

All the best, and keep up the good work,
Sebastian
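
A configuration check for the workaround in the last post, added here as an example; it is not part of any post above and not Penpot code. It assumes the flag and whitelist semantics as the thread describes them, takes the provider flag as a parameter, and uses the placeholder domain `noreply.example.org`.

```shell
#!/bin/sh
# Added example. Flag meanings are assumed from the thread, not from
# Penpot's source: disable-registration turns registration off, and a
# non-empty PENPOT_REGISTRATION_DOMAIN_WHITELIST limits e-mail sign-ups.

# has_flag FLAGS NAME -> exit 0 if NAME is one of the space-separated FLAGS
has_flag() {
  for hf_item in $1; do
    [ "$hf_item" = "$2" ] && return 0
  done
  return 1
}

# registration_posture FLAGS WHITELIST -> prints closed, restricted or open
registration_posture() {
  if has_flag "$1" disable-registration; then
    echo closed        # no direct sign-up at all
  elif [ -n "$2" ]; then
    echo restricted    # sign-up limited to the whitelisted domains
  else
    echo open          # anyone can self-register with any address
  fi
}

# sso_only_issues FLAGS WHITELIST SSO_FLAG -> one line per finding;
# no output means the settings match the intent of the workaround.
sso_only_issues() {
  has_flag "$1" disable-login ||
    echo "password login form still enabled (disable-login missing)"
  has_flag "$1" "$3" ||
    echo "provider flag $3 missing, SSO login is not enabled"
  [ "$(registration_posture "$1" "$2")" != open ] ||
    echo "direct registration open to any e-mail domain"
}

# Constructed sample input: the workaround's values with a placeholder domain.
sso_only_issues "disable-login enable-login-with-gitlab" \
  "noreply.example.org" enable-login-with-gitlab
```

To check a running deployment, pass the container's actual values, for example `sso_only_issues "$PENPOT_FLAGS" "$PENPOT_REGISTRATION_DOMAIN_WHITELIST" enable-login-with-gitlab`.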