When creating or editing a user account, the admins should have the ability to say "This account can only authenticate using this particular GLOBUS identity provider".
To make this work, when the flag is set, the user will be forced to link their account until they can proceed, a bit like for the 'password reset flag'. And when the link is established, the login with password option will be disabled by resetting the user's password to a totally random string.
Check how that interacts with the "password reset form" too. Maybe disable it with an error message?
When creating or editing a user account, the admins should have the ability to say "This account can only authenticate using this particular GLOBUS identity provider".
To make this work, when the flag is set, the user will be forced to link their account until they can proceed, a bit like for the 'password reset flag'. And when the link is established, the login with password option will be disabled by resetting the user's password to a totally random string.
Check how that interacts with the "password reset form" too. Maybe disable it with an error message?