zulip / zulip

Zulip server and web application. Open-source team chat that helps teams stay productive and focused.
https://zulip.com
Apache License 2.0

"New Login" email offers password reset for SAML users #30248

Open northrup opened 4 months ago

northrup commented 4 months ago

I would expect that when a user account is associated with an external authentication mechanism like SAML, the "new login" security email would not offer them a link to reset their password in Zulip.

Zulip Server and web app version:

timabbott commented 3 months ago

Thanks for the report @northrup! This does indeed seem to be a quirk of the language, which is not conditional on what authentication methods are involved.

If you do not recognize this login, or think your account may have been compromised, please reset your password at {{ reset_link }} or contact us immediately at {{ support_email }}.

The best overall fix is to complete #17939 and the related cluster of work, such that we'd be able to just have a better recommendation for everyone on steps to take if they believe their account was compromised.

But I think we could close out this issue by changing the language to link to a /help/ guide on how to deal with a potentially compromised account, which can evolve over time as things like #17939 are completed.
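As an added illustration (not Zulip's own code) of making the recovery advice conditional on the realm's authentication methods rather than fixed wording: the `RealmAuth`/`Account` models, the `EXTERNAL_AUTH_METHODS` set and the `help_link` parameter are assumptions for this example, not Zulip identifiers.

```python
from dataclasses import dataclass

# Assumed names; Zulip's real backend identifiers differ. "Email" stands for
# username/password login, everything in this set for an external IdP.
EXTERNAL_AUTH_METHODS = {"SAML", "Google", "GitHub"}


@dataclass(frozen=True)
class RealmAuth:
    enabled_methods: frozenset  # e.g. frozenset({"SAML"}) for a SAML-only realm


@dataclass(frozen=True)
class Account:
    email: str
    has_usable_password: bool  # False for accounts provisioned only via an IdP


def password_reset_applies(realm: RealmAuth, account: Account) -> bool:
    """A reset link only helps if password login is enabled for the realm
    AND this particular account can actually authenticate with a password."""
    return "Email" in realm.enabled_methods and account.has_usable_password


def recovery_advice(realm: RealmAuth, account: Account,
                    reset_link: str, support_email: str, help_link: str) -> str:
    """Return the 'if you do not recognize this login' sentence, pointing the
    user at an action they can really take for this account."""
    if password_reset_applies(realm, account):
        return (f"please reset your password at {reset_link} "
                f"or contact us immediately at {support_email}.")
    external = sorted(realm.enabled_methods & EXTERNAL_AUTH_METHODS)
    idp = ", ".join(external) if external else "your identity provider"
    # No Zulip password exists to reset: send the user to the compromised-account
    # guide and to the IdP that actually controls the login.
    return (f"please follow the steps at {help_link} and secure your {idp} "
            f"account (this Zulip account has no password to reset), "
            f"or contact us immediately at {support_email}.")
```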

zulipbot commented 3 months ago

Hello @zulip/server-authentication members, this issue was labeled with the "area: authentication" label, so you may want to check it out!