# Bypass Email Verification using Salesforce -- Reproducible in gitlab.com

Severity: High
Program: GitLab
Reported by: ngalog
### Summary
The Salesforce login integration allows an attacker to bypass email verification: a user is able to sign up with any email domain they want, effectively bypassing all email domain whitelist/blacklist restrictions, as well as any other third party that relies on the GitLab instance's email addresses.
This is possible because Salesforce allows an admin to create a user with an arbitrary email address, and I believe this is what the GitLab engineers forgot to consider while implementing the Salesforce integration.
Please follow along to see how I was able to create an account `███████` on gitlab.com.
### Steps to reproduce
- Visit https://bugcrowd-ngalog-3.oktapreview.com/
- Enter the credentials `██████████`:`██████████`
- Click Salesforce to log in to Salesforce
- Open a new tab and visit https://gitlab.com/users/sign_in
- Click "login with Salesforce"
- Visit `https://gitlab.com/profile/emails` to see that you are logged in as `████`
### Impact
Bypasses email domain restrictions; an attacker is able to sign up with an arbitrary email domain.
### What is the current *bug* behavior?
Able to sign up with any email domain.
### What is the expected *correct* behavior?
Email verification should still be required.
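The fix the report asks for is that an email address asserted by an OAuth provider is only treated as confirmed when the provider actually verified it, and that the instance's domain policy runs on every signup path. The following Ruby is an added example of that decision logic, not GitLab's own code; the `TRUSTED_EMAIL_PROVIDERS` list, the auth-hash layout and the `salesforce` provider name are assumptions modelled on OmniAuth's auth hash.

```ruby
require 'set'

# Providers whose email claim is backed by the provider's own verification.
# Constructed example list; a real instance would configure this explicitly.
TRUSTED_EMAIL_PROVIDERS = Set.new(%w[google_oauth2]).freeze

# True only when the email in the OmniAuth auth hash may be marked confirmed.
# Any provider not on the trusted list (Salesforce here) falls through to
# ordinary email confirmation, which is what the report says was missing.
def email_verified_by_provider?(auth_hash, trusted = TRUSTED_EMAIL_PROVIDERS)
  provider = auth_hash.fetch('provider')
  info = auth_hash.fetch('info', {})
  return false unless trusted.include?(provider)
  # Honour an explicit verified flag when the provider sends one (OIDC style).
  info.fetch('email_verified', true) == true
end

# Domain policy applied to every signup path, OAuth included, so that an
# attacker-chosen address cannot skip the whitelist/blacklist check.
def domain_allowed?(email, allowlist: [], blocklist: [])
  domain = email.to_s.split('@', 2)[1].to_s.downcase
  return false if domain.empty?
  return false if blocklist.any? { |d| domain == d.downcase }
  allowlist.empty? || allowlist.any? { |d| domain == d.downcase }
end

# Outcome for an OAuth signup: :reject, :confirmed or :needs_confirmation.
def signup_decision(auth_hash, allowlist: [], blocklist: [],
                    trusted: TRUSTED_EMAIL_PROVIDERS)
  email = auth_hash.dig('info', 'email')
  return :reject if email.nil?
  return :reject unless domain_allowed?(email, allowlist: allowlist,
                                               blocklist: blocklist)
  email_verified_by_provider?(auth_hash, trusted) ? :confirmed : :needs_confirmation
end

# Constructed auth hash shaped like an OmniAuth callback for Salesforce; the
# provider name and field layout are assumptions, the values are made up.
SALESFORCE_AUTH = {
  'provider' => 'salesforce',
  'uid' => 'example-uid',
  'info' => { 'email' => 'admin@example-corp.test', 'name' => 'Example Admin' }
}.freeze

puts signup_decision(SALESFORCE_AUTH) # => needs_confirmation
```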
### Relevant logs and/or screenshots
{F511255}
## Impact
Described above.
State: Closed (Resolved)
Weakness: Violation of Secure Design Principles