A little discussion in D11707. I'll do the cleanup I mentioned in a sec.

In the Phacility cluster, we'll currently show this warning on instances, because approvals will be off by default and there will be no email domain restriction. This might be confusing to users. One way to fix this would be to add a new flag to provider configs (similar to the auto-login flag) along the lines of:

• Private Provider: This authentication provider is private and has access controls. This option silences warnings about authentication being too open, provided all configured providers are private.

I'm not sure if that's clear enough in the general case. It should only be possible to set this flag for LDAP and Phabricator OAuth today (in the future, when GitHub supports GitHub Enterprise, it could also support the flag).

I'm not sure if this is worth the effort, though. We could wait until a user gets confused.