All SSO users log in as myself

I am setting up LDAP and Azure OmniAuth on an on prem gitlab server. LDAP on its own worked correctly, after which I tried to add OpenId-connect SSO. Azure successfully authenticates all users in the logs, but when other users are redirected, they are logged in as me in gitlab. This is in the process of upgrading the gitlab server from 12.7. I would like to ask if anyone knows if this problem is version specific and finishing the migration will fix it or if it is a problem with the configuration.

Possibly relevant to this problem, when trying to use SSO the first time, users (including myself) get a red “Could not authenticate you from OpenIDConnect because “Invalid state parameter”” error, however attempting it a second time, they log in as me.

I have included a snippet of the config below.


gitlab_rails[‘ldap_enabled’] = true
gitlab_rails[‘prevent_ldap_sign_in’] = false

###! remember to close this block with ‘EOS’ below
gitlab_rails[‘ldap_servers’] = YAML.load <<-‘EOS’
main: # ‘main’ is the GitLab ‘provider ID’ of this LDAP server
label: ‘Sign In’
host: ‘<>’
port: <>
uid: ‘UserPrincipalName’
bind_dn: ‘<>l’
password: ‘<>’
encryption: ‘plain’ # “start_tls” or “simple_tls” or “plain”
verify_certificates: false
smartcard_auth: false
active_directory: true
allow_username_or_email_login: false
lowercase_usernames: true
block_auto_created_users: false
base: ‘<>’
user_filter: ‘<>’
## EE only
group_base: ‘’
admin_group: ‘’
sync_ssh_keys: false
username: ‘mailNickname’
email: ‘mail’
name: ‘name’
gitlab_rails[‘omniauth_enabled’] = true
gitlab_rails[‘omniauth_auto_link_ldap_user’] = true
gitlab_rails[‘omniauth_auto_link_user’] = [‘openid_connect’]
gitlab_rails[‘omniauth_block_auto_created_users’] = false
gitlab_rails[‘omniauth_auto_sign_in_with_provider’] = ‘openid_connect’
gitlab_rails[‘omniauth_allow_single_sign_on’] = [‘openid_connect’]
gitlab_rails[‘omniauth_providers’] = [
‘name’ => ‘openid_connect’,
‘label’ => ‘SSO’,
‘args’ => {
‘name’ => ‘openid_connect’,
‘scope’ => [‘openid’],
‘response_type’ => ‘code’,
‘issuer’ => ‘<>/v2.0’,
‘client_auth_method’ => ‘query’,
‘discovery’ => true,
‘uid_field’ => ‘userPrincipalName’,
‘client_options’ => {
‘identifier’ => ‘<>’,
‘secret’ => ‘<>’,
‘redirect_uri’ => ‘https://<>/users/auth/openid_connect/callback’

In Azure, the Redirect URI / Reply URL is the same as in the config