I have set up a local installation of GitLab to use CAS authentication. The problem is that after I am authenticated by CAS and control should pass back to GitLab, I get a 500 error.
My GitLab version is:
GitLab: 13.5.2 (187cae1b32b)
GitLab Shell: 13.13.0
GitLab Workhorse: 8.51.0
GitLab API: v4
Ruby: 2.7.2p137
Rails: 6.0.3.3
PostgreSQL: 12.5
The relevant part of my gitlab.yml is:
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    # enabled: true
    # Uncomment this to automatically sign in with a specific omniauth provider's without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    # auto_sign_in_with_provider: saml
    # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).
    # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"],
    # or as true/false to allow all providers or none.
    # When authenticating using LDAP, the user's email is always synced.
    # sync_profile_from_provider: []
    # Select which info to sync from the providers above. (default: email).
    # Define the synced profile info using an array. Available options are "name", "email" and "location"
    # e.g. ["name", "email", "location"] or as true to sync all available.
    # This consequently will make the selected attributes read-only.
    # sync_profile_attributes: true
    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed providers
    # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: ["cas3"]
    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: true
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: false
    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: false
    # Allow users with existing accounts to sign in and auto link their account via OmniAuth
    # login, without having to do a manual login first and manually add OmniAuth. Links on email.
    # Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to
    # allow all providers or none.
    # (default: false)
    auto_link_user: ["cas3"]
    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: []
    # CAUTION!
    # This allows users to login with the specified providers without two factor. Define the allowed providers
    # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none.
    # This option should only be configured for providers which already have two factor.
    # This configuration does not apply to SAML.
    # (default: false)
    allow_bypass_two_factor: ["twitter", 'google_oauth2']
    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    providers:
      # See omniauth-cas3 for more configuration details
      - { name: 'cas3',
          label: 'cas3',
          args: {
            url: 'https://MY_SSO_SERVER',
            disable_ssl_verification: false,
            #login_url: '/cas/login',
            login_url: '/',
            #service_validate_url: '/cas/p3/serviceValidate',
            service_validate_url: '/p3/serviceValidate',
            #logout_url: '/cas/logout'} }
            logout_url: '/'} }
And in my production.log I get:
Started POST "/users/auth/cas3" for MY_IP_ADDR at 2020-12-07 19:42:41 +0200
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 1ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 105)
Started GET "/users/auth/cas3/callback?url=https%3A%2F%2Fgitlab.dit.uop.gr%2Fusers%2Fsign_in&ticket=ST-471070-Awum10Mkw4b3YKmfhCy3-MY_SSO_SERVER" for MY_IP_ADDR at 2020-12-07 19:43:01 +0200
NoMethodError (undefined method `merge' for nil:NilClass):
lib/gitlab/request_profiler/middleware.rb:17:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/multipart.rb:234:in `call'
lib/gitlab/middleware/handle_null_bytes.rb:19:in `call'
lib/gitlab/middleware/read_only/controller.rb:51:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:23:in `call'
config/initializers/fix_local_cache_middleware.rb:9:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:49:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'
(I replaced some data with MY_IP_ADDR and MY_SSO_SERVER.)
Can you help me debug this?
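The request that fails above is the callback step, where the cas3 strategy takes the ticket from the query string and validates it against the CAS server's service_validate_url before it has any user information to work with. The Ruby script below is an added example, not part of the question and not code from GitLab or omniauth-cas3: it reproduces that validation by hand so the validate endpoint can be tested outside GitLab with the same service URL and ticket. The host names, paths and ticket values are placeholders, and the two XML responses are constructed samples of the CAS 3.0 protocol, not captured from any real server.

```ruby
# Added example (not from the question or from GitLab/omniauth-cas3): a manual
# CAS 3.0 service-ticket validation, i.e. the request the cas3 strategy makes
# behind /users/auth/cas3/callback. The base URL, paths and ticket values are
# placeholders; the XML samples are constructed, not captured from a real server.
require 'net/http'
require 'openssl'
require 'uri'
require 'rexml/document'

module Cas3Check
  CAS_NS = { 'cas' => 'http://www.yale.edu/tp/cas' }

  # Constructed sample of a successful CAS 3.0 response.
  SAMPLE_SUCCESS = <<~XML
    <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
      <cas:authenticationSuccess>
        <cas:user>jdoe</cas:user>
        <cas:attributes>
          <cas:email>jdoe@example.org</cas:email>
          <cas:name>Jane Doe</cas:name>
        </cas:attributes>
      </cas:authenticationSuccess>
    </cas:serviceResponse>
  XML

  # Constructed sample of a rejected ticket.
  SAMPLE_FAILURE = <<~XML
    <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
      <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
    </cas:serviceResponse>
  XML

  # Build the validate URL the way the gitlab.yml args are combined:
  # url + service_validate_url, plus the service (callback) URL and the ticket.
  def self.validate_uri(base_url, service_validate_path, service, ticket)
    uri = URI.join(base_url, service_validate_path)
    uri.query = URI.encode_www_form('service' => service, 'ticket' => ticket)
    uri
  end

  # Parse a serviceValidate body. Returns {success: true, user:, attributes:}
  # or {success: false, code:, message:}. Raises ArgumentError when the body is
  # not a CAS serviceResponse at all (e.g. a login page or an error page).
  def self.parse_response(xml)
    root = REXML::Document.new(xml).root
    raise ArgumentError, 'not a CAS serviceResponse' unless root && root.name == 'serviceResponse'

    ok = REXML::XPath.first(root, 'cas:authenticationSuccess', CAS_NS)
    if ok
      user = REXML::XPath.first(ok, 'cas:user', CAS_NS)
      attrs = {}
      REXML::XPath.each(ok, 'cas:attributes/*', CAS_NS) { |el| attrs[el.name] = el.text.to_s.strip }
      return { success: true, user: user.text.to_s.strip, attributes: attrs }
    end

    fail_el = REXML::XPath.first(root, 'cas:authenticationFailure', CAS_NS)
    if fail_el
      return { success: false, code: fail_el.attributes['code'], message: fail_el.text.to_s.strip }
    end
    raise ArgumentError, 'serviceResponse has neither authenticationSuccess nor authenticationFailure'
  end

  # Perform the validation against a live CAS server and parse the result.
  # verify_ssl: false mirrors disable_ssl_verification: true and is for lab use only.
  def self.validate(base_url, service_validate_path, service, ticket, verify_ssl: true)
    uri = validate_uri(base_url, service_validate_path, service, ticket)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = (uri.scheme == 'https')
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE unless verify_ssl
    res = http.get(uri.request_uri)
    raise "HTTP #{res.code} from #{uri}" unless res.is_a?(Net::HTTPSuccess)
    parse_response(res.body)
  end
end

if $PROGRAM_NAME == __FILE__
  # Offline walk-through using the constructed samples.
  p Cas3Check.validate_uri('https://cas.example.org', '/p3/serviceValidate',
                           'https://gitlab.example.org/users/auth/cas3/callback', 'ST-1')
  p Cas3Check.parse_response(Cas3Check::SAMPLE_SUCCESS)
  p Cas3Check.parse_response(Cas3Check::SAMPLE_FAILURE)
end
```

To use it against a real server, take a fresh ticket from the callback URL in the log (a service ticket is single-use, so it must be one GitLab has not already consumed) and call Cas3Check.validate with the same url and service_validate_url values as gitlab.yml and the callback URL as the service; whether the body comes back as a parsable CAS serviceResponse, an authenticationFailure, or something else entirely tells you whether the problem is on the CAS side or inside GitLab's handling of the response.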