I have installed GitLab 10.2.5 on Ubuntu 16.04 and am trying to integrate it with SAML (ADFS).
I configured /etc/gitlab/gitlab.rb as below:
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://wosggitlab.example.com/users/auth/saml/callback',
      idp_cert_fingerprint: 'b3:0d:ab:3c:ce:cd:87:3b:f6:f0:dd:d5:4d:a7:88:3e:e4:e6:c6:2a',
      idp_sso_target_url: 'https://adfs.example.com/adfs/ls',
      debug: 'true',
      allowed_clock_drift: 300,
      issuer: 'urn:devwosggitlab:adfs-test',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailaddress',
      attribute_statements: { email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'] }
    },
    label: 'gitlab adfs' # optional label for SAML login button, defaults to "Saml"
  }
]
If I try the ADFS login, it goes to the ADFS login page, and after successful authentication in ADFS it redirects back to the GitLab login page again.
The production.log is as below:
Started GET "/-/metrics" for 127.0.0.1 at 2018-01-17 10:11:24 +0530
Processing by MetricsController#index as HTML
Completed 200 OK in 5ms (Views: 4.2ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/saml" for 10.201.51.136 at 2018-01-17 10:11:27 +0530
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 0ms (ActiveRecord: 0.0ms)
Started POST "/users/auth/saml/callback" for 10.201.51.136 at 2018-01-17 10:11:28 +0530
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"SAMLResponse"=>"PHNhbWxwOlJlc3B…"}
Can't verify CSRF token authenticity
Redirected to https://wosggitlab.example.com/users/sign_in
Completed 302 Found in 10ms (ActiveRecord: 0.0ms)
Then I made a change in /opt/gitlab/embedded/service/gitlab-rails/app/controllers/omniauth_callbacks_controller.rb as below:
To bypass this you can add skip_before_action :verify_authenticity_token to the omniauth_callbacks_controller.rb file immediately after the class line and comment out the protect_from_forgery line using a # then restart Unicorn.
Then the log is as below:
Started POST "/users/auth/saml" for 10.201.51.136 at 2018-01-17 11:35:04 +0530
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 0ms (ActiveRecord: 0.0ms)
Started POST "/users/auth/saml/callback" for 10.201.51.136 at 2018-01-17 11:35:05 +0530
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"SAMLResponse"=>"PHNhbWxwOlJlc3B…"}
Redirected to https://wosggitlab.example.com/users/sign_in
Completed 302 Found in 11ms (ActiveRecord: 0.0ms)
Started GET "/users/sign_in" for 10.201.51.136 at 2018-01-17 11:35:05 +0530
Processing by SessionsController#new as HTML
Completed 200 OK in 160ms (Views: 103.7ms | ActiveRecord: 4.0ms)
But the issue is still there: after a successful login on the ADFS page it redirects back to the GitLab login page again.
Is there anything I am missing in the settings?
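Added diagnostic (not part of the post and not GitLab's or omniauth-saml's code): the callback above lands in OmniauthCallbacksController#failure without logging why, so this Ruby script decodes the SAMLResponse that ADFS posts and compares its Destination, Audience, NameID format, claim name and signing-certificate fingerprint against the gitlab.rb values from the post. The expected values are copied from that config; the sample response and the self-signed certificate it embeds are constructed here, so the certificate mismatch it reports is expected.

```ruby
require "rexml/document"
require "openssl"

# Values from the gitlab.rb in the post; the SAMLResponse ADFS posts back must agree with them.
EXPECTED = { acs_url: "https://wosggitlab.example.com/users/auth/saml/callback",
             issuer: "urn:devwosggitlab:adfs-test",
             nameid_fmt: "urn:oasis:names:tc:SAML:2.0:nameid-format:emailaddress",
             email_claim: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             fingerprint: "b3:0d:ab:3c:ce:cd:87:3b:f6:f0:dd:d5:4d:a7:88:3e:e4:e6:c6:2a" }
NS = { "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
       "saml" => "urn:oasis:names:tc:SAML:2.0:assertion", "ds" => "http://www.w3.org/2000/09/xmldsig#" }
# Colon-separated SHA-1 of the DER certificate, the form idp_cert_fingerprint takes.
def cert_fingerprint(der)
  OpenSSL::Digest::SHA1.hexdigest(der).scan(/../).join(":")
end

# Decode the base64 SAMLResponse form field (truncated in the log above) and report every value that
# disagrees with the omniauth config; an empty list means the failure lies elsewhere (e.g. clock drift).
def check_saml_response(b64, expected = EXPECTED)
  doc = REXML::Document.new(b64.unpack1("m"))
  cert = REXML::XPath.first(doc, "//ds:X509Certificate", NS)&.text&.strip
  got = { acs_url: doc.root.attributes["Destination"], # must equal assertion_consumer_service_url
          issuer: REXML::XPath.first(doc, "//saml:Audience", NS)&.text, # ADFS audience == our issuer
          nameid_fmt: REXML::XPath.first(doc, "//saml:NameID", NS)&.attributes&.[]("Format"),
          email_claim: REXML::XPath.match(doc, "//saml:Attribute", NS).map { |a| a.attributes["Name"] }
                                   .find { |n| n.casecmp?(expected[:email_claim]) },
          fingerprint: cert && cert_fingerprint(OpenSSL::X509::Certificate.new(cert.unpack1("m")).to_der) }
  expected.reject { |k, v| got[k].to_s.casecmp?(v) }.map { |k, v| "#{k}: expected #{v.inspect}, got #{got[k].inspect}" }
end
# Constructed sample: a throwaway self-signed cert stands in for the ADFS token-signing certificate.
def sample_cert_der
  key = OpenSSL::PKey::RSA.new(2048)
  c = OpenSSL::X509::Certificate.new
  c.version, c.serial, c.public_key = 2, 1, key.public_key
  c.subject = c.issuer = OpenSSL::X509::Name.parse("/CN=adfs.example.com")
  c.not_before, c.not_after = Time.now - 60, Time.now + 3600
  c.sign(key, OpenSSL::Digest::SHA256.new).to_der
end
# Constructed sample: a minimal Response of the shape ADFS posts to the callback (SignatureValue omitted).
def sample_response(der, audience:, nameid_fmt:)
  xml = <<~XML
    <samlp:Response xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}" xmlns:ds="#{NS['ds']}"
                    Destination="#{EXPECTED[:acs_url]}"><saml:Assertion>
      <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>#{[der].pack('m0')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
      <saml:Subject><saml:NameID Format="#{nameid_fmt}">user@example.com</saml:NameID></saml:Subject>
      <saml:Conditions><saml:AudienceRestriction><saml:Audience>#{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
      <saml:AttributeStatement><saml:Attribute Name="#{EXPECTED[:email_claim]}"/></saml:AttributeStatement>
    </saml:Assertion></samlp:Response>
  XML
  [xml].pack("m0") # same encoding as the SAMLResponse form field
end
```

To use it on a real failure, copy the complete SAMLResponse form value from the browser's network trace of the POST to /users/auth/saml/callback (production.log truncates it) and pass it to check_saml_response.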