Hello,
I have been working for several days on GitLab integration with ADFS.
I have read this documentation, and here are my GitLab settings:
```ruby
external_url 'https://git-pr01.domain.be'
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://git-pr01.domain.be/users/auth/saml/callback',
      idp_cert_fingerprint: '76:63:cd:51:2c:87:fd:d6:84:8d:cb:90:d5:ec:cd:6d:bf:3c:eb:2a',
      idp_sso_target_url: 'https://fs.domain.be/adfs/ls',
      issuer: 'https://git-pr01.domain.be',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
    },
    label: 'SSO login' # optional label for SAML login button, defaults to "Saml"
  }
]
```
I used this metadata XML file to set up the Relying Party Trust : https://git-pr01.domain.be/users/auth/saml/metadata
But I don't know which claim rules to add in ADFS.
Has anyone already linked GitLab with ADFS for SSO authentication?
Here is the error:
```
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: https://gitlab.domain.test
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SPNameQualifier:
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
This request failed.
User Action
Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
```
Could you help me, please?
Thanks a lot in advance
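What MSIS7070 is saying, and one set of ADFS claim rules that satisfies it, as an added example that is not part of the original post or of GitLab's documentation. In the error, the `Requested NameIDPolicy` line shows GitLab asking for a Name ID in format `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, while `Actual NameID properties: Format:` is empty: no issuance transform rule on the Relying Party Trust emits a `nameidentifier` claim at all, so ADFS refuses to issue the token. The rules below pull the user's attributes from Active Directory and then transform the e-mail address into a Name ID carrying the requested format property. The relying-party display name `GitLab` and the assumption that every account has a unique, admin-managed `mail` attribute are mine, not the poster's.

```powershell
# Added example, not code from the original post.
# Assumptions: the Relying Party Trust is displayed as "GitLab" in AD FS Management,
# and every user who may sign in has a unique, admin-controlled "mail" attribute.
$rpName = 'GitLab'

# Claim rule language for the issuance transform rules.
# Rule 1: read mail, displayName, givenName and sn from AD and emit them under the
# standard claim URIs that GitLab's SAML provider recognises as email/name/first_name/last_name.
# Rule 2: copy the e-mail claim into the SAML Subject NameID with the emailAddress format,
# which is exactly what the NameIDPolicy in the failing request demands.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "GitLab: AD attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,displayName,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "GitLab: e-mail as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: who is allowed to receive a token at all.
# "Permit everyone" is the simplest rule; restrict it to an AD group before going to production.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Check what the trust will now issue.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Two things to check on the GitLab side after applying this. First, `name_identifier_format` in `gitlab.rb` must name the same format the rule issues: with `emailAddress` in the rule it has to be `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, and with the `transient` value shown in the posted config ADFS would need a rule issuing a transient Name ID instead. Second, the Name ID is what GitLab stores as the user's `extern_uid` and what `omniauth_auto_link_saml_user` matches against existing accounts, so it must be stable and unique per person; a transient Name ID changes on every login and cannot link accounts, and an e-mail Name ID is only safe to auto-link if ordinary users cannot edit their own `mail` attribute in AD.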