Gitlab integration with SAML ADFS

Hello,

I have been working for several days on GitLab integration with ADFS.
I have read this documentation and here are my GitLab settings:

```ruby
external_url 'https://git-pr01.domain.be'
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://git-pr01.domain.be/users/auth/saml/callback',
      idp_cert_fingerprint: '76:63:cd:51:2c:87:fd:d6:84:8d:cb:90:d5:ec:cd:6d:bf:3c:eb:2a',
      idp_sso_target_url: 'https://fs.domain.be/adfs/ls',
      issuer: 'https://git-pr01.domain.be',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
    },
    label: 'SSO login' # optional label for SAML login button, defaults to "Saml"
  }
]
```

I used this metadata XML file to set up the Relying Party Trust : https://git-pr01.domain.be/users/auth/saml/metadata
But I don't know which claim rules to add in ADFS.
Has anyone already linked GitLab with ADFS for SSO authentication?

Here is the error:

```
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: https://gitlab.domain.test
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SPNameQualifier:
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .

This request failed.

User Action
Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
```

Could you help me please?

Thanks a lot in advance

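The MSIS7070 log above shows ADFS rejecting a request whose NameIDPolicy (emailAddress) it had no claim rule to satisfy, while the posted gitlab.rb asks for the transient format. The block below is an added example, not code from the original post or from GitLab: it parses a constructed AuthnRequest and reports whether an IdP that emits a given set of NameID formats could satisfy its NameIDPolicy; hostnames and the request ID are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample AuthnRequest, shaped like the redirect GitLab sends to
# idp_sso_target_url; ID, timestamp and hostnames are placeholders.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2016-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://gitlab.example.com/users/auth/saml/callback">
  <saml:Issuer>https://gitlab.example.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""


def parse_authn_request(xml_text):
    """Return (issuer, requested NameID format or None, AllowCreate flag)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        # No NameIDPolicy: the IdP is free to pick any format it supports.
        return issuer, None, False
    return issuer, policy.get("Format"), policy.get("AllowCreate") == "true"


def check_nameid_policy(xml_text, idp_formats):
    """Return None when the IdP can satisfy the request, else a diagnostic.

    idp_formats is the set of NameID formats the IdP's claim rules actually
    emit for this relying party (ADFS emits none until a rule is added).
    """
    issuer, fmt, _allow_create = parse_authn_request(xml_text)
    if fmt is None or fmt in idp_formats:
        return None
    return (f"NameIDPolicy not satisfied for {issuer}: requested {fmt}, "
            f"IdP issues {sorted(idp_formats) or 'no NameID at all'}")


if __name__ == "__main__":
    # ADFS with no Name ID claim rule (the MSIS7070 case), then with one.
    print(check_nameid_policy(SAMPLE_REQUEST, set()))
    print(check_nameid_policy(SAMPLE_REQUEST, {EMAIL, TRANSIENT}))
```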

First you need to create the RP on ADFS.

To ease configuration, most IdPs accept a metadata URL for the application to provide configuration information to the IdP. To build the metadata URL for GitLab, append users/auth/saml/metadata to the HTTPS URL of your GitLab installation, for instance:
https://gitlab.example.com/users/auth/saml/metadata

…then help me to complete claim rules
https://blogs.msdn.microsoft.com/card/2010/02/17/name-identifiers-in-saml-assertions/
You need to add “Persistent name identifier”