Gitlab - Omniauth CAS3 - error 422 (OAuth) Error saving user ["Email is invalid"]

Hi all,

I’ve been trying to set up GitLab CE with omniauth against our CAS3 server (Apereo).

The gitlab.rb:

```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['cas3']
gitlab_rails['omniauth_block_auto_created_users'] = false

gitlab_rails['omniauth_providers'] = [
  {
      "name"=> "cas3",
      "label"=> "cas sign",
      "args"=> {
          # CAS server base URL (empty in the post)
          "url"=> '',
          "login_url"=> '/cas/login',
          "service_validate_url"=> '/cas/p3/serviceValidate',
          "logout_url"=> '/cas/logout',
          # any further args are not shown in the post
      }
  }
]
```

When I go to the sign_in page the “cas sign” shows, redirection to works fine, I can log on CAS,
then the callback brings me back to GitLab and shows a 422 error.

my logs
```
==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/users/auth/cas3/callback?url=https%3A%2F%2Fgit…" for at 2021-01-12 11:55:40 +0100
Processing by OmniauthCallbacksController#cas3 as HTML
Parameters: {"url"=>"", "ticket"=>"ST-177570-goIuVSIrLd68gMBkKAZGkKFVz0I-l144164"}

==> /var/log/gitlab/gitlab-rails/application.log <==
2021-01-12T10:55:40.575Z: (OAuth) Error saving user ( ["Email is invalid"]
```

After some searching … well, I don’t really understand what could go wrong here …

A little bit of help will be greatly appreciated :slight_smile:



I have the same problem. I think the problem is that the CAS username is actually the user's email, so the auto-generated temporary email is not valid because it contains multiple @ characters.

I’m still searching for how to avoid this on the GitLab side.
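
A way to test the hypothesis in the reply above, as an added example that is not part of either post and is not GitLab's own code. It assumes the placeholder address is built by putting the CAS username in the local part of a fixed-domain address; that format, the `normalize` mapping and all function names are assumptions made for illustration.

```ruby
require 'uri'

# Assumption: when no email attribute is released, a placeholder address is
# built with the username as local part (this format is assumed, not quoted).
def placeholder_email(username)
  "temp-email-for-oauth-#{username}@gitlab.localhost"
end

def valid_email?(addr)
  addr.count('@') == 1 && URI::MailTo::EMAIL_REGEXP.match?(addr)
end

# info is a constructed hash: :username, optional :email (as mapped from CAS).
def resolve_email(info)
  email = info[:email].to_s.strip
  email.empty? ? placeholder_email(info[:username]) : email
end

# Returns [status, email, hint] so the failing input can be told apart.
def diagnose(info)
  email = resolve_email(info)
  return [:ok, email, nil] if valid_email?(email)
  hint = if info[:email].to_s.strip.empty? && info[:username].to_s.include?('@')
           'username is email-shaped and no email attribute was released'
         else
           'released email attribute is malformed'
         end
  [:invalid, email, hint]
end

# Hypothetical mapping-side mitigation: when the username is itself a valid
# address and no email was released, use it as the email and keep only its
# local part as the username. Where this can be applied depends on the setup.
def normalize(info)
  user = info[:username].to_s
  return info unless info[:email].to_s.strip.empty? && valid_email?(user)
  info.merge(username: user.split('@').first, email: user)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample identities, not taken from the thread.
  [{ username: 'jdoe' }, { username: 'jdoe@example.org' }].each do |info|
    p(diagnose(info), diagnose(normalize(info)))
  end
end
```
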