Google Workspace SSO

Unable to login with Google SSO

I recently configured Google Workspace SSO for my self-managed GitLab, but when I tried to log in, it shows me "Email can’t be blank", as per this screenshot.

Configuration

gitlab_rails['omniauth_providers'] = [
  {
    name: "saml",
    label: "Google Workspace Login",
    args: {
      assertion_consumer_service_url: "XXX",
      idp_cert_fingerprint: "XXX",
      idp_sso_target_url: "https://accounts.google.com/o/saml2/idp?idpid=XXX",
      issuer: "XXX",
      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      # Map GitLab's email field to the SAML attribute named "emailAddress"
      attribute_statements: {
        email: ['emailAddress']
      }
    }
  }
]

This is my configuration. I have also verified that the SAML response contains this value.

<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">XXX</saml2:NameID>

Versions

  • GitLab 16.8

The NameID mapping looks correct, following the documentation and troubleshooting guides.

I would suspect that the provided emailAddress attribute is empty on the Google Workspace side. I’ve found a use case where the SSO user was logged in as admin, thus not having an email address attribute: "SAML response email blank when in fact the SAML response does contain the email and mapped with attribute_statements" (#333847, GitLab.org / GitLab issues). Maybe this is the case here as well. I’d recommend:

  1. Review the SAML debugging tools if they bring up more insights.
  2. Clearing all sessions (close browser windows, test in a different browser)
  3. Creating a temporary new test user in the Google workspace and test whether the login still fails.
  4. Checking the Google Workspace for SAML log events (see "SAML log events" in Google Workspace Admin Help)
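
To test the suspicion above against a captured login, the following added example (not part of the original posts and not GitLab's own code) decodes a base64 `SAMLResponse` form value and reports the NameID alongside the attributes actually sent, checking for a non-empty attribute named `emailAddress` as mapped in the posted `attribute_statements`. The function name `inspect_response` and the sample response are constructed for illustration; it assumes the HTTP-POST binding and does not verify signatures.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: NameID carries an address, but no attribute is named "emailAddress".
SAMPLE_XML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="first_name">
        <saml2:AttributeValue>Test</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_response(saml_response_b64, mapped_names=("emailAddress",)):
    """Return NameID, sent attributes, and whether a mapped email attribute has a value."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]  # drop empty values
    email_values = [v for name in mapped_names for v in attrs.get(name, [])]
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
        "email_attribute_present": bool(email_values),
    }


if __name__ == "__main__":
    report = inspect_response(SAMPLE_B64)
    print("NameID:", report["name_id"], "(" + str(report["name_id_format"]) + ")")
    print("Attributes sent:", report["attributes"])
    if not report["email_attribute_present"]:
        print("No non-empty 'emailAddress' attribute: the attribute_statements "
              "mapping has nothing to read, even though NameID is set.")
```

If the report shows the address only in NameID, compare the attribute names Google Workspace actually sends with the name listed under `attribute_statements`.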