I have enabled saml omniauth and can successfully use saml for authentication.
I wanted to enable omniauth_auto_sign_in_with_provider = ‘saml’, and it works for those with existing accounts; however, a user without an existing account gets a 422 error and it goes around in circles - no page to register.
I understand that if I turn off omniauth_auto_sign_in_with_provider then the option becomes available and the user can register and confirm with email and then use the saml button, but this is not preferred as it would mean a user could use a non-organizational email (although this can be deterred by limiting the acceptable domains).
So I have something that is OK, but I’m still wanting to enable omniauth_auto_sign_in_with_provider as it “should” work.
This is what is registered in /var/log/gitlab/gitlab-rails/application.log:
2022-12-01T04:08:49.571Z: (saml) Request phase initiated.
2022-12-01T04:08:50.563Z: (saml) Callback phase initiated.
2022-12-01T04:08:50.706Z: (SAML) Error saving user user@org (): ["Email can't be blank", "Email is not allowed for sign-up. Please use your regular email address. Check with your administrator."]
This is the relevant config (auto_sign_on is commented out at the moment):
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
### gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_auto_link_user'] = 'saml'
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
gitlab_rails['omniauth_providers'] = [
  {
    name: "saml",
    label: "Organizaion-SSO-SAML", # optional label for login button, defaults to "Saml"
    args: {
      assertion_consumer_service_url: 'https://gitlab-ce.org/users/auth/saml/callback',
      idp_cert_fingerprint: 'XX:XX:73:D0:41:57:XX:XX:XX:XX:33:6B:F2:6E:4A:7A:54:54:2E:XX',
      idp_sso_target_url: 'https://authenticate.az.org/adfs/ls/',
      issuer: 'https://gitlab-ce.org',
      attribute_statements: {
        email: ['emailaddress'],
        name: ['name'],
        first_name: ['givenname'],
        last_name: ['surname'],
        nickname: ['name'],
      },
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
    }
  }
]
I have checked using the browser saml debug plugin and the attribute mapping correlates.
- What version are you on (Hint: /help)? And are you using self-managed or gitlab.com?
Version is GitLab 15.6 with Mattermost - Omnibus on SLES 15.
It's driving me a bit bats, as everything looks like it should work.
Craig
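The log pairs "Email can't be blank" with "Email is not allowed for sign-up", which is what happens when the mapped email attribute resolves to nothing: a blank email has no domain, so it fails the allowed-domain check as well. The script below is an added illustration, not code from the thread and not GitLab's or omniauth-saml's own implementation. It mimics the attribute_statements lookup (first listed claim name with a non-empty value wins) over a constructed ADFS-style AttributeStatement whose claims are named by full claim URI, then applies a simplified version of the two checks. The sample assertion, the claim URIs it uses, the allowed-domain list and the helper names are assumptions; whether the real IdP emits short names like `emailaddress` or full URIs is exactly what the browser SAML plugin output should be compared against, and the thread does not show which.

```ruby
require "rexml/document"

SAML_NS = { "saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze

# Constructed AttributeStatement in ADFS style (claims named by full URI).
# Not taken from the thread; it stands in for what a SAML-tracer plugin shows.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@org.example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>Craig Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
XML

# The mapping from the thread's gitlab.rb: short claim names only.
SHORT_NAME_STATEMENTS = { email: ["emailaddress"], name: ["name"] }.freeze

# Same mapping with the ADFS claim URIs listed first; short names kept as fallback.
URI_NAME_STATEMENTS = {
  email: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "emailaddress"],
  name:  ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "name"],
}.freeze

# Assumed allow-list, standing in for GitLab's sign-up domain restriction.
ALLOWED_DOMAINS = ["org.example"].freeze

# Collect <saml:Attribute> elements as { claim name => [values] }.
def saml_attributes(xml)
  attrs = Hash.new { |h, k| h[k] = [] }
  REXML::XPath.each(REXML::Document.new(xml), "//saml:Attribute", SAML_NS) do |attr|
    REXML::XPath.each(attr, "saml:AttributeValue", SAML_NS) do |value|
      attrs[attr.attributes["Name"]] << value.text.to_s.strip
    end
  end
  attrs
end

# Mimics the attribute_statements lookup: for each info key, the first listed
# claim name that carries a non-empty value wins; otherwise the key is nil.
def info_from(attrs, statements)
  statements.to_h do |key, names|
    found = names.map { |n| attrs.fetch(n, []).first }.find { |v| v && !v.empty? }
    [key, found]
  end
end

# Simplified stand-in for the two checks the log reports. A blank email has no
# domain, so it fails the domain check too, which is why the log shows the pair.
def signup_errors(info, allowed_domains)
  email = info[:email].to_s
  errors = []
  errors << "Email can't be blank" if email.empty?
  domain = email.split("@", 2)[1]
  errors << "Email is not allowed for sign-up" unless domain && allowed_domains.include?(domain.downcase)
  errors
end

# Run both mappings over the same assertion and report what each yields.
def compare_mappings(xml = SAMPLE_ASSERTION)
  attrs = saml_attributes(xml)
  { short: SHORT_NAME_STATEMENTS, uri: URI_NAME_STATEMENTS }.to_h do |label, statements|
    info = info_from(attrs, statements)
    [label, { email: info[:email], errors: signup_errors(info, ALLOWED_DOMAINS) }]
  end
end

if $PROGRAM_NAME == __FILE__
  compare_mappings.each do |label, r|
    puts "#{label}: email=#{r[:email].inspect} errors=#{r[:errors].inspect}"
  end
end
```

Run it with `ruby saml_mapping_check.rb` (any filename works). To test a real assertion, paste the decoded `<saml:Assertion>` from the browser plugin into `SAMPLE_ASSERTION` and put the thread's full `attribute_statements` hash in place of `SHORT_NAME_STATEMENTS`; a nil email from `info_from` means the configured claim names do not match what the IdP sends, independent of GitLab.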