Omniauth saml fails to create users - email blank

I have enabled saml omniauth and can successfully use saml for authentication.

I have wanted to enable omniauth_auto_sign_in_with_provider = ‘saml’ and it works for those with existing accounts, however a user without an existing account gets a 422 error and it goes around in circles - no page to register.

I understand that if I turn off omniauth_auto_sign_in_with_provider then the option becomes available and the user can register and confirm with email and then use the saml button, but this is not preferred as it would mean a user could use a non-organizational email (although this can be deterred by limiting the acceptable domains).

So I have something that is OK, but I’m still wanting to enable omniauth_auto_sign_in_with_provider as it “should” work.

This is what is registered in /var/log/gitlab/gitlab-rails/application.log"

2022-12-01T04:08:49.571Z: (saml) Request phase initiated.
2022-12-01T04:08:50.563Z: (saml) Callback phase initiated.
2022-12-01T04:08:50.706Z: (SAML) Error saving user user@org (): ["Email can't be blank", "Email is not allowed for sign-up. Please use your regular email address. Check with y
our administrator."]

This is the relevant config (auto_sign_on is commented out at the moment):

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
### gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_auto_link_user'] = 'saml'
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
gitlab_rails['omniauth_providers'] = [
    name: "saml",
    label: "Organizaion-SSO-SAML", # optional label for login button, defaults to "Saml"
    args: {
      assertion_consumer_service_url: '',
      idp_cert_fingerprint: 'XX:XX:73:D0:41:57:XX:XX:XX:XX:33:6B:F2:6E:4A:7A:54:54:2E:XX', 
      idp_sso_target_url: '', 
      issuer: '',
      attribute_statements: { email: ['emailaddress'],
                              name: ['name'],
                              first_name: ['givenname'],
                              last_name: ['surname'],
                              nickname: ['name'], 
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'

I have checked using the browser saml debug plugin and the attribute mapping correlates.

  • What version are you on (Hint: /help) ? and are you using self-managed or

Version is Gitlab 15.6 with mattermost - omnibus on sles 15

Its driving me a bit bats as everything looks like it should work.


I Need to add that the user does need to activate/link saml in their profile once they have created a login account for saml to work. This is a bit clunky (another reason to want to get it to work