Problem in sync'ing email attributes with omniauth configuration enabled

Hi,

I have configured my gitlab instance with omniauth with azure_oauth2 provider. I want existing users to be bound to azure_oauth2 users if they have the same email, but the email attribute does not seem to be reflected in the gitlab users. For example:

user with sid johndoe@foo.com and email jdoe@bar.com

is created in gitlab as johndoe whose email is johndoe@foo.com.

After many attempts and tests I am using this configuration:

gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_email_from_provider'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_profile_from_provider'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email', 'location']
#gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_auto_link_user'] = ['azure_oauth2']
#gitlab_rails['omniauth_external_providers'] = ['azure_oauth2']
#gitlab_rails['omniauth_allow_bypass_two_factor'] = ['azure_oauth2']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "azure_oauth2",
    "args" => {
      "client_id" => "*******",     # value redacted by the poster
      "client_secret" => "*******", # value redacted by the poster
      "tenant_id" => "******"       # value redacted by the poster
    }
  }
]

Since I indicated both email and location as the attributes to synchronize but I am not seeing either of them in the user profile, I suppose it is the synchronization that is not carried out at all, or that fails. Unfortunately I am not seeing any clue in the logs.

Gitlab Version is 13.4.2-ee
Can anyone help me?

Thanks,
Fabio

Hi @fmarinetti
You can try to use the v2 version: Microsoft Azure OAuth2 OmniAuth Provider V2 | GitLab

I guess from your configuration you have LDAP and SAML configured as well?

Thanks for your response @balonik

Actually, it seems it is not supported in the version I am using. I looked at the specific documentation of my version and that kind of provider is not mentioned.

Regards.

Right, I am sorry. It seems it is available from 13.9.

You can look in gitlab-rails/production.log to see if there is some info regarding the user login. At least for SAML it logs full SAMLResponse so at least I can see what attributes/values are coming back. Just to confirm that Azure AD is sending the right attributes/values.

You can also look in the User's details and see what's under the 'Identities' tab of the user. And maybe try to add a New Identity to the existing user manually.
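Checking the 'Identities' tab one user at a time gets slow on a larger instance. The script below is an added example (not from this thread and not part of GitLab) that prints the same information for every account from a `gitlab-rails runner` session and flags accounts that have no azure_oauth2 identity linked yet; it assumes GitLab's User and Identity models, and falls back to constructed sample data when those are not loaded.

```ruby
# Added diagnostic (not from the thread or from GitLab itself). Run it with
#   gitlab-rails runner /tmp/identity_report.rb
# to print, for every user, the primary email and the OmniAuth identities linked
# to the account, flagging accounts that have no azure_oauth2 identity yet.
# Assumes GitLab's User and Identity models (User#username, User#email,
# User#identities, Identity#provider, Identity#extern_uid); the report logic
# works on plain hashes so it can also be exercised offline with sample data.

PROVIDER = 'azure_oauth2' # provider name used in the thread's gitlab.rb

# Constructed sample mirroring the case in the question; used when the GitLab
# models are not loaded (i.e. outside gitlab-rails runner).
SAMPLE_USERS = [
  { username: 'johndoe', email: 'johndoe@foo.com',
    identities: [{ provider: 'azure_oauth2', extern_uid: 'constructed-oid-1' }] },
  { username: 'jdoe', email: 'jdoe@bar.com', identities: [] }
].freeze

# users: array of { username:, email:, identities: [{ provider:, extern_uid: }] }
def identity_report(users, provider = PROVIDER)
  users.map do |u|
    {
      username: u[:username],
      email: u[:email],
      identities: u[:identities].map { |i| "#{i[:provider]}:#{i[:extern_uid]}" },
      linked: u[:identities].any? { |i| i[:provider] == provider }
    }
  end
end

def format_report(rows)
  rows.map do |r|
    ids = r[:identities].empty? ? '-' : r[:identities].join(' ')
    status = r[:linked] ? 'ok' : "NO #{PROVIDER} IDENTITY"
    "#{r[:username]}\t#{r[:email]}\t#{ids}\t#{status}"
  end.join("\n")
end

# Pull real data when running inside GitLab's Rails environment.
def load_users
  return SAMPLE_USERS unless defined?(::User) && defined?(::Identity)

  ::User.includes(:identities).find_each.map do |user|
    { username: user.username, email: user.email,
      identities: user.identities.map { |i| { provider: i.provider, extern_uid: i.extern_uid } } }
  end
end

puts format_report(identity_report(load_users))
```

A user listed with "NO azure_oauth2 IDENTITY" after signing in through Azure was not auto-linked, which is the case to compare against the email values in production.log.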

@balonik

I don’t see anything in logs, I looked at the gitlab-rails/production.log but nothing appeared.
Is there any trace flag or trace level I have to set for catching SAML calls?

Thanks in advance.