Hi,
We currently have our GitLab linked via SAML to our ADFS server. SSO seems to be working fine, but sometimes a user is unable to log in, gets a 422 OmniAuth error, and is redirected to:
https://git.example.com/users/auth/saml/omniauth_error?error=Identities+extern+uid+has+already+been+taken+and+Identities+user+has+already+been+taken.
The only way for us to fix this issue is to remove the identifier under the user account in GitLab.
In our application log we see:
August 21, 2017 08:01: (SAML) Error saving user --Unique identifier code-- (user@domain.com): ["Identities user has already been taken"]
When I compare the unique identifier with the identifier already saved under the user account in GitLab, I can see that a new, different identifier has been created.
I have set the following claim rules under my RP in ADFS:
1: persistent name identifier (custom claim rule)
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/persistentId"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);
Rule 2:
Rule 3:
This is all configured according to Microsoft's recommended settings for SAML persistent identifiers.
Has anyone experienced this issue? Maybe someone knows a different custom rule to create the persistent NameID without using the PPID.
As far as I know, the custom rule creates a NameID based on the SAM account name and the PPID, and that should not change, but for some reason it does.
If someone uses a different custom rule, could you share it? Everywhere I look online, the PPID is used for the SAML <> ADFS link.
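The error in the post is what GitLab reports when the NameID in a fresh assertion no longer equals the extern_uid already stored on the user's SAML identity: GitLab stores the NameID as extern_uid, so a changed value makes it try to attach a second identity to a user who already has one for that provider. Before touching claim rules it is worth looking at exactly what ADFS sent. The script below is an added diagnostic, not code from the poster, GitLab or ADFS: it decodes the SAMLResponse POST parameter (copy it from the browser's developer tools on the failing login), pulls out the NameID, its Format and the attribute claims, and compares the NameID with the extern_uid shown under the user's identities in the GitLab Admin Area. The embedded assertion, its issuer, IDs and NameID value are constructed sample data.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response and the Assertion inside it.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample, standing in for the SAMLResponse that ADFS posts to
# /users/auth/saml/callback. Issuer, IDs and the NameID value are made up;
# signatures and conditions are omitted because they do not affect the check.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2017-08-21T08:01:00Z"
    Destination="https://git.example.com/users/auth/saml/callback">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-08-21T08:01:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">AbC123opaque==</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@domain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually posts: the XML, base64-encoded.
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")


def decode_response(saml_response_field):
    """Turn the base64 SAMLResponse form field back into XML text."""
    return base64.b64decode(saml_response_field).decode("utf-8")


def extract_identity(xml_text):
    """Return the subject NameID, its Format attribute and all attribute claims."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def diagnose(xml_text, stored_extern_uid):
    """Compare the asserted NameID with the extern_uid GitLab already holds.

    Returns one of: "no-nameid", "not-persistent", "mismatch", "match".
    A "mismatch" on a user who already has a SAML identity is the situation
    behind "Identities user has already been taken".
    """
    ident = extract_identity(xml_text)
    if ident["name_id"] is None:
        return "no-nameid"
    if ident["name_id_format"] != PERSISTENT:
        return "not-persistent"
    if ident["name_id"] != stored_extern_uid:
        return "mismatch"
    return "match"


if __name__ == "__main__":
    # Replace SAMPLE_B64 with the real SAMLResponse field and the second
    # argument with the extern_uid from Admin Area > Users > (user) > Identities.
    xml_text = decode_response(SAMPLE_B64)
    print(extract_identity(xml_text))
    print(diagnose(xml_text, "AbC123opaque=="))
```

Run it against the assertion from a failing login and one from a successful login for the same user: if both carry the persistent format but different NameID values, the PPID itself changed and the comparison of the two attribute statements (account name, OriginalIssuer-derived values, the RP the token was issued to) narrows down which input to the _OpaqueIdStore rule differed between the two logins.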