SAML SSO with custom idp

Hello,
I would like to add GitLab as SP with our custom idp for SSO. I use a self-managed GitLab server.
This is my gitlab.rb config for SAML

```ruby
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://gitlab.examplepage.net/users/auth/saml/callback',
      idp_cert: '-----BEGIN CERTIFICATE-----XXX-----END CERTIFICATE-----',
      idp_sso_target_url: 'https://gitlab.examplepage.net/saml/idp/profile/redirectorpost/sso',
      issuer: 'https://gitlab.examplepage.net',
      name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
      attribute_statements: { email: ['E-Mail'] },
      security: {
        authn_requests_signed: true, # enable signature on AuthNRequest
        want_assertions_signed: true, # enable the requirement of signed assertion
        #embed_sign: true, # embedded signature or HTTP GET parameter signature
        #metadata_signed: false, # enable signature on Metadata
        signature_method: 'xmldsig-more namespace',
        digest_method: 'http://www.w3.org/2001/04/xmlenc#sha256',
      },
    },
    label: 'SSO Button' # optional label for SAML login button, defaults to "Saml"
  }
]
```

Do I need to enable omniauth? → `#gitlab_rails['omniauth_enabled'] = nil`

Can I use idp_cert or do I need to use idp_cert_fingerprint (in other applications I use an x509 cert)?

Can I add multiple attribute_statements like this, e.g.:
`attribute_statements: { email: ['E-Mail'], nickname: ['nameid'] },`

Can I add a SAML SSO issuer format?

At the moment the error is: "Could not authenticate you from SAML because 'The status code of the response was not success, was requester → invalid message signature'."
Is this a problem from the idp or the SP?

Thank you for any help :slight_smile:
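To help decide whether a "status code was not success" error points at the SP or at the IdP, here is a small decoder for the `samlp:Status` element of a SAML 2.0 Response. This is an added example, not code from the post or from GitLab; the sample response is constructed to mirror the error text above (the second-level code `RequestDenied` and the message are assumptions about what the IdP returned).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Top-level status codes from SAML 2.0 Core (section 3.2.2.2) and which side
# the spec assigns the failure to. The SP is the "requester" of an AuthnRequest,
# so a Requester status means the IdP rejected what the SP sent (e.g. a request
# signature it could not verify); Responder means the IdP itself failed.
TOP_LEVEL = {
    "Success": "success",
    "Requester": "SP side: the IdP rejected the request it received",
    "Responder": "IdP side: the IdP could not process the request",
    "VersionMismatch": "protocol version mismatch between SP and IdP",
}


def _strip(uri: str) -> str:
    """Return the short name of a status URI, or the URI itself if non-standard."""
    return uri[len(STATUS_PREFIX):] if uri.startswith(STATUS_PREFIX) else uri


def decode_status(response_xml: str) -> dict:
    """Extract top-level code, second-level code and message from a samlp:Response."""
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("no samlp:Status element in response")
    code_el = status.find(f"{{{SAMLP}}}StatusCode")
    if code_el is None:
        raise ValueError("samlp:Status has no StatusCode")
    top = _strip(code_el.get("Value", ""))
    sub_el = code_el.find(f"{{{SAMLP}}}StatusCode")  # optional nested code
    sub = _strip(sub_el.get("Value", "")) if sub_el is not None else None
    msg_el = status.find(f"{{{SAMLP}}}StatusMessage")
    message = msg_el.text.strip() if msg_el is not None and msg_el.text else None
    return {"code": top, "subcode": sub, "message": message,
            "side": TOP_LEVEL.get(top, "unknown top-level status code")}


# Constructed sample: what an IdP might return when it cannot verify the
# signature on the AuthnRequest (values are illustrative, not a real capture).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>invalid message signature</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    print(decode_status(SAMPLE_RESPONSE))
```

A Requester status with a signature-related message means the IdP could not validate the signed AuthnRequest, so the SP's signing certificate registered at the IdP and the key GitLab signs with are the first things to compare.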

I could fix the invalid message signature by adding the correct idp_cert and signing the request.
Still the nameID attribute is empty and I could not find an answer for this: