Below is my gitlab.rb:
    gitlab_rails['omniauth_enabled'] = true
    gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
    gitlab_rails['omniauth_block_auto_created_users'] = false
    gitlab_rails['omniauth_auto_link_saml_user'] = true
    gitlab_rails['omniauth_providers'] = [
      {
        name: 'saml',
        args: {
          assertion_consumer_service_url: 'http://127.0.0.1/users/auth/saml/callback',
          idp_cert_fingerprint: 'F9:9F:73:9D:86:69:16:D2:12:9C:9F:B1:98:D6:3D:1C:59:42:DB:BC',
          idp_sso_target_url: 'https://dev-xxx.xxx.com/app/sso/bbbe3396-8529-4ab0-a5ea-f48d8b67c295',
          issuer: 'https://www.xxx.com/bbbe3396-8529-4ab0-a5ea-f48d8b67c295',
          name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
          # map the IdP's eduPersonPrincipalName attribute to the GitLab email field
          attribute_statements: { email: ['urn:oid:1.3.6.1.4.1.5923.1.1.1.6'] }
        },
        label: 'saml' # optional label for SAML login button, defaults to "Saml"
      }
    ]
I have an app named MyIdp and my account email test_one@gmail.com, and I use GitLab as the SP. Then I found a strange thing.
Below are my steps:
- assign GitLab to test_one@gmail.com, which is not registered in GitLab
- then log in to GitLab from MyIdp; it works and GitLab creates a new user whose email is test_one@gmail.com
- log out of GitLab, log in with test_two@gmail.com, which is already registered, then log in to GitLab from MyIdp; now the mailbox displayed by GitLab is test_two@gmail.com instead of test_one@gmail.com
The correct behaviour should be that GitLab displays the mailbox passed by the IdP instead of the account that has already logged into GitLab.
Am I missing something, or is GitLab's SAML just like this? Can anyone help?
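The scenario in the post, modelled as an added example (not GitLab's code): it pulls the e-mail attribute that the gitlab.rb above maps (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) out of a constructed, unsigned assertion and decides whether that identity may be attached to an account, refusing the link when a different user is already signed in. The assertion text, the user sets and the decision strings are assumptions made for the example.

```python
# Added example (not GitLab's code): model the SAML identity-linking decision
# for the post's scenario. Extracts the e-mail attribute mapped in gitlab.rb
# (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) from a constructed assertion and decides
# whether the identity may be attached to an account.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion (no signature; not a real IdP response).
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject>
    <saml:NameID Format="{TRANSIENT}">_a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_OID}">
      <saml:AttributeValue>test_one@gmail.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (nameid_format, email) from the assertion's subject and attributes."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    email = None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_OID:
            email = attr.findtext("saml:AttributeValue", namespaces=NS)
    return name_id.get("Format"), email


def link_decision(asserted_email, existing_users, session_user=None):
    """Decide what to do with the asserted identity.

    existing_users: set of e-mails already registered at the SP (assumed).
    session_user:   e-mail of the account currently signed in, if any.
    A signed-in account whose e-mail differs from the asserted one is not
    linked; this is the surprise the post describes (test_two vs test_one).
    """
    if session_user is not None and session_user != asserted_email:
        return "reject: asserted identity does not match signed-in account"
    if asserted_email in existing_users:
        return f"link: attach identity to {asserted_email}"
    return f"create: new account for {asserted_email}"
```

Because the NameID format here is transient, the NameID value changes per login and cannot serve as a stable key, which is why the decision above matches on the asserted e-mail only.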