SAML fails when mail or email claims aren't provided
I have GitLab CE 7.12 (Omnibus) installed on an Ubuntu 14.04 64-bit VM. I have been trying unsuccessfully to set up SAML authentication for my users. I've tried both Azure AD and OneLogin as my IdP, and both services correctly allow a user to log in, but upon redirection back to the callback URL, GitLab throws a 500 error. The only details I see in the log are:
Completed 500 Internal Server Error in 285ms (ActiveRecord: 31.8ms)
SystemStackError (stack level too deep):
activerecord (4.1.11) lib/active_record/connection_adapters/abstract/connection_pool.rb:629
I have the following set up in the gitlab.rb:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    "args" => {
      "assertion_consumer_service_url" => "https://gitlab.###########.com/users/auth/saml/callback",
      #"issuer" => "https://gitlab.#########.com",
      "issuer" => "https://app.onelogin.com/saml/metadata/########",
      "idp_sso_target_url" => "https://###########.onelogin.com/trust/saml2/http-post/sso/##########",
      "idp_cert_fingerprint" => "###########",
      "name_identifier_format" => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    }
  }
]
If I set omniauth_allow_single_sign_on to false, I get a different error saying that the user cannot log in without first creating a GitLab user and linking the account. I don't see anywhere in the UI to accomplish that linking, however (it looks like someone else reported this).
Any help is very much appreciated!
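Added diagnostic example, not the reporter's configuration or GitLab/omniauth-saml code: it parses the AttributeStatement of a SAML assertion and reports whether the IdP actually sent an e-mail claim, which the issue title identifies as the missing piece. The accepted attribute names and the two sample assertions are assumptions constructed here.

```ruby
# Added diagnostic, not GitLab or omniauth-saml code: parse the AttributeStatement of
# a SAML assertion and report whether it carries an e-mail claim the callback can use.
require "rexml/document"

SAML_NS = { "saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze
# Attribute names to accept (assumption): "mail" and "email" from the issue title,
# plus the claim URI that Azure AD commonly emits for the e-mail address.
EMAIL_ATTRIBUTE_NAMES = [
  "email", "mail",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
].freeze
# Returns { attribute_name => [values] } for every saml:Attribute in the assertion.
def saml_attributes(xml)
  doc = REXML::Document.new(xml)
  attrs = {}
  REXML::XPath.each(doc, "//saml:Attribute", SAML_NS) do |attr|
    values = REXML::XPath.match(attr, "saml:AttributeValue", SAML_NS)
    attrs[attr.attributes["Name"]] = values.map { |v| v.text.to_s.strip }
  end
  attrs
end

# Returns the first non-empty e-mail value, or nil when no usable claim is present
# (absent attribute or empty value), the condition under which the callback fails.
def email_from_assertion(xml)
  attrs = saml_attributes(xml)
  EMAIL_ATTRIBUTE_NAMES.each do |candidate|
    key = attrs.keys.find { |k| k.casecmp?(candidate) }
    value = key && attrs[key].find { |v| !v.empty? }
    return value if value
  end
  nil
end

# Constructed sample assertions (signature, Subject and Conditions omitted).
ASSERTION_WITH_MAIL = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
XML
ASSERTION_WITHOUT_MAIL = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
XML
```

Running `email_from_assertion` over a decoded SAMLResponse captured from the IdP (for example, via the browser's developer tools) shows whether the IdP needs to be configured to release the e-mail attribute before GitLab can match or create the user.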