Linking SAML account with LDAP account automatically fails
I'm using CentOS 6.6 and gitlab-omnibus Community Edition from the CentOS yum repository version 7.12.2. I have successfully implemented LDAP auth and SAML auth using ominauth. Initially all users logged in and created their accounts through ldap. Now I want them to be able to log in over SAML. The configuration parameter omniauth_auto_link_ldap_user doesn't link accounts coming in through saml to accounts that were previously created using LDAP.
Here is my gitlab.rb entries for SAML:
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_providers'] = [
{
"name" => "saml",
args: {
issuer: 'https://gitlab.domain.com',
assertion_consumer_service_url: 'https://gitlab.domain.com/users/auth/saml/callback',
idp_cert_fingerprint: '####################',
idp_sso_target_url: 'https://sso.domain.com/adfs/ls/',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
}
}
]If I disable omniauth_auto_sign_in_with_provider, then users can log in over ldap, go to their profile, then accounts settings and manually link the two accounts together. I want gitlab to automatically link them together.
I see that omniauth_auto_sign_in_with_provider uses a field called extern_uid to verify if they two users should be linked. The issue is that when logging in over ldap, extern_uid becomes the distinguished name(dn) and when logging in over Omni-Auth SAML the extern_uid becomes the email address.
The way I see fixing this is either to create a new parameter like omniauth_auto_link_ldap_user that uses the email address instead to link the accounts or extend omni-auth SAML to take in a DN to set extern_uid to the same thing as LDAP.
Here is an example user record in the identities table.
gitlabhq_production=> select * from identities where user_id = 2;
-[ RECORD 1 ]-------------------------------------------------------
id | 5
extern_uid | CN=LastName\, FirstName,OU=State,OU=Users,DC=domain,DC=com
provider | ldapmain
user_id | 2
created_at |
updated_at |
-[ RECORD 2 ]-------------------------------------------------------
id | 40
extern_uid | flastname@domain.com
provider | saml
user_id | 2
created_at | 2015-08-03 23:26:37.243648
updated_at | 2015-08-03 23:26:37.243648This way you can clearly see that the extern_uid fields are not equal thus normally gitlab wouldn't set the user_id to be the same. The reason why this record is correctly set, is because I manually attached the saml login to the ldap-created account using the connect to saml button.
Please let me know if there is more information I can give to help fix this issue.
Activity
Hey @agitelzon , do you have resolution for this query yet ?
Added saml label
We are facing the same issue and I see this as /duplicate #33493 (closed)
Is there a fix and approximate release date for that?
Thank you!
moved to gitlab#3784
Hey!
GitLab is moving all development for both GitLab Community Edition and Enterprise Edition into a single codebase. The current
gitlab-cerepository will become a read-only mirror, without any proprietary code. All development is moved to the currentgitlab-eerepository, which we will rename to justgitlabin the coming weeks. As part of this migration, issues will be moved to the currentgitlab-eeproject.If you have any questions about all of this, please ask them in our dedicated FAQ issue.
https://gitlab.com/gitlab-org/gitlab-ee/issues/13855You can also find more information here:
https://gitlab.com/gitlab-org/gitlab-ee/issues/13304- https://about.gitlab.com/2019/08/23/a-single-codebase-for-gitlab-community-and-enterprise-edition/
Frequently Asked Questions
For an up to date list of questions and answers, please take a look at
https://gitlab.com/gitlab-org/gitlab-ee/issues/13855What will we do with the repository names?
https://gitlab.com/gitlab-org/gitlab-ee/ will become https://gitlab.com/gitlab-org/gitlab, and https://gitlab.com/gitlab-org/gitlab-ce will become https://gitlab.com/gitlab-org/gitlab-foss.
Why rename gitlab-ce to gitlab-foss?
Using "gitlab" and "gitlab-ce" would be confusing, so we decided to rename gitlab-ce to gitlab-foss to make the purpose of this FOSS repository more clear
I created a merge requests for CE, and this got closed. What do I need to do?
You will need to create a merge request at https://gitlab.com/gitlab-org/gitlab-ee/. This link will eventually redirect to https://gitlab.com/gitlab-org/gitlab.
How does the licensing work in this new setup?
Everything in the
ee/directory is proprietary. Everything else is free and open source software. If your merge request does not change anything in theee/directory, the process of contributing changes is the same as when using the gitlab-ce repository.Will you accept merge requests on the gitlab-ce/gitlab-foss project after it has been renamed?
No. Merge requests submitted to this project will be closed automatically.
Will I still be able to view old issues and merge requests in gitlab-ce/gitlab-foss?
Yes.
How will this affect users of GitLab CE using Omnibus?
No changes will be necessary, as the packages built remain the same.
How will this affect users of GitLab CE that build from source?
Once the project has been renamed, you will need to change your Git remotes to use this new URL. GitLab will take care of redirecting Git operations so there is no hard deadline, but we recommend doing this as soon as the projects have been renamed.
Where can I see a timeline of the remaining steps?
https://gitlab.com/gitlab-org/gitlab-ee/issues/13304Will community contributions submitted to the new "gitlab" repository be available in the new gitlab-foss repository?
Yes, these changes will be synced to gitlab-foss automatically, several times per day.
mentioned in merge request !14785
