Can't verify CSRF token authenticity ... while trying to get AD users to authenticate via SAML
Background:
I have this issue on 10.6.0. We have a new certificate from ADFS; after changing it and upgrading GitLab to 10.6.0 I have these lines in the logs:
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 0ms (ActiveRecord: 0.0ms)
Started POST "/users/auth/saml/callback" for 10.151.64.32 at 2018-04-02 17:23:00 +0300
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"SAMLResponse"=>"..."}
Can't verify CSRF token authenticity
Redirected to https://gitlab.rnd.wargaming.net/users/sign_in
Completed 302 Found in 6ms (ActiveRecord: 0.0ms)
I have modified omniauth_callbacks_controller.rb and restarted Unicorn (gitlab-ctl restart unicorn):
class OmniauthCallbacksController < Devise::OmniauthCallbacksController
  # added: skip the CSRF check for this controller's actions
  skip_before_action :verify_authenticity_token
  include AuthenticatesWithTwoFactor
  include Devise::Controllers::Rememberable
  #protect_from_forgery except: [:kerberos, :saml, :cas3]
  # ... rest of the controller unchanged
end
But nothing new in the logs. Still the same messages.
What questions are you trying to answer? What do I need to do to get more debug messages?
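The post's workaround skips verify_authenticity_token for every action of the callbacks controller. The example below is an added illustration, not code from GitLab, Devise or Rails: a toy model of a before_action chain that compares no skip, a controller-wide skip, and a skip scoped with only: [:saml]. The controller, action and request values are constructed. It shows why an IdP-initiated SAML POST (which cannot carry the app's session token) fails the check, and that scoping the skip keeps the other actions protected while the global skip also lets a token-less POST through to them.

```ruby
# Added illustration (not GitLab's, Devise's or Rails' code): a toy model of
# a Rails controller filter chain, used to compare three CSRF configurations
# for an OmniAuth SAML callback. All names and request values are constructed.
require 'securerandom'

class CsrfRejected < StandardError; end

# Minimal stand-in for Rails' verify_authenticity_token: the request must carry
# an authenticity_token equal to the one stored in the user's session.
def verify_authenticity_token(session, params)
  token = params['authenticity_token']
  return if token && token == session[:csrf_token]

  raise CsrfRejected, "Can't verify CSRF token authenticity"
end

# Toy controller: ACTIONS is the full action list; the skip: option mirrors
# skip_before_action :verify_authenticity_token with or without only:.
class ToyController
  ACTIONS = %i[index saml failure].freeze

  def initialize(skip: [])
    @protected = ACTIONS - skip
  end

  # Actions that still run the CSRF check after the skip is applied.
  def protected_actions
    @protected
  end

  # Returns :ok when the action ran, :rejected when the CSRF check blocked it.
  def dispatch(action, session, params)
    verify_authenticity_token(session, params) if @protected.include?(action)
    :ok
  rescue CsrfRejected
    :rejected
  end
end

# Runs three constructed requests against each configuration and returns the
# outcome per (configuration, request) pair.
def simulate
  session = { csrf_token: SecureRandom.hex(16) }

  # Constructed requests: an in-app form POST carries the session token; the
  # IdP-initiated SAML POST arrives from the IdP and cannot carry it; the
  # third POST carries a token that does not match the session.
  form_post  = { 'authenticity_token' => session[:csrf_token] }
  saml_post  = { 'SAMLResponse' => 'base64-saml-response-placeholder' }
  bad_token  = { 'authenticity_token' => 'does-not-match-session' }

  configs = {
    no_skip:     ToyController.new,                                # Rails default
    global_skip: ToyController.new(skip: ToyController::ACTIONS),  # as in the post
    scoped_skip: ToyController.new(skip: [:saml])                  # only: [:saml]
  }

  configs.transform_values do |controller|
    {
      saml_callback: controller.dispatch(:saml, session, saml_post),
      form_index:    controller.dispatch(:index, session, form_post),
      mismatched:    controller.dispatch(:index, session, bad_token)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  simulate.each { |name, result| puts "#{name}: #{result}" }
end
```

Reading the output: with no skip the SAML callback is rejected (the situation in the logs above), with the global skip every action accepts a request whose token does not match the session, and with the scoped skip only the SAML callback is exempt. In Rails the equivalent scoping is skip_before_action :verify_authenticity_token, only: [:saml].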