omniauth_allow_single_sign_on not respected upon initial configuration of new omniauth provider
I am using gitlab-ce 10.7.0-ce.0 on Debian 8 "jessie".
I have Omniauth enabled and 3 providers enabled. 2 of the providers (GitHub and Google) are provided solely for the purpose of connecting identities from the 1st provider (my organization's single-sign-on service). Thus I have restricted single-sign-on to the 1st provider with `gitlab_rails['omniauth_allow_single_sign_on']`.
I added GitHub many months (maybe over a year) ago and set this knob and the behavior was as expected. Adding Google did not go as expected:
- Add the `google_oauth2` provider below (with variables hidden for privacy)
- Run `gitlab-ctl reconfigure`
- At this point, the front page of GitLab only shows my organization's SSO provider as a login option.
- I can log in with my SSO and then connect my account to my Google identity
- I'm not sure actually connecting my account is an important part of this story. But it's what I did.
- If I log out, the front page of GitLab presents me with Google as a login option.
- Trying to log in with Google doesn't work.
- I can log in with my SSO and -- as an admin -- uncheck Google in "Settings => Sign-in restrictions => Enabled OAuth sign-in sources"
- Log out and Google is no longer presented as a login option.
- Log in. Log out.
- Google remains unavailable as a login option.
I can try to revert the changes to `gitlab.rb` and re-create the issue, but I suspect that some of the underlying settings are "sticky" because I cannot re-create the behavior. I am certain that at no point was `omniauth_allow_single_sign_on` set to anything except my SSO provider.
```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ["shibboleth"]
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "shibboleth",
    "args" => {
      "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
      "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
      "uid_field" => "HTTP_EPPN",
      "name_field" => "HTTP_DISPLAYNAME",
      "info_fields" => { "email" => "HTTP_MAIL" }
    }
  },
  {
    "name" => "github",
    "app_id" => "<%= @github_app_id %>",
    "app_secret" => "<%= @github_secret %>",
    "url" => "https://github.com/",
    "args" => { "scope" => "user:email" }
  },
  {
    "name" => "google_oauth2",
    "app_id" => "<%= @google_app_id %>",
    "app_secret" => "<%= @google_secret %>",
    "args" => { "access_type" => "offline", "approval_prompt" => '' }
  },
]
```