
Linking SAML account with LDAP account automatically fails

I'm using CentOS 6.6 and gitlab-omnibus Community Edition from the CentOS yum repository, version 7.12.2. I have successfully implemented LDAP auth and SAML auth using omniauth. Initially all users logged in and created their accounts through LDAP. Now I want them to be able to log in over SAML. The configuration parameter omniauth_auto_link_ldap_user doesn't link accounts coming in through SAML to accounts that were previously created using LDAP.

Here are my gitlab.rb entries for SAML:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true

gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    args: {
      issuer: 'https://gitlab.domain.com',
      assertion_consumer_service_url: 'https://gitlab.domain.com/users/auth/saml/callback',
      idp_cert_fingerprint: '####################',
      idp_sso_target_url: 'https://sso.domain.com/adfs/ls/',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
    }
  }
]

If I disable omniauth_auto_sign_in_with_provider, then users can log in over LDAP, go to their profile, then account settings, and manually link the two accounts together. I want gitlab to automatically link them together.

I see that omniauth_auto_sign_in_with_provider uses a field called extern_uid to verify if the two users should be linked. The issue is that when logging in over LDAP, extern_uid becomes the distinguished name (DN), and when logging in over Omni-Auth SAML the extern_uid becomes the email address.

The way I see fixing this is either to create a new parameter like omniauth_auto_link_ldap_user that uses the email address instead to link the accounts or extend omni-auth SAML to take in a DN to set extern_uid to the same thing as LDAP.

Here is an example user record in the identities table.

gitlabhq_production=> select * from identities where user_id = 2;
-[ RECORD 1 ]-------------------------------------------------------
id         | 5
extern_uid | CN=LastName\, FirstName,OU=State,OU=Users,DC=domain,DC=com
provider   | ldapmain
user_id    | 2
created_at |
updated_at |
-[ RECORD 2 ]-------------------------------------------------------
id         | 40
extern_uid | flastname@domain.com
provider   | saml
user_id    | 2
created_at | 2015-08-03 23:26:37.243648
updated_at | 2015-08-03 23:26:37.243648

This way you can clearly see that the extern_uid fields are not equal, thus normally gitlab wouldn't set the user_id to be the same. The reason why this record is correctly set is because I manually attached the SAML login to the LDAP-created account using the "connect to saml" button.
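The following Ruby script is an added example and not GitLab's own code. It models the identity lookup described above in simplified form: the two rows from the identities listing are embedded as constructed data, `find_user_by_identity` matches on provider plus extern_uid the way the report describes, and `email_auto_link` shows what the proposed email-based alternative would do. The `USERS` table, the function names and the `email_verified` flag are assumptions made for the example; the flag is there because an email-based match is only safe to act on when the IdP-asserted email is one the deployment trusts, otherwise an attribute mismatch would attach a login to the wrong account.

```ruby
# Added example (not GitLab code): why matching a SAML login against the LDAP
# identity's extern_uid fails, and what an email-based lookup would do instead.

# Constructed from the issue's `identities` listing. LDAP stores the DN as
# extern_uid; SAML stores the email address. Backslash-comma is literal inside
# single quotes, so the DN is kept exactly as shown in the report.
LDAP_IDENTITY = {
  id: 5,
  extern_uid: 'CN=LastName\, FirstName,OU=State,OU=Users,DC=domain,DC=com',
  provider: 'ldapmain',
  user_id: 2
}.freeze

SAML_IDENTITY = {
  id: 40,
  extern_uid: 'flastname@domain.com',
  provider: 'saml',
  user_id: 2
}.freeze

# State before the user pressed "connect to saml": only the LDAP row exists.
LDAP_ONLY = [LDAP_IDENTITY].freeze
# State after the manual link: both rows point at user_id 2.
AFTER_MANUAL_LINK = [LDAP_IDENTITY, SAML_IDENTITY].freeze

# Constructed users table (assumption): user 2 carries the email LDAP supplied.
USERS = [{ id: 2, email: 'flastname@domain.com' }].freeze

# Lookup as the report describes it: same provider and identical extern_uid.
# Returns the user_id or nil when no identity row matches.
def find_user_by_identity(identities, provider, extern_uid)
  row = identities.find { |i| i[:provider] == provider && i[:extern_uid] == extern_uid }
  row && row[:user_id]
end

# Auto-link attempt for an incoming SAML login: the login presents an email,
# the LDAP identity holds a DN, so the comparison never succeeds.
def ldap_auto_link(identities, saml_extern_uid)
  find_user_by_identity(identities, 'ldapmain', saml_extern_uid)
end

# The reporter's alternative: match the SAML login to a user by email.
# Only honoured when the caller has established that the asserted email is
# trustworthy; an unverified attribute must not be allowed to pick the account.
def email_auto_link(users, saml_email, email_verified:)
  return nil unless email_verified
  user = users.find { |u| u[:email].casecmp?(saml_email) }
  user && user[:id]
end

if __FILE__ == $PROGRAM_NAME
  puts "ldap auto-link before manual link: #{ldap_auto_link(LDAP_ONLY, 'flastname@domain.com').inspect}"
  puts "saml identity after manual link:   #{find_user_by_identity(AFTER_MANUAL_LINK, 'saml', 'flastname@domain.com').inspect}"
  puts "email-based link (verified):       #{email_auto_link(USERS, 'flastname@domain.com', email_verified: true).inspect}"
end
```

Running the script prints nil for the DN-based auto-link on the pre-link state, 2 once the SAML identity row exists, and 2 for the email-based match; the `email_verified: false` path returns nil regardless of the address.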

Please let me know if there is more information I can give to help fix this issue.