Misconfiguration in shibboleth causes users to authenticate as someone else

Summary

Gitlab 8.11.5

We use shibboleth via omniauth. An bad config in shibboleth this morning stopped Gitlab from reading the HTTP_UID attribute. This resulted in every new login being authenticated as the same user, which is a major security flaw. Doubly concerning is that the apparent profile data shown to the users was for yet another user in the system.

These two accounts are special in that the authenticated user was also the most recently created account, and the user whose profile data was displayed has their UID manually associated with shibboleth in the "Identities" tab.

Steps to reproduce

Block the release of HTTP_UID to Gitlab

Relevant logs and/or screenshots

Here are the settings for omniauth:

        "shib_session_id_field"         => "HTTP_SHIB_SESSION_ID",
        "shib_application_id_field"     => "HTTP_SHIB_APPLICATION_ID",
        "uid_field"                     => "HTTP_UID",
        "name_field"                    => "HTTP_CN",
        "info_fields"                   => {
            "email"     => "HTTP_MAIL",
        },