Cannot sign out when using Omniauth and SAML with IdP
Summary
We have configured GitLab to have users sign in via an IdP managed by our customer. Sign in works perfectly, but the Sign out feature produces a 404 at the path /sign_out. There doesn't seem to be any way to override or prevent this. There is a setting for providing an "After sign out path", which is useful for SSO (meaning I can push people on to their account page at the IdP after they individually sign out of GitLab), but it's not getting that far: it simply fails to sign out at all once SAML is enabled.
Steps to reproduce
You'll need a SAML 2.0 IdP to test with. The redacted version of our gitlab.rb config looks like this:
```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
# SAML endpoint
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    label: 'SSO Login',
    group_attribute: 'urn:oid:1.3.6.1.4.1.5923.1.5.1.1',
    args: {
      assertion_consumer_service_url: 'https://git.MYDOMAIN.com/users/auth/saml/callback',
      idp_cert_fingerprint: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
      idp_sso_target_url: 'https://login.MYDOMAIN.com/idp/profile/SAML2/Redirect/SSO',
      issuer: 'https://git.MYDOMAIN.com/',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      uid_attribute: 'urn:oid:0.9.2342.19200300.100.1.1',
      attribute_statements: {
        email: [ 'urn:oid:0.9.2342.19200300.100.1.3' ],
        first_name: [ 'urn:oid:2.5.4.42' ],
        last_name: [ 'urn:oid:2.5.4.4' ],
      },
    },
  },
]
```
Add that, reconfigure, log in and then go to "Sign out" under your user menu in the top right.
What is the current bug behavior?
You are taken to /sign_out, but you do not sign out and you get a GitLab 404 page.
What is the expected correct behavior?
You are signed out of GitLab and redirected to the location specified in admin settings (/admin/application_settings) under "After sign out path".
Relevant logs and/or screenshots
The production log says this:
```
Started GET "/sign_out" for 172.30.4.83 at 2017-02-15 10:40:36 +0000
Processing by ApplicationController#not_found as HTML
  Parameters: {"unmatched_route"=>"sign_out"}
Completed 404 Not Found in 15ms (Views: 0.6ms | ActiveRecord: 1.5ms)
```
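As a defensive check that is not part of this report or of GitLab itself, this added Python script parses production.log entries in the format quoted above and flags sign-out requests that ended in the 404 route (or any other error status) instead of a redirect, since a sign-out that fails this way leaves the user's GitLab session alive. The second log entry in the sample is constructed for contrast and is not from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample in production.log format: the failed sign-out from the report
# plus a constructed successful sign-out (302 redirect) for contrast.
SAMPLE_LOG = """\
Started GET "/sign_out" for 172.30.4.83 at 2017-02-15 10:40:36 +0000
Processing by ApplicationController#not_found as HTML
  Parameters: {"unmatched_route"=>"sign_out"}
Completed 404 Not Found in 15ms (Views: 0.6ms | ActiveRecord: 1.5ms)
Started GET "/users/sign_out" for 172.30.4.84 at 2017-02-15 10:41:02 +0000
Processing by SessionsController#destroy as HTML
Redirected to https://git.MYDOMAIN.com/users/sign_in
Completed 302 Found in 9ms (Views: 0.1ms | ActiveRecord: 0.8ms)
"""

START = re.compile(r'^Started (?P<method>[A-Z]+) "(?P<path>[^"]+)" for (?P<ip>\S+) at ')
PROC = re.compile(r'^Processing by (?P<controller>\S+) as ')
DONE = re.compile(r'^Completed (?P<status>\d{3}) ')

@dataclass
class Request:
    method: str
    path: str
    ip: str
    controller: str = ''
    status: int = 0  # 0 = no "Completed" line seen for this request

def parse_requests(log_text: str) -> list:
    """Group the multi-line Rails log entries into one Request per 'Started' line."""
    requests = []
    for line in map(str.strip, log_text.splitlines()):
        if m := START.match(line):
            requests.append(Request(m['method'], m['path'], m['ip']))
        elif requests and (m := PROC.match(line)):
            requests[-1].controller = m['controller']
        elif requests and (m := DONE.match(line)):
            requests[-1].status = int(m['status'])
    return requests

def failed_signouts(requests: list) -> list:
    """Sign-out requests that hit the 404 route or any 4xx/5xx: the session stayed alive."""
    return [r for r in requests
            if r.path.rstrip('/').endswith('sign_out')
            and (r.controller == 'ApplicationController#not_found' or r.status >= 400)]
```

Run it over a real production.log to list the client IPs whose sign-out attempts silently failed while SAML was enabled.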
Output of checks
Healthcheck output:
{"healthy":true,"message":"success"}
Results of GitLab environment info
System information
System: Debian 8.6
Current User: git
Using RVM: no
Ruby Version: 2.3.1p112
Gem Version: 2.6.6
Bundler Version:1.13.6
Rake Version: 10.5.0
Sidekiq Version:4.2.1
GitLab information
Version: 8.13.5
Revision: 09cedb5
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://git.MYDOMAIN.com
HTTP Clone URL: https://git.MYDOMAIN.com/some-group/some-project.git
SSH Clone URL: git@git.MYDOMAIN.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: saml
GitLab Shell
Version: 3.6.6
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab Shell ...
GitLab Shell version >= 3.6.6 ? ... OK (3.6.6)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:git?
default... no
User id for git: 998. Groupd id for git: 998
Try fixing it:
sudo chown -R git:git /var/opt/gitlab/git-data/repositories
For more information see:
doc/install/installation.md in section "GitLab Shell"
Please fix the error above and rerun the checks.
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
[redacted] ... ok
[redacted] ... ok
[redacted] ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
Send ping to redis server: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Reply by email ...
Reply by email is disabled in config/gitlab.yml
Checking Reply by email ... Finished
Checking LDAP ...
LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab ...
Git configured with autocrlf=input? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ...
[redacted] ... yes
[redacted] ... yes
[redacted] ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.3.1)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 2.7.3 ? ... yes (2.7.4)
Active users: 8
Checking GitLab ... Finished
Possible fixes
Sadly I don't speak Ruby. :-(