omniauth_allow_single_sign_on not respected upon initial configuration of new omniauth provider

I am using gitlab-ce 10.7.0-ce.0 on Debian 8 "jessie".

I have Omniauth enabled and 3 providers enabled. 2 of the providers (GitHub and Google) are provided solely for the purpose of connecting identities from the 1st provider (my organization's single-sign-on service). Thus I have restricted single-sign-on to the 1st provider with gitlab_rails['omniauth_allow_single_sign_on].

I added GitHub many months (maybe over a year) ago and set this knob and the behavior was as expected. Adding google did not go as expected:

  1. Add google_oauth2 provider below (with variables hidden for privacy)
  2. Run gitlab-ctl reconfigure
  3. At this point, the front page of GitLab only shows my organization's SSO provider as a login option.
  4. I can login with my SSO and then connect my account to my Google identity
    • I'm not sure actually connecting my account is an important part of this story. But it's what I did.
  5. If I logout, the front page of GitLab presents me with Google as a login option.
  6. Trying to login with Google doesn't work.
  7. I can login with my SSO and -- as an admin -- uncheck Google in "Settings => Sign-in restrictions => Enabled OAuth sign-in sources"
  8. Logout and Google is no longer presented as a login option.
  9. Login. Logout.
  10. Google remains unavailable as a login option.

I can try to revert the changes to gitlab.rb and re-create the issue, but I suspect that some of the underlying settings are "sticky" because I cannot re-create the behavior. I am certain that at no point was omniauth_allow_single_sign_on set to anything except my SSO provider.

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ["shibboleth"]
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "shibboleth",
    "args" => {
      "shib_session_id_field"     => "HTTP_SHIB_SESSION_ID",
      "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
      "uid_field"                 => "HTTP_EPPN",
      "name_field"                => "HTTP_DISPLAYNAME",
      "info_fields"               => { "email" => "HTTP_MAIL" }
    }
  },
  {
    "name"       => "github",
    "app_id"     => "<%= @github_app_id %>",
    "app_secret" => "<%= @github_secret %>",
    "url"        => "https://github.com/",
    "args"       => { "scope" => "user:email" }
  },
  {
    "name"       => "google_oauth2",
    "app_id"     => "<%= @google_app_id %>",
    "app_secret" => "<%= @google_secret %>",
    "args"       => { "access_type" => "offline", "approval_prompt" => '' }
  },
]
Edited by Tom Downes