GitLab sign-in form becomes inaccessible when omniauth 'auto_sign_in_with_provider' is enabled
Summary
Our GitLab instance is configured with omniauth enabled, and we have also enabled the omniauth_auto_sign_in_with_provider option. This results in the /users/sign_in path automatically redirecting to our IdP instance, which then redirects back to GitLab (passing along the SAML object) after authentication.
The problem happens when we need to log in as a local GitLab user (bypassing SAML authentication). The method to do this is to add the auto_sign_in=false GET parameter to the sign_in URL. Unfortunately, when browsing to this URL, GitLab recognizes that there is already a valid user session and simply displays the "You are already signed in." banner. Alternatively, signing out of the current session should work, but it does not, because of the resulting string of redirects:
- Click: User menu --> Sign Out (loads https://gitlab.MYDOMAIN.com/users/sign_out)
- Redirects (302) to https://gitlab.MYDOMAIN.com/users/sign_in
- Redirects (302) to https://gitlab.MYDOMAIN.com/users/auth/saml
- Redirects (302) to https://idp.MYDOMAIN.com/saml_target_url...
- Redirects (200) to https://gitlab.MYDOMAIN.com/users/auth/saml/callback
- Redirects (302) to https://gitlab.MYDOMAIN.com
Right back where we started.
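The chain above can be checked mechanically. The following is an added example, not code from the report or from GitLab: a Python walker that follows the Location hops from the sign-out URL but refuses to follow the hand-off to /users/auth/<provider> or to any other host, so the IdP session is never contacted and an admin can see whether sign-out really lands on the sign-in page. It assumes the sign-out URL answers a plain GET as described in the report; the gitlab.example.test host and the SAMPLE_CHAIN table are constructed placeholders.

```python
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECTS = {301, 302, 303, 307, 308}

class _NoFollow(HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url):
    # One GET with redirects disabled: returns (status, Location header or None).
    try:
        with build_opener(_NoFollow).open(Request(url), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # every 3xx (and 4xx/5xx) arrives here
        return err.code, err.headers.get("Location")

def walk_sign_out(start_url, fetch=http_fetch, max_hops=10):
    """Follow Location hops from the sign-out URL without contacting the IdP.
    Verdict: auto_login_loop, sign_in_page, or unresolved."""
    gitlab_host = urlparse(start_url).netloc
    hops, url = [], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((url, status, location))
        if status in REDIRECTS and location:
            target = urljoin(url, location)
            parsed = urlparse(target)
            # A hop to /users/auth/<provider> or to another host hands control to
            # the IdP session: that is the auto-login loop described in the report.
            if parsed.netloc != gitlab_host or parsed.path.startswith("/users/auth/"):
                return {"verdict": "auto_login_loop", "hops": hops, "handoff": target}
            url = target
            continue
        if status == 200 and urlparse(url).path == "/users/sign_in":
            return {"verdict": "sign_in_page", "hops": hops, "handoff": None}
        break
    return {"verdict": "unresolved", "hops": hops, "handoff": None}

# Constructed sample reproducing the report's chain (placeholder host) so the
# walker runs offline; against a live instance pass fetch=http_fetch instead.
SAMPLE_CHAIN = {
    "https://gitlab.example.test/users/sign_out": (302, "/users/sign_in"),
    "https://gitlab.example.test/users/sign_in": (302, "/users/auth/saml"),
    "https://gitlab.example.test/users/sign_in?auto_sign_in=false": (200, None),
}

def sample_fetch(url):
    return SAMPLE_CHAIN.get(url, (404, None))
```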
Related or notable Issues:
- gitlab-org/gitlab-ce#3786 - feature request to explicitly disable auto-login with special URL parameter
- gitlab-org/gitlab-ce#28223 - 404 bug when attempting to sign out with SAML and auto-login
- gitlab-org/gitlab-ce#17344 - feature request to have the sign-out action destroy the IdP session (interesting, but not particularly related)
NOTE: this issue is similar to, but not a duplicate of, gitlab-org/gitlab-ce#28223, because the bug here is not a 404. The problem here is that there is no (obvious) way to disable auto-login. Effectively, the ability to disable auto-login requested in gitlab-org/gitlab-ce#3786 is broken.
Steps to reproduce
Related omniauth config (some values have been redacted):
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    label: 'Single Sign-on',
    groups_attribute: 'Groups',
    required_groups: [
      'CN=GitLab User,OU=Users Groups,DC=MYDOMAIN,DC=com'
    ],
    args: {
      assertion_consumer_service_url: 'https://gitlab.MYDOMAIN.com/users/auth/saml/callback',
      idp_cert_fingerprint: '< ...redacted... >',
      idp_sso_target_url: 'https://idp.MYDOMAIN.com/sso/idp',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      issuer: 'https://gitlab.MYDOMAIN.com'
    }
  }
]
Log out of active session (User menu --> Sign Out)
What is the current bug behavior?
Page reloads, redirects a few times, and we get logged right back in.
What is the expected correct behavior?
Either the actual login page, or an intermediate "you are logged out, click here to log back in" landing page.
Results of GitLab environment info
Output of GitLab environment info (some values have been redacted):
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.4.4p296
Gem Version: 2.7.6
Bundler Version:1.16.2
Rake Version: 12.3.1
Redis Version: 3.2.11
Git Version: 2.18.0
Sidekiq Version:5.1.3
Go Version: unknown

GitLab information
Version: 11.3.1-ee
Revision: d82e035
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
DB Version: 9.6.8
URL: https://gitlab.MYDOMAIN.com
HTTP Clone URL: https://gitlab.MYDOMAIN.com/some-group/some-project.git
SSH Clone URL: git@gitlab.MYDOMAIN.com:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: saml

GitLab Shell
Version: 8.3.3
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Output of the GitLab application check (some values have been redacted):
Checking GitLab Shell ...
GitLab Shell version >= 8.3.3 ? ... OK (8.3.3)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
22/2 ... ok
22/4 ... ok
22/5 ... ok
22/6 ... ok
22/7 ... ok
22/8 ... ok
22/10 ... ok
4/11 ... ok
4/12 ... ok
4/13 ... ok
3/15 ... ok
4/16 ... ok
24/19 ... ok
2/20 ... ok
12/21 ... ok
24/24 ... ok
24/25 ... ok
24/30 ... ok
24/31 ... ok
4/32 ... repository is empty
26/33 ... ok
2/35 ... ok
4/39 ... ok
4/40 ... repository is empty
4/41 ... ok
26/42 ... repository is empty
27/43 ... ok
27/45 ... ok
3/46 ... ok
27/47 ... ok
27/48 ... ok
26/49 ... repository is empty
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Reply by email is disabled in config/gitlab.yml
Checking LDAP ...
Server: ldapmain
not verifying SSL hostname of LDAPS server 'MYDOMAIN.com:389'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
DN: cn=user 1,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user1
DN: cn=user 2,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user2
DN: cn=user 3,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user3
DN: cn=user 4,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user4
DN: cn=user 5,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user5
DN: cn=user 6,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user6
DN: cn=user 7,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user7
DN: cn=user 8,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user8
Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
22/2 ... yes
22/4 ... yes
22/5 ... yes
22/6 ... yes
22/7 ... yes
22/8 ... yes
22/10 ... yes
4/11 ... yes
4/12 ... yes
4/13 ... yes
3/15 ... yes
4/16 ... yes
24/19 ... yes
2/20 ... yes
12/21 ... yes
24/24 ... yes
24/25 ... yes
24/30 ... yes
24/31 ... yes
4/32 ... yes
26/33 ... yes
2/35 ... yes
4/39 ... yes
4/40 ... yes
4/41 ... yes
26/42 ... yes
27/43 ... yes
27/45 ... yes
3/46 ... yes
27/47 ... yes
27/48 ... yes
26/49 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.4)
Git version >= 2.9.5 ? ... yes (2.18.0)
Git user has default SSH configuration? ... yes
Active users: ... 5
Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)
Checking GitLab ... Finished
Possible fixes
A few things I can think of:
- An explicit "Sign Out" action with SAML auto-login enabled should take the user to the sign_in page (maybe by adding ?auto_sign_in=false).
- Add support for the ?auto_sign_in=false parameter on the /users/sign_out path.
- Add a new "you have been logged out, click here to login" page (seems excessive and clunky, should be achievable with existing pages).