Omnibus Omniauth `groups_attribute: 'Groups'` is not added for saml-created users as create time

Summary

Omnibus Omniauth groups_attribute: 'Groups' is not added for saml-created users as create time

Steps to reproduce

Gitlab Configuration

# omniauth
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
        {
            name: 'saml',
            args: {
                    assertion_consumer_service_url: 'https://<gitlab_url>/users/auth/saml/callback',
                    idp_cert_fingerprint: '<idp_cert_fingerprint>',
                    idp_sso_target_url: '<ids_sso_target_url>',
                    issuer: 'https://<gitlab_url>/',
                    name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
            },
            admin_groups: ['Administrators'],
            groups_attribute: 'Groups',
            label: 'Okta'
        }
]

  • create idp group "Foo"

  • create gitlab group Foo Group Name: Foo Group Url: foo Visibility level: internal

  • target user in idp group "Foo" posts a valid assertion to omniauth, containing the following snippet

<saml2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Foo</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Bar</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Contains Whitespace</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Baz</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">BarBar</saml2:AttributeValue>
</saml2:Attribute>

this saml assertion excerpt was pulled from /var/log/gitlab/gitlab-rails/production_json.log, json decoded, base64 decoded, and prettied up by hand for readability. Actual group names have been replaced with similar values.

What is the current bug behavior?

Gitlab receives a valid assertion and creates the user, but does not add the user to the groups asserted by the idp.

What is the expected correct behavior?

The idp's group membership should be respected therefore the user should be added to the group

Relevant logs and/or screenshots

I suspect there were no failure messages associated with the behavior

/var/log/gitlab/gitlab-rails/application.log.1.gz:March 11, 2019 23:23: (SAML) saving user example_user@example.com from login with admin => false, extern_uid => example_user@example.com
/var/log/gitlab/gitlab-rails/application.log.1.gz:March 11, 2019 23:23: User "Example User" (example_user@example.com) was created

Results of GitLab environment info

Expand for output related to GitLab environment info 
System information
System:     Ubuntu 18.04
Proxy:      no
Current User:   git
Using RVM:  no
Ruby Version:   2.5.3p105
Gem Version:    2.7.6
Bundler Version:1.16.6
Rake Version:   12.3.2
Redis Version:  3.2.12
Git Version:    2.18.1
Sidekiq Version:5.2.5
Go Version: unknown

GitLab information
Version:    11.8.0-ee
Revision:   002a28279f5
Directory:  /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
DB Version: 9.6.9
URL:        https://<gitlab_url>
HTTP Clone URL: https://<gitlab_url>/some-group/some-project.git
SSH Clone URL:  git@<gitlab_url>:some-group/some-project.git
Elasticsearch:  yes
Geo:        no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: saml


GitLab Shell
Version:    8.4.4
Repository storage paths:
  • default: /var/opt/gitlab/git-data/repositories
  • storage1: /srv/gitlab/storage1/repositories/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab subtasks ...


Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 8.4.4 ? ... OK (8.4.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK


Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK
storage1 ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Checking Reply by email ...


IMAP server credentials are correct? ... yes
Init.d configured correctly? ... skipped
MailRoom running? ... skipped


Checking Reply by email ... Finished


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab App ...


Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
19/1 ... yes
15/2 ... yes
2/3 ... yes
2/4 ... yes
2/5 ... yes
2/6 ... yes
2/7 ... yes
2/8 ... yes
2/9 ... yes
2/10 ... yes
2/11 ... yes
2/12 ... yes
2/13 ... yes
2/14 ... yes
2/15 ... yes
2/16 ... yes
2/17 ... yes
2/18 ... yes
2/19 ... yes
2/20 ... yes
2/21 ... yes
2/22 ... yes
2/23 ... yes
2/24 ... yes
2/25 ... yes
2/26 ... yes
20/31 ... yes
20/32 ... yes
20/33 ... yes
14/34 ... yes
14/35 ... yes
14/37 ... yes
21/38 ... yes
21/39 ... yes
21/40 ... yes
21/41 ... yes
2/42 ... yes
22/43 ... yes
22/44 ... yes
26/45 ... yes
22/46 ... yes
2/47 ... yes
2/48 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 14
Elasticsearch version 5.6 - 6.x? ... yes (6.3.1)


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished

Possible fixes

Its unclear to me, this could be a documentation issue about the lack of clarification of the requirements of sso provided groups