SAML Auth (on 8.4 CE Omnibus) leads to 'Retry later' error
Greetings,
I'm trying to set up SAML on GitLab (CE 8.4 Omnibus). After entering credentials on the SAML/SSO logon page, the browser reloads several times (with different SAMLRequest values) and eventually dies at a plain screen reading 'Retry later'.
Digging into the logs, gitlab-rails/production.log shows many of the following:
Started POST "/users/auth/saml" for 127.0.0.1 at 2016-01-25 11:49:07 -0500
Processing by OmniAuth::RequestForgeryProtection::Controller#index as HTML
Parameters: {"SAMLResponse"=>"..."}
Completed 200 OK in 0ms (ActiveRecord: 0.0ms)
Meanwhile nginx/gitlab_access.log shows nine POST requests to /users/auth/saml from the SAML server, each followed by a 302 redirect, and then a final POST that gets a 429 'Too Many Requests' error. That's when I see the 'Retry later' message.
I've seen on the web others talking about clock drift and setting 'allowed_clock_drift' in the saml config part of gitlab.rb, but even setting it to an insane 10800 seconds, I still receive this error.
I've verified that the posted SAML Response is correct, and am now out of options.
One other thing that should be noted: in embedded/service/gitlab-rails/lib/omni_auth/request_forgery_protection.rb I added skip_before_action :verify_authenticity_token, as I was getting CSRF token authenticity problems and a 422 message. The SAML server I am using is on another segment of the WAN and it goes through a reverse proxy somewhere. I trust it implicitly, however, as it's internal.
Any ideas, thoughts, comments would be greatly appreciated!
Cheers!
Rich
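An added example, written by the editor and not part of the original post or of GitLab's own code. The production.log excerpt above shows the SAMLResponse arriving at POST /users/auth/saml, which is OmniAuth's request-phase route; GitLab mounts OmniAuth under /users/auth, and the route that consumes an assertion is /users/auth/<provider>/callback. A SAMLResponse delivered to the request-phase route is answered with a fresh AuthnRequest (the 302 back to the IdP), which matches the reload loop with changing SAMLRequest values and the final 429 from the request-phase rate limit. The script below parses nginx access-log lines, reports that pattern, and derives the Assertion Consumer Service URL an IdP should be given from gitlab.rb's external_url. The log lines are constructed for the example, the 10.0.0.5 address and gitlab.example.com hostnames are placeholders, and the assumption that a relative URL root in external_url is simply prefixed is mine.

```ruby
# Added example (not the poster's code and not GitLab's): check whether SAML
# assertions are reaching OmniAuth's callback route or its request-phase route.
#
# OmniAuth, as mounted by GitLab under /users/auth, has two routes per provider:
#   request phase : POST /users/auth/<provider>          -> builds an AuthnRequest, 302 to the IdP
#   callback phase: POST /users/auth/<provider>/callback -> consumes the SAMLResponse
# An assertion POSTed to the request-phase route only triggers another AuthnRequest,
# so the browser bounces between IdP and GitLab until the rate limiter answers 429.

require 'uri'

REQUEST_PATH  = %r{\A/users/auth/(?<provider>[\w-]+)\z}
CALLBACK_PATH = %r{\A/users/auth/(?<provider>[\w-]+)/callback\z}

# Constructed nginx combined-format lines (not the poster's real log).
# Loop case: every assertion lands on the request-phase route, ending in 429.
LOOP_LOG = <<~LOG
  10.0.0.5 - - [25/Jan/2016:11:49:07 -0500] "POST /users/auth/saml HTTP/1.1" 302 120 "-" "Mozilla/5.0"
  10.0.0.5 - - [25/Jan/2016:11:49:08 -0500] "POST /users/auth/saml HTTP/1.1" 302 120 "-" "Mozilla/5.0"
  10.0.0.5 - - [25/Jan/2016:11:49:09 -0500] "POST /users/auth/saml HTTP/1.1" 302 120 "-" "Mozilla/5.0"
  10.0.0.5 - - [25/Jan/2016:11:49:10 -0500] "POST /users/auth/saml HTTP/1.1" 429 18 "-" "Mozilla/5.0"
LOG

# Healthy case: one request-phase POST (user clicks the SSO button), then the
# assertion arrives on the callback route and GitLab redirects to the dashboard.
HEALTHY_LOG = <<~LOG
  10.0.0.5 - - [25/Jan/2016:12:00:01 -0500] "POST /users/auth/saml HTTP/1.1" 302 120 "-" "Mozilla/5.0"
  10.0.0.5 - - [25/Jan/2016:12:00:03 -0500] "POST /users/auth/saml/callback HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG

LINE = /"(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Parse each access-log line into {method:, path:, status:}; skip lines that do not match.
def parse_access_log(text)
  text.each_line.map do |line|
    m = LINE.match(line)
    next unless m
    { method: m[:method], path: m[:path], status: m[:status].to_i }
  end.compact
end

# Count POSTs per route and flag the request-phase loop pattern.
def saml_loop_report(entries)
  posts = entries.select { |e| e[:method] == 'POST' }
  to_request  = posts.count { |e| REQUEST_PATH.match?(e[:path]) }
  to_callback = posts.count { |e| CALLBACK_PATH.match?(e[:path]) }
  rate_limited = posts.any? { |e| e[:status] == 429 && REQUEST_PATH.match?(e[:path]) }
  {
    posts_to_request_path: to_request,
    posts_to_callback_path: to_callback,
    rate_limited: rate_limited,
    # Repeated request-phase POSTs that end in 429 with nothing reaching the
    # callback route is the signature of an IdP sending assertions to the wrong URL.
    looks_like_acs_misconfig: to_request > 1 && to_callback.zero? && rate_limited
  }
end

# The ACS URL to configure on the IdP, derived from external_url in gitlab.rb.
# Assumption: a relative URL root in external_url is kept as a prefix.
def expected_acs_url(external_url, provider = 'saml')
  URI.join(external_url.chomp('/') + '/', "users/auth/#{provider}/callback").to_s
end

if __FILE__ == $PROGRAM_NAME
  puts "loop sample:    #{saml_loop_report(parse_access_log(LOOP_LOG)).inspect}"
  puts "healthy sample: #{saml_loop_report(parse_access_log(HEALTHY_LOG)).inspect}"
  puts "IdP ACS URL should be: #{expected_acs_url('https://gitlab.example.com')}"
end
```

Run it against a real gitlab_access.log by replacing the constructed samples with File.read of the log. One caveat worth stating: the request-phase route's authenticity check exists to stop a third party from starting a login in a victim's browser (login CSRF), so skipping verify_authenticity_token there removes a control rather than fixing the routing; if the IdP posts the assertion to the callback URL, that skip is not needed.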