SAML `idp_cert` error should be as clear as `idp_cert_fingerprint` error.
Summary
While following the SAML OmniAuth Provider documentation to configure GitLab's SAML support with Keycloak, I used `idp_cert` instead of `idp_cert_fingerprint`, since Keycloak provides the certificate directly; I used the Keycloak client to get and set it with scripts.
When I set `idp_cert_fingerprint` wrong, GitLab directly told me 'fingerprint mismatch'. However, when I set `idp_cert` wrong (Keycloak puts the public key and the certificate side by side, and people often refer to the public key as the certificate), GitLab only said 'Something went wrong on our end', and the log just showed an OpenSSL::X509::CertificateError (nested asn1 error) right after Started POST "/users/auth/saml/callback". These logs totally misled me into thinking it was an HTTPS certificate problem (my GitLab is behind another nginx with a self-signed certificate). I tried trusted-certs, no; Certbot, no; installing the CA manually, no...
It took me a whole day to finally realize it might be the SAML certificate.
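As an added example (not part of the original issue, and not GitLab's or OmniAuth's code), here is a Ruby preflight check that tells a bare public key apart from an X.509 certificate before the value goes into `idp_cert`, and derives the colon-separated fingerprint that `idp_cert_fingerprint` expects. It reproduces the mix-up described above: feeding OpenSSL a public key where a certificate is expected raises OpenSSL::X509::CertificateError, which the check turns into a specific message. The sample certificate and keys are generated inline as constructed stand-ins for what Keycloak shows; the function names, the message wording and the wrapping of bare base64 into PEM are this example's own assumptions.

```ruby
require "openssl"

# Wrap bare base64 (what Keycloak shows when you click "Certificate" or
# "Public key", and what the realm keys JSON contains) in PEM armour so
# OpenSSL can parse it. Material that already has a PEM header passes through.
def to_pem(material, label)
  body = material.strip
  return body if body.start_with?("-----BEGIN")
  "-----BEGIN #{label}-----\n#{body.scan(/.{1,64}/).join("\n")}\n-----END #{label}-----\n"
end

# Classify whatever was pasted into idp_cert. Returns [kind, parsed_object]
# with kind one of :certificate, :public_key, :private_key, :invalid.
# A public key is the mix-up from the report: OpenSSL::X509::Certificate.new
# raises OpenSSL::X509::CertificateError ("nested asn1 error") on it.
def classify_idp_material(material)
  begin
    return [:certificate, OpenSSL::X509::Certificate.new(to_pem(material, "CERTIFICATE"))]
  rescue OpenSSL::X509::CertificateError
    # not a certificate; try to parse it as a key before giving up
  end
  key = OpenSSL::PKey.read(to_pem(material, "PUBLIC KEY"))
  [key.private? ? :private_key : :public_key, key]
rescue OpenSSL::PKey::PKeyError, ArgumentError
  [:invalid, nil]
end

# SHA-1 fingerprint in the colon-separated form GitLab documents for
# idp_cert_fingerprint (other digests can be requested).
def cert_fingerprint(cert, digest = "SHA1")
  OpenSSL::Digest.new(digest).hexdigest(cert.to_der).scan(/../).join(":")
end

# Compare a configured fingerprint with the certificate, ignoring case and
# colons; this is the kind of check behind the 'fingerprint mismatch' message.
def fingerprint_matches?(cert, configured, digest = "SHA1")
  normalize = ->(fp) { fp.to_s.delete(": ").downcase }
  normalize.call(configured) == normalize.call(cert_fingerprint(cert, digest))
end

# Preflight for the value of idp_cert, returning ["ok", msg] or ["error", msg]
# with a specific message instead of a generic "Something went wrong".
def check_idp_cert(material)
  kind, obj = classify_idp_material(material)
  case kind
  when :certificate
    return ["error", "idp_cert has expired (not_after #{obj.not_after.utc})"] if obj.not_after < Time.now
    ["ok", "idp_cert is an X.509 certificate; SHA-1 fingerprint #{cert_fingerprint(obj)}"]
  when :public_key
    ["error", "idp_cert is a bare public key, not an X.509 certificate. " \
              "Keycloak shows the public key and the certificate side by side; copy the certificate."]
  when :private_key
    ["error", "idp_cert is a PRIVATE key; never paste this into the GitLab configuration"]
  else
    ["error", "idp_cert is neither PEM nor base64 DER; OpenSSL cannot parse it"]
  end
end

# Constructed sample material (not from any real IdP): a throwaway self-signed
# certificate plus its keys, in the PEM and bare-base64 forms an admin might paste.
def sample_idp_material
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([["CN", "example-keycloak"]])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  {
    certificate_pem: cert.to_pem,
    certificate_bare: [cert.to_der].pack("m0"),
    public_key_pem: key.public_key.to_pem,
    public_key_bare: [key.public_key.to_der].pack("m0"),
    private_key_pem: key.to_pem,
  }
end

if __FILE__ == $PROGRAM_NAME
  sample_idp_material.each do |name, material|
    status, message = check_idp_cert(material)
    puts "#{name}: #{status}: #{message}"
  end
end
```

Run it with `ruby idp_cert_check.rb` and only the two certificate forms report `ok`; the public key forms are called out by name rather than surfacing as an ASN.1 error in the Rails log. The same `classify_idp_material` call could sit in front of the provider arguments at boot, which is the shape of the improvement the issue asks for.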
Improvements
Make the `idp_cert` error as clear as the `idp_cert_fingerprint` mismatch error.
Risks
Involved components
OmniAuth/SAML