GitLab sign-in form becomes inaccessible when omniauth 'auto_sign_in_with_provider' is enabled
Summary
Our GitLab instance is configured with omniauth enabled, and we have also enabled the omniauth_auto_sign_in_with_provider option. This results in the /users/sign_in path automatically redirecting to our IdP instance, which then redirects back to GitLab (passing along the SAML object) after authentication.
The problem happens when we need to log in as a local GitLab user (bypassing SAML authentication). The method to do this is to add the auto_sign_in=false GET parameter to the sign_in URL. Unfortunately, when browsing to this URL, GitLab recognizes that there is already a valid user session, and it simply displays the "You are already signed in." banner. Alternatively, signing out of the current session should work, but it does not, due to the resulting string of redirects:
- Click: User menu --> Sign Out (loads https://gitlab.MYDOMAIN.com/users/sign_out)
- Redirects (302) to https://gitlab.MYDOMAIN.com/users/sign_in
- Redirects (302) to https://gitlab.MYDOMAIN.com/users/auth/saml
- Redirects (302) to https://idp.MYDOMAIN.com/saml_target_url...
- Redirects (200) to https://gitlab.MYDOMAIN.com/users/auth/saml/callback
- Redirects (302) to https://gitlab.MYDOMAIN.com
Right back where we started.
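An added check, not GitLab's code, that walks a sign-out redirect chain one hop at a time (never auto-following) and flags the loop described above. The hops below are a constructed offline stand-in for the chain listed in this issue; http_fetch is a hypothetical helper for running the same walk against a live instance.

```ruby
require 'uri'
require 'net/http'

# Walk an HTTP redirect chain one hop at a time, never auto-following, so every
# intermediate Location is visible. `fetch` takes a URI and returns [status, location].
def follow_chain(start_url, fetch, max_hops: 10)
  hops = []
  uri = URI(start_url)
  max_hops.times do
    status, location = fetch.call(uri)
    hops << [uri.to_s, status]
    break unless location && (300..399).cover?(status)
    uri = URI.join(uri, location) # Location may be relative, e.g. "/users/sign_in"
  end
  hops
end

# The failure mode from this issue: a sign-out whose chain passes through the
# SAML provider path is auto-logged back in instead of landing on a form.
def auto_login_loop?(hops)
  hops.any? { |url, _status| URI(url).path.end_with?('/users/auth/saml') }
end

# Live fetcher for a real instance: one GET per hop, redirects not followed
# (hypothetical helper; if sign-out is a POST on your version, swap the verb).
def http_fetch
  lambda do |uri|
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
      http.request(Net::HTTP::Get.new(uri))
    end
    [res.code.to_i, res['location']]
  end
end

# Constructed stand-in for the hops listed in this issue (no network needed). The IdP
# really answers with a 200 auto-submitting form that POSTs to the callback; it is
# modelled here as a redirect so the chain stays walkable.
SIMULATED = {
  'https://gitlab.MYDOMAIN.com/users/sign_out' => [302, '/users/sign_in'],
  'https://gitlab.MYDOMAIN.com/users/sign_in' => [302, '/users/auth/saml'],
  'https://gitlab.MYDOMAIN.com/users/sign_in?auto_sign_in=false' => [200, nil],
  'https://gitlab.MYDOMAIN.com/users/auth/saml' => [302, 'https://idp.MYDOMAIN.com/saml_target_url'],
  'https://idp.MYDOMAIN.com/saml_target_url' => [302, 'https://gitlab.MYDOMAIN.com/users/auth/saml/callback'],
  'https://gitlab.MYDOMAIN.com/users/auth/saml/callback' => [302, 'https://gitlab.MYDOMAIN.com/'],
  'https://gitlab.MYDOMAIN.com/' => [200, nil]
}.freeze
SIMULATED_FETCH = ->(uri) { SIMULATED.fetch(uri.to_s, [404, nil]) }
```

Running follow_chain on /users/sign_out with the simulated fetcher reproduces the six hops above and auto_login_loop? reports true; the same walk started at /users/sign_in?auto_sign_in=false stops at the form after one hop.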
Related or notable Issues:
- gitlab-ce#3786 - feature request to explicitly disable auto-login with special URL parameter
- gitlab-ce#28223 - 404 bug when attempting to sign out with SAML and auto-login
- gitlab-ce#17344 - feature request to have the sign-out action destroy the IdP session (interesting, but not particularly related)
NOTE: this issue is similar to, but not a duplicate of, gitlab-ce#28223, because the bug here is not a 404. The problem here is that there is no (obvious) way to disable auto-login. Effectively, the feature request to be able to disable auto-login (gitlab-ce#3786) is broken.
Steps to reproduce
Related omniauth config (some values have been redacted):
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    label: 'Single Sign-on',
    groups_attribute: 'Groups',
    required_groups: [
      'CN=GitLab User,OU=Users Groups,DC=MYDOMAIN,DC=com'
    ],
    args: {
      assertion_consumer_service_url: 'https://gitlab.MYDOMAIN.com/users/auth/saml/callback',
      idp_cert_fingerprint: '< ...redacted... >',
      idp_sso_target_url: 'https://idp.MYDOMAIN.com/sso/idp',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      issuer: 'https://gitlab.MYDOMAIN.com'
    }
  }
]
Log out of active session (User menu --> Sign Out)
What is the current bug behavior?
Page reloads, redirects a few times, and we get logged right back in.
What is the expected correct behavior?
Either the actual login page, or an intermediate "you are logged out, click here to log back in" landing page.
Results of GitLab environment info
Output of GitLab environment info (some values have been redacted):
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.4.4p296
Gem Version: 2.7.6
Bundler Version:1.16.2
Rake Version: 12.3.1
Redis Version: 3.2.11
Git Version: 2.18.0
Sidekiq Version:5.1.3
Go Version: unknown

GitLab information
Version: 11.3.1-ee
Revision: d82e035
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
DB Version: 9.6.8
URL: https://gitlab.MYDOMAIN.com
HTTP Clone URL: https://gitlab.MYDOMAIN.com/some-group/some-project.git
SSH Clone URL: git@gitlab.MYDOMAIN.com:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: saml

GitLab Shell
Version: 8.3.3
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Output of the GitLab application check (some values have been redacted):
Checking GitLab Shell ...
GitLab Shell version >= 8.3.3 ? ... OK (8.3.3)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
22/2 ... ok 22/4 ... ok 22/5 ... ok 22/6 ... ok 22/7 ... ok 22/8 ... ok 22/10 ... ok 4/11 ... ok 4/12 ... ok 4/13 ... ok 3/15 ... ok 4/16 ... ok 24/19 ... ok 2/20 ... ok 12/21 ... ok 24/24 ... ok 24/25 ... ok 24/30 ... ok 24/31 ... ok 4/32 ... repository is empty 26/33 ... ok 2/35 ... ok 4/39 ... ok 4/40 ... repository is empty 4/41 ... ok 26/42 ... repository is empty 27/43 ... ok 27/45 ... ok 3/46 ... ok 27/47 ... ok 27/48 ... ok 26/49 ... repository is empty
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished

Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml

Checking LDAP ...
Server: ldapmain
not verifying SSL hostname of LDAPS server 'MYDOMAIN.com:389'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
DN: cn=user 1,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user1
DN: cn=user 2,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user2
DN: cn=user 3,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user3
DN: cn=user 4,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user4
DN: cn=user 5,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user5
DN: cn=user 6,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user6
DN: cn=user 7,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user7
DN: cn=user 8,cn=users,dc=MYDOMAIN,dc=com sAMAccountName: user8
Checking LDAP ... Finished

Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
22/2 ... yes 22/4 ... yes 22/5 ... yes 22/6 ... yes 22/7 ... yes 22/8 ... yes 22/10 ... yes 4/11 ... yes 4/12 ... yes 4/13 ... yes 3/15 ... yes 4/16 ... yes 24/19 ... yes 2/20 ... yes 12/21 ... yes 24/24 ... yes 24/25 ... yes 24/30 ... yes 24/31 ... yes 4/32 ... yes 26/33 ... yes 2/35 ... yes 4/39 ... yes 4/40 ... yes 4/41 ... yes 26/42 ... yes 27/43 ... yes 27/45 ... yes 3/46 ... yes 27/47 ... yes 27/48 ... yes 26/49 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.4)
Git version >= 2.9.5 ? ... yes (2.18.0)
Git user has default SSH configuration? ... yes
Active users: ... 5
Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)
Checking GitLab ... Finished
Possible fixes
A few things I can think of:
- Explicit "Sign Out" action with SAML auto-login enabled should take the user to the sign_in page (maybe by adding ?auto_sign_in=false?)
- Add support for the ?auto_sign_in=false parameter on the /users/sign_out path.
- Add a new "you have been logged out, click here to login" page (seems excessive and clunky, should be achievable with existing pages).