IdP initiated Group SAML redirects to https://gitlab.com/ instead of group
Summary
For IdP-initiated SAML sign-in, GitLab should default to redirecting the user to the top-level GitLab group after sign-in. @stanhu suggested the following as a potential solution in his comment at #330288 (comment 637841446):
diff --git a/ee/app/controllers/groups/omniauth_callbacks_controller.rb b/ee/app/controllers/groups/omniauth_callbacks_controller.rb
index 6062ce87de4a..4d94ad798abd 100644
--- a/ee/app/controllers/groups/omniauth_callbacks_controller.rb
+++ b/ee/app/controllers/groups/omniauth_callbacks_controller.rb
@@ -13,7 +13,7 @@ def group_saml
identity_linker = Gitlab::Auth::GroupSaml::IdentityLinker.new(current_user, oauth, session, @saml_provider)
- store_location_for(:redirect, saml_redirect_path)
+ store_location_for(:redirect, saml_redirect_path || group_path(@unauthenticated_group))
omniauth_flow(Gitlab::Auth::GroupSaml, identity_linker: identity_linker)
rescue Gitlab::Auth::Saml::IdentityLinker::UnverifiedRequest
redirect_unverified_saml_initiation
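Review bot: the `||` fallback on the `+` line only fires when `saml_redirect_path` is `nil`; an empty string is truthy in Ruby, so a RelayState that arrives as `""` rather than absent would still send the user to the root page. `saml_redirect_path.presence || group_path(@unauthenticated_group)` covers both cases. The hunk also relies on `@unauthenticated_group` being assigned before `group_saml` runs, which is not visible here and is worth confirming against the controller's before_action.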
Reported by a Premium customer: https://gitlab.zendesk.com/agent/tickets/209455 (internal)
A previously working Okta-based Group SAML SSO setup has recently begun landing authenticating users on https://gitlab.com/ post-callback instead of https://gitlab.com/groupname.
Prior to April 28th-ish, the same setup, without any changes, was correctly taking users to the group page after authentication.
Steps to reproduce
- Set up Okta Group SAML authentication (other providers have not been tried) and create an Okta application for going to GitLab.
- Click the Okta GitLab application (to initiate the authentication from the IdP end).
- Observe the final landing page on GitLab after authentication succeeds.
Example Project
Please see the internal customer ticket https://gitlab.zendesk.com/agent/tickets/209455 for the group URL and other details.
https://about.gitlab.com/handbook/support/internal-support/#viewing-support-tickets
What is the current bug behavior?
Successful IdP initiated group SAML authentication sends user to https://gitlab.com/
What is the expected correct behavior?
Successful IdP initiated group SAML authentication sends user to https://gitlab.com/their-group
Relevant logs and/or screenshots
Please see the internal customer ticket https://gitlab.zendesk.com/agent/tickets/209455 for the log entries and other details.
https://about.gitlab.com/handbook/support/internal-support/#viewing-support-tickets
Essentially, the callback URL receives a request without a RelayState, and it responds with a Location header pointing at the GitLab root page / instead of the group page.
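To make that mechanism concrete, here is an added Ruby illustration (not GitLab's code) of how the post-callback target can be chosen: the RelayState is reduced to a same-site path, and when it is absent or unusable the group's path is used instead of the root page. `group_full_path` and `site_host` are assumed inputs, not GitLab internals.

```ruby
require 'uri'

# Added illustration, not GitLab's code: choose the post-callback redirect for
# a Group SAML response. An IdP-initiated response carries no RelayState, so
# without a fallback the user lands on "/". `group_full_path` and `site_host`
# are assumed inputs rather than GitLab internals.
module SamlRedirect
  ROOT = '/'

  # Fixed behaviour: an absent or unusable RelayState falls back to the group.
  def self.target(relay_state, group_full_path:, site_host: 'gitlab.com')
    relative_path(relay_state, site_host) || "/#{group_full_path}"
  end

  # Buggy behaviour for comparison: no fallback, so a nil RelayState yields "/".
  def self.legacy_target(relay_state, site_host: 'gitlab.com')
    relative_path(relay_state, site_host) || ROOT
  end

  # Reduce RelayState to a same-site path. Empty, malformed, off-site or
  # non-path values are dropped (nil) so the IdP-supplied value cannot turn
  # into an open redirect; an absolute URL on our own host keeps its path.
  def self.relative_path(relay_state, site_host)
    value = relay_state.to_s.strip
    return nil if value.empty?

    uri = URI.parse(value)
    return nil if uri.host && !uri.host.casecmp?(site_host)  # another host
    return nil if uri.host.nil? && !value.start_with?('/')   # e.g. "javascript:"

    path = uri.path.to_s
    path = ROOT if path.empty?
    uri.query ? "#{path}?#{uri.query}" : path
  rescue URI::InvalidURIError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  puts SamlRedirect.legacy_target(nil)                          # "/"
  puts SamlRedirect.target(nil, group_full_path: 'groupname')   # "/groupname"
  puts SamlRedirect.target('https://evil.example/x', group_full_path: 'groupname')
end
```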
Output of checks
This bug happens on GitLab.com
Possible workaround
- Add the group link to the Default RelayState on the identity provider app.