gitlab_rails['omniauth_auto_link_user'] doesn't work for SAML provider
Summary
If a GitLab administrator uses the `gitlab_rails['omniauth_auto_link_user']` setting for the SAML provider, this will not work:

```ruby
gitlab_rails['omniauth_auto_link_user'] = ["saml"]
```

This will work, however:

```ruby
gitlab_rails['omniauth_auto_link_saml_user'] = true
```
This behaviour is inconsistent with the other OmniAuth providers.
For now, we have a documentation change in !67926 (merged) that mentions this discrepancy. Once this bug is resolved, then the documentation in these sections will need to be updated:
- https://docs.gitlab.com/ee/integration/omniauth.html#automatically-link-existing-users-to-omniauth-users
- https://docs.gitlab.com/ee/integration/saml.html#general-setup
The following discussion from !67926 (merged) should be addressed:
- @dblessing commented on a discussion: Looking back to the original auto_link_user issue, I think this behavior is a bug. It was intended to take the place of the LDAP and SAML auto link settings respectively. That it doesn't work for SAML then seems like a bug.
Code analysis
By default, OmniAuth users are auto linked here: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.1.2-ee/lib/gitlab/auth/o_auth/user.rb#L75. This then calls `auto_link_user?`, which looks at `Gitlab.config.omniauth.auto_link_user`: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.1.2-ee/lib/gitlab/auth/o_auth/user.rb#L286

For the SAML provider, SAML users are auto linked here: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.1.2-ee/lib/gitlab/auth/saml/user.rb#L21. This then calls `auto_link_saml_user?` (notice the different method name), which looks at `Gitlab.config.omniauth.auto_link_saml_user`: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.1.2-ee/lib/gitlab/auth/saml/user.rb#L50
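As an added illustration (not GitLab's code), a simplified Ruby model of the two predicates described above. It assumes the generic setting accepts either a boolean or a list of provider names and that the SAML setting is a plain boolean; the third predicate shows one way the SAML path could also honour the generic setting.

```ruby
# Added example: a simplified model of the two predicates the issue describes.
# Assumption: this is not GitLab's code; it only mirrors the behaviour the
# issue reports (generic setting = boolean or list of providers, SAML
# setting = plain boolean).
OmniauthConfig = Struct.new(:auto_link_user, :auto_link_saml_user, keyword_init: true)

# Generic OmniAuth path (lib/gitlab/auth/o_auth/user.rb): the setting may be
# true/false for every provider, or a list of provider names.
def auto_link_user?(config, provider)
  setting = config.auto_link_user
  return setting if [true, false].include?(setting)

  Array(setting).map(&:to_s).include?(provider.to_s)
end

# SAML path as it behaves today (lib/gitlab/auth/saml/user.rb): only the
# SAML-specific flag is consulted, so ["saml"] in auto_link_user is ignored.
def auto_link_saml_user_current?(config)
  config.auto_link_saml_user == true
end

# One possible fix: keep the SAML-specific flag working but also honour the
# generic setting when it names "saml" (or is simply true).
def auto_link_saml_user_fixed?(config)
  auto_link_saml_user_current?(config) || auto_link_user?(config, "saml")
end

# Compare the outcomes for a given gitlab.rb configuration.
def saml_link_outcomes(config)
  {
    generic_path: auto_link_user?(config, "saml"),
    saml_path_current: auto_link_saml_user_current?(config),
    saml_path_fixed: auto_link_saml_user_fixed?(config)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed configs: the one from the issue, and the one that works today.
  from_issue = OmniauthConfig.new(auto_link_user: ["saml"], auto_link_saml_user: false)
  working = OmniauthConfig.new(auto_link_user: false, auto_link_saml_user: true)
  p saml_link_outcomes(from_issue) # saml_path_current is false despite ["saml"]
  p saml_link_outcomes(working)
end
```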
Steps to reproduce
1. Set up a SAML provider.
2. Add the following configuration to your `gitlab.rb` file, and reconfigure GitLab: `gitlab_rails['omniauth_auto_link_user'] = ["saml"]`
3. Sign in with a SAML user with a corresponding GitLab user that hasn't been linked yet. GitLab won't allow the user to be linked. This is the bug.
Example Project
N/A
What is the current bug behavior?
`gitlab_rails['omniauth_auto_link_user'] = ["saml"]` doesn't work as expected.
What is the expected correct behavior?
`gitlab_rails['omniauth_auto_link_user'] = ["saml"]` should work as expected.
Relevant logs and/or screenshots
N/A