gitlab_rails['omniauth_auto_link_user'] doesn't work for SAML provider

Summary

If a GitLab administrator uses the gitlab_rails['omniauth_auto_link_user'] setting for the SAML provider, this will not work:

gitlab_rails['omniauth_auto_link_user'] = ["saml"]

This will work, however:

gitlab_rails['omniauth_auto_link_saml_user'] = true

This behaviour is inconsistent with the other OmniAuth providers.

For now, we have a documentation change in !67926 (merged) that mentions this discrepancy. Once this bug is resolved, then the documentation in these sections will need to be updated:


The following discussion from !67926 (merged) should be addressed:

  • @dblessing commented on a discussion: (+2 comments)

    Looking back to the original auto_link_user issue, I think this behavior is a bug. It was intended to take the place of the LDAP and SAML auto link settings respectively. That it doesn't work for SAML then seems like a bug.


Code analysis

By default, OmniAuth users are auto-linked here: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.1.2-ee/lib/gitlab/auth/o_auth/user.rb#L75. That code calls auto_link_user?, which reads Gitlab.config.omniauth.auto_link_user: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.1.2-ee/lib/gitlab/auth/o_auth/user.rb#L286

For the SAML provider, SAML users are auto-linked here: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.1.2-ee/lib/gitlab/auth/saml/user.rb#L21. That code calls auto_link_saml_user? (note the different method name), which reads Gitlab.config.omniauth.auto_link_saml_user: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.1.2-ee/lib/gitlab/auth/saml/user.rb#L50
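The two lookups traced above, as a simplified Ruby model with an audit helper for the reported configuration. This is an added example, not part of the original issue and not GitLab's source; the class names, the Settings struct and the helper are hypothetical, and the boolean-or-list form of auto_link_user is an assumption.

```ruby
# Simplified model of the two lookups traced above. Illustrative only:
# class and helper names are hypothetical, not GitLab's source.
Settings = Struct.new(:auto_link_user, :auto_link_saml_user, keyword_init: true)

class GenericOmniauthUser
  def initialize(provider, settings)
    @provider = provider
    @settings = settings
  end

  # Generic path: reads auto_link_user, assumed here to hold either a
  # boolean or a list of provider names such as ["saml"].
  def auto_link_user?
    value = @settings.auto_link_user
    return value if [true, false].include?(value)

    Array(value).include?(@provider)
  end

  def links_existing_account?
    auto_link_user?
  end
end

class SamlUser < GenericOmniauthUser
  # SAML path: a differently named predicate that reads a different key,
  # so auto_link_user is never consulted for this provider.
  def auto_link_saml_user?
    @settings.auto_link_saml_user == true
  end

  def links_existing_account?
    auto_link_saml_user?
  end
end

# Audit helper: true when "saml" is listed in auto_link_user but the key
# the SAML path actually reads is not enabled (the configuration in this issue).
def saml_auto_link_silently_ignored?(settings)
  listed = Array(settings.auto_link_user).include?("saml")
  listed && !SamlUser.new("saml", settings).links_existing_account?
end

reported = Settings.new(auto_link_user: ["saml"], auto_link_saml_user: false)
workaround = Settings.new(auto_link_user: [], auto_link_saml_user: true)
puts saml_auto_link_silently_ignored?(reported)
puts SamlUser.new("saml", workaround).links_existing_account?
```
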

Steps to reproduce

  1. Set up a SAML provider.

  2. Add the following configuration to your gitlab.rb file, and reconfigure GitLab.

    gitlab_rails['omniauth_auto_link_user'] = ["saml"]

  3. Sign in with a SAML user with a corresponding GitLab user that hasn't been linked yet. GitLab won't allow the user to be linked. This is the bug.

Example Project

N/A

What is the current bug behavior?

gitlab_rails['omniauth_auto_link_user'] = ["saml"] doesn't work as expected.

What is the expected correct behavior?

gitlab_rails['omniauth_auto_link_user'] = ["saml"] should work as expected.

Relevant logs and/or screenshots

N/A

Output of checks

Results of GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes