"Remember me" option fails with 500 error for SAML-provisioned users with no password set
Summary
When a SAML-provisioned user selects the "Remember me" option during the sign-in flow, but does not have a password set for their GitLab.com account, they receive server 500 errors after ~24 hours.
This was discovered by a customer on ticket #364590 (GitLab internal).
Steps to reproduce
- Provision a SAML user on GitLab.com through an SSO provider
- Using only the SSO provider to sign-in, select the "Remember me" option during the GitLab flow
- Observe that eventually, after about 24 hours, you receive a server 500 error when prompted to re-authenticate
Example Project
Not applicable
What is the current bug behavior?
The end user receives a 500 error. Upon investigating the request ID in Elastic, the caller Groups::OmniauthCallbacksController#group_saml receives the following error:
"exception.message": "authenticatable_salt returned nil for the User model. In order to use rememberable, you must ensure a password is always set or have a remember_token column in your model or implement your own rememberable_value in the model with custom logic.",
I will paste the entire JSON log message in an internal comment, since it may contain sensitive data, and it won't be available in Elastic in the near future.
What is the expected correct behavior?
The login process should complete as usual, and prompt users for re-authentication when needed.
Relevant logs and/or screenshots
Relevant log message will be pasted in an internal comment.
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
This bug happens on GitLab.com
Results of GitLab application Check
This bug happens on GitLab.com
Possible fixes
Instead of delivering a 500 error, we should do one of the following:
- Return a meaningful error to the user with an actionable next step
- Allow SAML-provisioned users to use the "remember me" checkbox without setting a password (i.e., allow nil as a password value)
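As an added illustration (not GitLab's or Devise's own code), the constructed Ruby model below mirrors the behaviour the error message describes: the "remember me" cookie value is derived from the salt of the stored password hash, so a SAML-only user with no password has nothing to derive it from, and a remember_token fallback (the second possible fix above) removes that dependency. The class, method names and sample values are assumptions for the example.

```ruby
require "securerandom"
# Constructed stand-in for a Devise-style user model (hypothetical; not
# GitLab's or Devise's code). It mirrors the behaviour in the error above:
# the "remember me" cookie value comes from authenticatable_salt, which is
# cut from the stored password hash, so a password-less SAML user has none.
class User
  attr_reader :encrypted_password, :remember_token

  def initialize(encrypted_password: nil)
    @encrypted_password = encrypted_password
  end

  # Salt is the leading bytes of the bcrypt hash; nil when no password is set.
  def authenticatable_salt
    encrypted_password && encrypted_password[0, 29]
  end

  # Buggy path: salt only. For a SAML-only account this raises, and an
  # unhandled exception in the callback controller surfaces as a 500.
  def rememberable_value_password_only
    authenticatable_salt ||
      raise("authenticatable_salt returned nil for the User model")
  end

  # Hardened path (second fix above): fall back to a random per-user token
  # persisted on the model, so remembering never depends on a password.
  def rememberable_value
    authenticatable_salt || (@remember_token ||= SecureRandom.hex(16))
  end

  # Check a presented cookie value; unknown or malformed input fails closed.
  def remember_me?(presented)
    expected = rememberable_value
    return false unless presented.is_a?(String) &&
                        presented.bytesize == expected.bytesize
    # Constant-time comparison so the token cannot be guessed byte by byte.
    presented.bytes.zip(expected.bytes).reduce(0) { |d, (x, y)| d | (x ^ y) }.zero?
  end
end
# Constructed sample accounts: a bcrypt-style hash, and a SAML-only user.
pw_user   = User.new(encrypted_password: "$2a$10$" + "x" * 53)
saml_user = User.new
puts "password user: #{pw_user.rememberable_value}"
begin
  saml_user.rememberable_value_password_only
rescue RuntimeError => e
  puts "buggy path: #{e.message}"
end
puts "fixed path: #{saml_user.rememberable_value}"
```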
Workarounds
I see 2 possible workarounds:
- Clear browser cache to reset the "Remember me" option, and do not select it during the next authentication
- Set a standard password for the GitLab account using the request password reset form