`required_groups` is being ignored for a provider with a name different to `saml`
Summary
A customer has contacted us saying that required_groups
is being ignored for their provider with a name different to saml
, resulting in new users being created and logged in.
Steps to reproduce
On a self-managed instance, configure SAML like this:
global:
appConfig:
omniauth:
allowBypassTwoFactor: []
allowSingleSignOn:
- saml
- saml1
autoLinkLdapUser: false
autoLinkSamlUser: true
autoLinkUser:
- saml
- saml1
autoSignInWithProvider: null
blockAutoCreatedUsers: false
enabled: true
externalProviders: []
providers:
- secret: saml-azure-provider-2
- secret: saml-azure-provider
syncProfileAttributes:
- email
syncProfileFromProvider: []
with the secret looking like this:
name: saml1
label: 'SAML Azure 6'
groups_attribute: 'Groups'
required_groups: ['321ebdc1-xxxx','5f7300f7-4635-xxxx']
admin_groups: ['321ebdc1-xxxx']
external_groups: ['5f7300f7-4635-xxxx']
args:
name: saml1
assertion_consumer_service_url: 'MyURL/users/auth/saml1/callback'
...
- The test user did not have any group memberships on the Azure side, and did not exist on GitLab yet.
- Result: the user was auto-provisioned and logged in
This behaviour is not expected.
Now change the configuration to:
name: saml
label: 'SAML Azure 7'
groups_attribute: 'Groups'
required_groups: ['321ebdc1-xxxx','5f7300f7-4635-xxxx']
admin_groups: ['321ebdc1-xxxx']
external_groups: ['5f7300f7-4635-xxxx']
args:
name: saml
assertion_consumer_service_url: 'MyURL/users/auth/saml/callback'
...
Result:
- If the test user is not part of any of the groups on the Azure side, the user was not created, and the following error appeared:
Signing in using your SAML Azure 7 account without a pre-existing GitLab account is not allowed.
- If the user is part of 321ebdc1-xxxx, the account gets auto-created, and the user gets logged in automatically
- If the user is part of group 5f7300f7-4635-xxxx, the account also gets auto-created, and the user gets logged in automatically.
This behaviour is expected.
What is the current bug behavior?
See above: A customer's account will get auto-created, even if they are not part of the required_groups
.
What is the expected correct behavior?
The behaviour should be similar to how it is for the provider with the name saml
: if the user is not part of any of the required_groups
, the account shouldn't even get auto-created. They also shouldn't be logged in after auto-creation.
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) git@gitlab-toolbox-6b6758cf96-g2bch:/$ gitlab-rake gitlab:env:info System information System: Proxy: no Current User: git Using RVM: no Ruby Version: 2.7.5p203 Gem Version: 3.2.33 Bundler Version:2.3.15 Rake Version: 13.0.6 Redis Version: 6.0.16 Sidekiq Version:6.4.2 Go Version: unknown GitLab information Version: 15.5.3-ee Revision: 48f51d8b0c3 Directory: /srv/gitlab DB Adapter: PostgreSQL DB Version: 12.7 URL: https://gitlab.gl-env-427c7ec1.env-427c7ec1.gcp.gitlabsandbox.net HTTP Clone URL: https://gitlab.gl-env-427c7ec1.env-427c7ec1.gcp.gitlabsandbox.net/some-group/some-project.git SSH Clone URL: git@gitlab.gl-env-427c7ec1.env-427c7ec1.gcp.gitlabsandbox.net:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: no Using Omniauth: yes Omniauth Providers: saml, saml1 GitLab Shell Version: 14.12.0 Repository storage paths: - default: /var/opt/gitlab/repo GitLab Shell path: /home/git/gitlab-shell (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
)git@gitlab-toolbox-6b6758cf96-g2bch:/$ gitlab-rake gitlab:check SANITIZE=true
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.12.0 ? ... OK (14.12.0) Running /home/git/gitlab-shell/bin/check gitlab-shell self-check failed Try fixing it: Make sure GitLab is running; Check the gitlab-shell configuration file: sudo -u git -H editor /home/git/gitlab-shell/config.yml Please fix the error above and rerun the checks.
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... no Try fixing it: sudo -u git -H RAILS_ENV=production bin/background_jobs start For more information see: doc/install/installation.md in section "Install Init Script" see log/sidekiq.log for possible errors Please fix the error above and rerun the checks.
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet) Systemd unit files or init script exist? ... no Try fixing it: Install the Service For more information see: doc/install/installation.md in section "Install the Service" Please fix the error above and rerun the checks. Systemd unit files or init script up-to-date? ... can't check because of previous errors Projects have namespace: ... 2/1 ... yes 17/2 ... yes Redis version >= 6.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (2.7.5) Git user has default SSH configuration? ... yes Active users: ... 6 Is authorized keys file accessible? ... skipped (authorized keys not enabled) GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
)(we will only investigate if the tests are passing)