Missing attributes in JIT provisioning throw the wrong error message
Summary
Users provisioned with JIT who have a wrong or missing attribute (for example, the mail attribute set to `emailaddress` instead of `mail` or `email`) get the error:
There is already a gitlab account associated with this email address. Sign in with your existing credentials to connect your organization's account.
instead of the original error message.
For a missing email attribute, they should get the `Email can't be blank` error, which is currently only triggered when the user is provisioned with SCIM.
The original error is thrown in logs, and we found it in Kibana, but it's not what appears to the user.
The correct error is raised in https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/auth/o_auth/user.rb#L63
The misleading error is, however, thrown from https://gitlab.com/gitlab-org/gitlab/blob/master/app/controllers/omniauth_callbacks_controller.rb#L189
Affected customers
- ZD Ticket: Internal Link
- ZD Ticket: Internal Link
Steps to reproduce
- Create a SAML app on an IdP, and set the attribute mapping to a wrong value (for example, set `mail` to `emailaddress`)
- Configure SAML on one of the GitLab.com groups with this IdP
- Assign a new user to the SAML app in the IdP
- Use this new user to log in to GitLab with the group SSO login link
What is the current bug behavior?
The current error is "There is already a gitlab account associated with this email address. Sign in with your existing credentials to connect your organization's account.", which is misleading: the user doesn't already exist, but rather cannot be saved because of missing or wrong attributes.
What is the expected correct behavior?
The error should at least be the one thrown when the user couldn't be saved.
For example, in the case of a missing email attribute, it should be `Email can't be blank`.
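To illustrate the masking described above, an added Ruby example (hypothetical, not GitLab's code): a minimal user model with presence and uniqueness checks, a SAML attribute mapping that only recognises `mail` and `email`, and two callback variants, one that collapses every save failure into the generic "already exists" message and one that surfaces the model's own error. The names `provision_masking`, `provision_surfacing`, `build_user` and the sample email addresses are constructed for this example.

```ruby
# Hypothetical illustration, not GitLab's code: how a catch-all rescue in the
# callback layer hides the real validation error during JIT provisioning.

EMAIL_BLANK = "Email can't be blank"
EMAIL_TAKEN = 'Email has already been taken'
GENERIC_MSG = 'There is already a gitlab account associated with this email address. ' \
              "Sign in with your existing credentials to connect your organization's account."

# Constructed sample of emails that already have an account.
TAKEN_EMAILS = ['existing@example.com'].freeze

# Minimal stand-in for the user model: email must be present and unique.
class User
  attr_reader :email, :errors

  def initialize(email)
    @email = email
    @errors = []
  end

  # Returns true on success; on failure, @errors carries the validation messages.
  def save
    @errors = []
    @errors << EMAIL_BLANK if email.nil? || email.empty?
    @errors << EMAIL_TAKEN if TAKEN_EMAILS.include?(email)
    @errors.empty?
  end
end

# Map SAML attributes to a user. Only `mail` and `email` are recognised, so an
# IdP that sends `emailaddress` yields a blank email and the save fails.
def build_user(attrs)
  User.new(attrs['mail'] || attrs['email'])
end

# Masking variant: every save failure is reported as "already exists".
def provision_masking(attrs)
  user = build_user(attrs)
  user.save ? :ok : GENERIC_MSG
end

# Surfacing variant: only a genuine duplicate gets the generic message;
# any other validation failure is reported as the model states it.
def provision_surfacing(attrs)
  user = build_user(attrs)
  return :ok if user.save
  return GENERIC_MSG if user.errors.include?(EMAIL_TAKEN)
  user.errors.join(', ')
end
```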
Relevant logs and/or screenshots
Kibana logs:
Output of checks
This bug happens on GitLab.com
Possible fixes
Possible workaround
In the Identity provider, update the claims to match the attributes.