Support Microsoft attribute names
Microsoft Azure SAML integration by default uses attribute names with a URL style: `http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress`. Currently, GitLab.com only supports attribute names like `mail` or `email` per https://docs.gitlab.com/ee/user/group/saml_sso/#user-attributes. Self-managed GitLab is the same by default but is configurable: https://docs.gitlab.com/ee/integration/saml.html#configure-assertions.
Both self-managed and SaaS should ideally support these common attribute names by default. The name values are documented at https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimtypes?view=net-7.0. The ones we really need to be concerned with are first name (given name), last name (surname), username and email address.
We can make this change in `Gitlab::Auth::Saml::AuthHash` and override the parent class methods like `name` and `email` and use an OR statement. The following is what I expect will work but is untested.
```ruby
# In Gitlab::Auth::Saml::AuthHash; `override` requires `extend ::Gitlab::Utils::Override` on the class
override :email
def email
  # Plain `email`/`mail` attribute first, Microsoft claim URI only as the fallback
  super || get_info('http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress')
end
```
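To show the `super || get_info(...)` idea working for all four attributes named above, here is a standalone Ruby model added for this issue (not GitLab's code): `BaseAuthHash` is an assumed stand-in for `Gitlab::Auth::OAuth::AuthHash`, the email claim URI is the one quoted above, and the given-name, surname and name claim URIs are assumed from the ClaimTypes constants in the linked Microsoft documentation.

```ruby
# Stand-in for Gitlab::Auth::OAuth::AuthHash (not GitLab code): it reads the
# plain attribute names GitLab supports today from an OmniAuth-style info hash.
class BaseAuthHash
  PLAIN_NAMES = { email: %w[email mail], first_name: %w[first_name],
                  last_name: %w[last_name], username: %w[username] }.freeze

  def initialize(info)
    @info = info
  end

  # Blank values count as absent so an empty attribute does not block a fallback.
  def get_info(key)
    value = @info[key]
    value.is_a?(String) && !value.strip.empty? ? value : nil
  end

  PLAIN_NAMES.each do |attr, keys|
    define_method(attr) { keys.map { |k| get_info(k) }.compact.first }
  end
end

# The proposed `super || get_info(...)` override, generalised to all four
# attributes. Plain names win, so existing deployments keep their behaviour.
# Email URI as quoted in the issue; the other three are assumed ClaimTypes values.
class SamlAuthHash < BaseAuthHash
  MS_CLAIMS = {
    email: 'http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress',
    first_name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    last_name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
    username: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
  }.freeze

  MS_CLAIMS.each do |attr, claim_uri|
    define_method(attr) { super() || get_info(claim_uri) }
  end
end

# Constructed sample: an IdP that sends only URI-style claim names.
AZURE_STYLE_INFO = {
  SamlAuthHash::MS_CLAIMS[:email] => 'jane.doe@example.com',
  SamlAuthHash::MS_CLAIMS[:first_name] => 'Jane',
  SamlAuthHash::MS_CLAIMS[:last_name] => 'Doe',
  SamlAuthHash::MS_CLAIMS[:username] => 'jane.doe'
}.freeze

def resolve(info)
  h = SamlAuthHash.new(info)
  { email: h.email, first_name: h.first_name, last_name: h.last_name, username: h.username }
end
```

When both forms are present the plain attribute still wins, so a deployment already mapping `mail` sees no change; only assertions carrying solely the URI-style names pick up the fallback.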