SAML 422 error when SCIM provisions the user for the first time
Summary
When the SAML email attribute is named Email and the user does not exist yet, SAML sign-in fails with a 422 "Email can't be blank" error, even after SCIM has created the user.

It is normal that SAML on its own fails here, because Email is not a supported email attribute name; email or mail are. However, since SCIM creates the user, SAML should not need to check for the email address at all. In addition, the extern_uid is the same for SCIM and SAML.
Steps to reproduce
- Configure SAML and SCIM on a self-managed instance.
- Log in with SAML SSO.
- Confirm that SCIM created a new user with the email address.
What is the current bug behavior?
SAML seems to be checking the email attribute even though SCIM has already provisioned the account.
What is the expected correct behavior?
After SCIM provisions the account, email shouldn't be required for SAML SSO.
Relevant logs and/or screenshots
Video record showing the error:
Video record after renaming the email attribute:
```
/var/log/gitlab/gitlab-workhorse/current:{"content_type":"text/html; charset=utf-8","correlation_id":"01HGAGNENSDZKJEYYDRBVH3PR3","duration_ms":324,"host":"sr-env-14c9cff9-omnibus.env-14c9cff9.gcp.gitlabsandbox.net","level":"info","method":"POST","msg":"access","proto":"HTTP/1.1","referrer":"https://dev-26305162.okta.com/","remote_addr":"27.110.28.204:0","remote_ip":"27.110.28.204","route":"","status":422,"system":"http","time":"2023-11-28T08:27:54Z","ttfb_ms":323,"uri":"/users/auth/saml/callback","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0","written_bytes":62371}
/var/log/gitlab/gitlab-rails/production_json.log:{"method":"POST","path":"/users/auth/saml/callback","format":"html","controller":"OmniauthCallbacksController","action":"saml","status":422,"time":"2023-11-28T08:27:54.229Z","params":[{"key":"truncated","value":"..."}],"correlation_id":"01HGAGNENSDZKJEYYDRBVH3PR3","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"27.110.28.204","meta.feature_category":"system_access","meta.client_id":"ip/27.110.28.204","remote_ip":"27.110.28.204","ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0","queue_duration_s":0.013831,"request_urgency":"default","target_duration_s":1,"redis_calls":1,"redis_duration_s":0.000564,"redis_read_bytes":273,"redis_write_bytes":85,"redis_sessions_calls":1,"redis_sessions_duration_s":0.000564,"redis_sessions_read_bytes":273,"redis_sessions_write_bytes":85,"db_count":12,"db_write_count":1,"db_cached_count":0,"db_replica_count":0,"db_primary_count":12,"db_main_count":12,"db_ci_count":0,"db_main_replica_count":0,"db_ci_replica_count":0,"db_replica_cached_count":0,"db_primary_cached_count":0,"db_main_cached_count":0,"db_ci_cached_count":0,"db_main_replica_cached_count":0,"db_ci_replica_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_main_wal_count":0,"db_ci_wal_count":0,"db_main_replica_wal_count":0,"db_ci_replica_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_main_wal_cached_count":0,"db_ci_wal_cached_count":0,"db_main_replica_wal_cached_count":0,"db_ci_replica_wal_cached_count":0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.012,"db_main_duration_s":0.012,"db_ci_duration_s":0.0,"db_main_replica_duration_s":0.0,"db_ci_replica_duration_s":0.0,"cpu_s":0.297169,"mem_objects":95679,"mem_bytes":6260840,"mem_mallocs":38032,"mem_total_bytes":10088000,"pid":19489,"worker_id":"puma_0","rate_limiting_gates":[],"db_duration_s":0.0213,"view_duration_s":0.03232,"duration_s":0.23778}
/var/log/gitlab/gitlab-rails/application_json.log:{"severity":"DEBUG","time":"2023-11-28T08:27:53.929Z","correlation_id":"01HGAGNENSDZKJEYYDRBVH3PR3","message":"(saml) Callback phase initiated."}
/var/log/gitlab/gitlab-rails/application_json.log:{"severity":"INFO","time":"2023-11-28T08:27:54.138Z","correlation_id":"01HGAGNENSDZKJEYYDRBVH3PR3","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"27.110.28.204","meta.feature_category":"system_access","meta.client_id":"ip/27.110.28.204","message":"(SAML) Error saving user 00udilif8w3ijSxMt5d7 (): [\"Email can't be blank\"]"}
/var/log/gitlab/gitlab-rails/audit_json.log:{"severity":"INFO","time":"2023-11-28T08:27:54.186Z","correlation_id":"01HGAGNENSDZKJEYYDRBVH3PR3","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"27.110.28.204","meta.feature_category":"system_access","meta.client_id":"ip/27.110.28.204","id":96,"author_id":-1,"entity_id":-1,"entity_type":"User","details":{"failed_login":"SAML","author_name":"blank","target_details":"blank","author_class":"Gitlab::Audit::UnauthenticatedAuthor","target_id":-1,"target_type":"User","custom_message":"SAML login failed","ip_address":"27.110.28.204","entity_path":null},"ip_address":"27.110.28.204","author_name":"blank","entity_path":null,"target_details":"blank","created_at":"2023-11-28T08:27:54.165Z","target_type":"User","target_id":-1,"failed_login":"SAML","author_class":"Gitlab::Audit::UnauthenticatedAuthor","custom_message":"SAML login failed"}
```
Possible fixes
Name the SAML email attribute email or mail for SAML to work.
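As an added example (not GitLab's code), the following Ruby models the case-sensitive email attribute lookup described in the summary and the extern_uid-first check implied by the expected behaviour and the possible fix above. SUPPORTED_EMAIL_ATTRIBUTES, email_from_assertion, misnamed_email_attributes, resolve_saml_login and the sample assertion are assumptions constructed for illustration.

```ruby
# Attribute names the issue says are supported for email. The lookup is
# case-sensitive, so an attribute named "Email" is not matched.
SUPPORTED_EMAIL_ATTRIBUTES = %w[email mail].freeze

# Pick the first supported email attribute present in the assertion.
# attrs maps attribute name => array of values, as in a SAML
# AttributeStatement. Returns nil when no supported name matches.
def email_from_assertion(attrs)
  SUPPORTED_EMAIL_ATTRIBUTES.each do |name|
    values = attrs[name]
    return values.first if values && !values.first.to_s.strip.empty?
  end
  nil
end

# Diagnostic: attribute names that differ from a supported one only in
# case, the misconfiguration behind the 422 in the issue.
def misnamed_email_attributes(attrs)
  attrs.keys.select do |name|
    SUPPORTED_EMAIL_ATTRIBUTES.include?(name.downcase) &&
      !SUPPORTED_EMAIL_ATTRIBUTES.include?(name)
  end
end

# Hypothetical sign-in resolution. existing_users maps extern_uid => user
# record (what SCIM provisioned). Returns a status symbol plus details.
def resolve_saml_login(extern_uid, attrs, existing_users)
  user = existing_users[extern_uid]
  # SCIM already created the user with the same extern_uid: no email from
  # the assertion is needed, which is the expected behaviour in the issue.
  return [:ok, user] if user

  email = email_from_assertion(attrs)
  if email.nil?
    # Current behaviour: saving a brand-new user without email fails (422).
    return [:unprocessable, "Email can't be blank", misnamed_email_attributes(attrs)]
  end
  [:ok, { extern_uid: extern_uid, email: email }]
end

# Constructed sample assertion using the misnamed attribute from the issue.
SAMPLE_ATTRS = { "Email" => ["jane@example.com"], "firstName" => ["Jane"] }.freeze

if __FILE__ == $PROGRAM_NAME
  p resolve_saml_login("00uexample", SAMPLE_ATTRS, {})
  p resolve_saml_login("00uexample", SAMPLE_ATTRS, { "00uexample" => { email: "jane@example.com" } })
end
```

The first call reproduces the failure (no user yet, attribute named Email), the second shows the SCIM-provisioned user being accepted without any email from the assertion.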
Edited by Aysegul Acar