GitLab 17.5.5 saves NULL values to external attribute of user when logging via SAML
Summary
After 51bd1570 (@habdul-razak @dblessing) GitLab now introduces external = null values into the database and returns external = null via the User API where a boolean is expected.
We have an omnibus installation of 17.5.5 running locally with the following SSO/SAML configuration:
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://ADDRESS/users/auth/saml/callback',
      idp_cert: 'REDACTED',
      idp_sso_target_url: 'https://REDACTED/simplesaml/saml2/idp/SSOService.php',
      issuer: 'https://ADDRESS',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      attribute_statements: { nickname: ['uid'], name: ['displayName', 'cn'] }
    },
    label: 'Login with SSO'
  }
]
Our SSO doesn't return any external attribute.
What is the current bug behavior?
If logging in via SAML/SSO, GitLab stores a null for the user.external attribute.
This value is directly accessible via the Users API.
Querying the user returns external: null. The User API specification indicates that a bool should be returned.
Steps to reproduce
- Query a user via the user API
- Log in with such user via SAML with the above or identical configuration
- Query the same user to find an invalid external attribute.
Results of GitLab environment info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 3.2.5
Gem Version: 3.5.17
Bundler Version: 2.5.11
Rake Version: 13.0.6
Redis Version: 7.0.15
Sidekiq Version: 7.2.4
Go Version: unknown

GitLab information
Version: 17.5.5
Revision: c8c89100f5b
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 14.11
URL: https://ADDRESS
HTTP Clone URL: https://ADDRESS/some-group/some-project.git
SSH Clone URL: git@ADDRESS:some-group/some-project.git
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: saml

GitLab Shell
Version: 14.39.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version: 17.5.5
- default Git Version: 2.46.2
Possible fixes
On Discord by @dblessing.
def external_user?
  return true if external_provider?
  return intersecting_external_groups? if external_users_enabled?

  # Explicit fallback so the method returns a boolean instead of nil
  false
end
Edited by Renato Alves
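A check for the symptom this issue describes, as an added example that is not part of the original report or GitLab's own code: it scans a Users API list response for records whose external field is not a strict boolean. The sample JSON is constructed, and the helper names (external_state, invalid_external_users) are hypothetical.

```ruby
require 'json'

# Constructed sample shaped like a Users API list response (not real data).
SAMPLE_USERS_JSON = <<~JSON
  [
    {"id": 1, "username": "root",  "external": false},
    {"id": 2, "username": "alice", "external": null},
    {"id": 3, "username": "bob",   "external": true},
    {"id": 4, "username": "carol"}
  ]
JSON

# Classify the `external` field of one user record.
# A missing key is reported separately from an explicit null so the two
# cases are not confused when reviewing the output.
def external_state(user)
  return :missing unless user.key?('external')

  case user['external']
  when true, false then :boolean
  when nil then :null
  else :wrong_type # e.g. the string "false" instead of a JSON boolean
  end
end

# Return one entry per user whose `external` is not a strict boolean.
def invalid_external_users(json)
  JSON.parse(json).filter_map do |user|
    state = external_state(user)
    next if state == :boolean

    { id: user['id'], username: user['username'], state: state }
  end
end

if __FILE__ == $PROGRAM_NAME
  invalid_external_users(SAMPLE_USERS_JSON).each do |u|
    puts "user #{u[:id]} (#{u[:username]}): external is #{u[:state]}"
  end
end
```

Any client that treats external as a two-state flag should decide explicitly how a :null result is handled rather than relying on truthiness.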