Misleading error message logged when using SAML SSO and encrypted assertions


I have set up SAML SSO in our self-hosted GitLab server including a certificate and private_key to allow encrypted assertions.

If login is successful but the IdP doesn't send an expected attribute (e.g. email), the GUI shows a correct error message like "Email can't be blank". I have verified that the IdP is actually sending the email address, thus I started looking into the logs and found this message in auth.log:

{"severity":"ERROR","time":"2025-08-06T07:22:58.299Z","correlation_id":"01K1Z4618WZCPG4KM9YN7VNET6","meta.caller_id":"OmniauthCallbacksController#saml","meta.feature_category":"system_access","meta.organization_id":1,"meta.remote_ip":"1.2.3.4","meta.client_id":"ip/1.2.3.4","payload_type":"saml_response","error":"An EncryptedAssertion found and no SP private key found on the settings to decrypt it. Be sure you provided the :settings parameter at the initialize method"}

An EncryptedAssertion found and no SP private key found on the settings to decrypt it. Be sure you provided the :settings parameter at the initialize method

although there is a private_key in the configuration. This led me in the wrong direction for a while, thinking it doesn't find the email address because it can't decrypt the assertion containing the mail address.

However, that error is actually logged later at https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/controllers/omniauth_callbacks_controller.rb#L64

It seems that when handling the missing-attribute error it tries to log the SAML response. But at that time, GitLab doesn't provide the configuration containing the private_key to ruby-saml, so it tries to decrypt the response but can't, and then logs the error message above. GitLab should provide the SAML configuration including the certificate and private_key to ruby-saml when logging the SAML response in case it contains encrypted information.
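The following is an added example, not code from GitLab or ruby-saml, that reproduces the failure mode described in this issue end to end. A fake IdP encrypts an assertion the way SAML uses XML Encryption (fresh AES-128-CBC session key wrapped with the SP's RSA public key via RSA-OAEP, IV prepended to the ciphertext), and a toy SP side models the ruby-saml check quoted in the log: with no settings carrying a private key, the EncryptedAssertion cannot be opened and the same error text is raised; with the settings, the assertion is decrypted and the email attribute is found. The SP key pair, the sample assertion, and the function names (idp_encrypt_assertion, decrypt_assertion, email_from_response, log_payload) are all constructed for this example; the XML is parsed with regular expressions rather than a real XML-Enc/XPath implementation, so it is only a model of ruby-saml's behaviour, not a drop-in replacement.

```ruby
require 'openssl'

# Constructed SP key pair (stands in for the certificate/private_key GitLab is configured with).
SP_KEY = OpenSSL::PKey::RSA.generate(2048)

# Constructed plaintext assertion carrying the attribute GitLab complains is blank.
ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
XML

# Exact text of the ruby-saml error quoted in the issue, raised by the toy SP below.
NO_KEY_ERROR = 'An EncryptedAssertion found and no SP private key found on the settings to decrypt it. ' \
               'Be sure you provided the :settings parameter at the initialize method'

# IdP side (hypothetical): wrap the assertion as <saml:EncryptedAssertion> with an
# EncryptedKey for the SP. Session key is wrapped with RSA-OAEP, body is AES-128-CBC, IV || ciphertext.
def idp_encrypt_assertion(assertion, sp_public_key)
  cipher = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  session_key = cipher.random_key
  iv = cipher.random_iv
  ciphertext = iv + cipher.update(assertion) + cipher.final
  wrapped_key = sp_public_key.public_encrypt(session_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:EncryptedAssertion>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <xenc:EncryptedKey>
              <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
              <xenc:CipherData><xenc:CipherValue>#{[wrapped_key].pack('m0')}</xenc:CipherValue></xenc:CipherData>
            </xenc:EncryptedKey>
          </ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>#{[ciphertext].pack('m0')}</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
      </saml:EncryptedAssertion>
    </samlp:Response>
  XML
end

# SP side (toy model of ruby-saml): without settings[:private_key] an encrypted
# assertion cannot be opened, and the parser raises the error text seen in auth.log.
def decrypt_assertion(response_xml, settings: nil)
  return response_xml unless response_xml.include?('<saml:EncryptedAssertion>')
  raise ArgumentError, NO_KEY_ERROR if settings.nil? || settings[:private_key].nil?

  sp_key = OpenSSL::PKey::RSA.new(settings[:private_key])
  # First CipherValue is the wrapped session key (inside KeyInfo), second is the assertion body.
  wrapped_b64, body_b64 = response_xml.scan(%r{<xenc:CipherValue>([^<]+)</xenc:CipherValue>}).flatten
  session_key = sp_key.private_decrypt(wrapped_b64.unpack1('m0'), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  blob = body_b64.unpack1('m0')
  cipher = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  cipher.key = session_key
  cipher.iv = blob[0, 16]
  cipher.update(blob[16..]) + cipher.final
end

# Attribute extraction after decryption; nil models GitLab's "Email can't be blank".
def email_from_response(response_xml, settings: nil)
  assertion = decrypt_assertion(response_xml, settings: settings)
  assertion[%r{Name="email">\s*<saml:AttributeValue>([^<]+)</saml:AttributeValue>}m, 1]
end

# Models the logging path from the issue: parsing the response for the log entry
# without settings yields the misleading error; with settings it decrypts cleanly.
def log_payload(response_xml, settings: nil)
  decrypt_assertion(response_xml, settings: settings)
  { payload_type: 'saml_response', decrypted: true }
rescue ArgumentError => e
  { payload_type: 'saml_response', error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  settings = { certificate: SP_KEY.public_key.to_pem, private_key: SP_KEY.to_pem }
  response = idp_encrypt_assertion(ASSERTION, SP_KEY.public_key)
  puts "login path, with settings: email=#{email_from_response(response, settings: settings).inspect}"
  puts "log path, no settings:     #{log_payload(response).inspect}"
  puts "log path, with settings:   #{log_payload(response, settings: settings).inspect}"
end
```

The point the run makes is that the same response object decrypts fine on the login path and fails only on the logging path; the difference is solely whether the settings with the private key were passed in, which is why the logged "no SP private key found" text is misleading about the actual configuration.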
