SAML Login fails in a weird way (500 Error) undefined method `+' for nil:NilClass

Summary

I set up SAML Login in with Keycloak (https://www.keycloak.org/) accordingly to this Tutorial: https://edenmal.moe/2018/01/16/GitLab-Keycloak-SAML-2-0-OmniAuth-Provider/

It worked great until I had to reinstall my keycloak instance. In the process Certificates were changed. I did change the idp_cert property in saml config. Also I sucessfully updated SAML integration for all my other client applications.

So this is my SAML Config

gitlab_rails['omniauth_providers'] = [
  {
	  name: 'saml',
	  args: {
		  assertion_consumer_service_url: 'https://gitlab.domain.com/users/auth/saml/callback',
		  idp_cert: '[filtered]',
		  issuer: 'gitlab.domain.com',
		  attribute_statements: {
                  	first_name: ['first_name'],
                        last_name: ['last_name'],
                        name: ['name'],
                        username: ['name'],
                        email: ['email'] 
	          },
                  name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:email'
	  },
	  label: 'auth.domain.com',
	  # groups_attribute: 'roles',
	  # external_groups: ['gitlab.domain.com:external'],
  }
]

Now when I try to login with this provider I land on https://gitlab.domain.com/users/auth/saml with a 500 Error and I get the following in production.log of gitlab-rails:

Started POST "/users/auth/saml" for 91.65.29.161 at 2018-05-14 09:46:55 +0200
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 0ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms)

NoMethodError (undefined method `+' for nil:NilClass):
  lib/gitlab/middleware/multipart.rb:95:in `call'
  lib/gitlab/request_profiler/middleware.rb:14:in `call'
  ee/lib/gitlab/jira/middleware.rb:15:in `call'
  lib/gitlab/middleware/go.rb:17:in `call'
  lib/gitlab/etag_caching/middleware.rb:11:in `call'
  lib/gitlab/middleware/read_only/controller.rb:28:in `call'
  lib/gitlab/middleware/read_only.rb:16:in `call'
  lib/gitlab/request_context.rb:18:in `call'
  lib/gitlab/metrics/requests_rack_middleware.rb:27:in `call'
  lib/gitlab/middleware/release_env.rb:10:in `call'

I can't definitely say whether this has to do with certificates, but it probably has something to do with something I did. The problem here is that this log output is totally useless to me and I'm kinda desperate how to debug this.

Steps to reproduce

Integrate a keycloak SAML provider, make sure everything works, then switch to a new (or another) keycloak instance.

What is the current bug behavior?

500 Errors with poor log output on SAML login attempt

What is the expected correct behavior?

Successful SAML login - or - a useful error in log.

Results of GitLab environment info

Expand for output related to GitLab environment info

System information System: Debian 9.4 Proxy: no Current User: git Using RVM: no Ruby Version: 2.3.6p384 Gem Version: 2.6.13 Bundler Version:1.13.7 Rake Version: 12.3.0 Redis Version: 3.2.11 Git Version: 2.14.3 Sidekiq Version:5.0.5 Go Version: unknown

GitLab information Version: 10.7.3-ee Revision: 584a495 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql DB Version: 9.6.8 URL: http://gitlab.alt.coop HTTP Clone URL: http://gitlab.alt.coop/some-group/some-project.git SSH Clone URL: git@gitlab.alt.coop:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: no Using Omniauth: yes Omniauth Providers: saml

GitLab Shell Version: 7.1.2 Repository storage paths:

default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check

Checking GitLab Shell ...

GitLab Shell version >= 7.1.2 ? ... OK (7.1.2) Repo base directory exists? default... yes Repo storage directories are symlinks? default... no Repo paths owned by git:root, or git:git? default... yes Repo paths access is drwxrws---? default... yes hooks directories in repos are links: ... 3/3 ... ok 3/8 ... ok 3/9 ... ok 2/10 ... ok 3/11 ... ok Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 3/3 ... yes 3/8 ... yes 3/9 ... yes 2/10 ... yes 3/11 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.3.5 ? ... yes (2.3.6) Git version >= 2.9.5 ? ... yes (2.14.3) Git user has default SSH configuration? ... yes Active users: ... 4 Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)

Checking GitLab ... Finished