Allow GitLab.com to use the assertion "nickname" and "username" when integrating with SAML
What does this MR do and why?
Fixes #328005 (closed)
Allow Group SAML SSO for GitLab.com to use a `username` or `nickname` value in the SAML response to indicate what the username should be. Currently the local part of the email address is used. The local part of the email address will still be used as a fallback.
All of the heavy lifting for this is done within omniauth and omniauth-saml. For self-managed we already support this via `attribute_statements` configuration as described in our docs at https://docs.gitlab.com/ee/integration/saml.html#attribute_statements.
For GitLab.com we essentially need to manage this configuration by default. We already have a `settings` hash so I added the `nickname` attribute statement there.
Per the discussion at !72134 (comment 700556890), as part of this work I also realized we were incorrectly stating that the `username` attribute was supported by default for self-managed. Updated docs reflect the correct behavior.
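To make the mapping and the fallback concrete, here is an added, self-contained illustration (not GitLab's or omniauth-saml's own code) of how an `attribute_statements` style mapping resolves a username from parsed SAML attributes, falling back to the local part of the email address when no `username`/`nickname` attribute is present. The attribute names in the mapping, the username sanitizer, and the sample assertions are all constructed for the example; GitLab's real sanitization rules are not reproduced here.

```ruby
# Added example (not GitLab's or omniauth-saml's own code): how an
# attribute_statements mapping resolves a username from SAML attributes,
# with the email local part as fallback. Attribute names, the sanitizer
# and the sample assertions are constructed for illustration.

# Constructed mapping in the shape omniauth-saml's attribute_statements
# takes: each info field lists SAML attribute names to try, in order.
ATTRIBUTE_STATEMENTS = {
  'email'    => ['email', 'mail', 'urn:oid:0.9.2342.19200300.100.1.3'],
  'nickname' => ['username', 'nickname']
}.freeze

# Build the info hash: for each field, the first listed SAML attribute
# that carries a non-empty value wins; fields with no match are omitted.
def resolve_info(saml_attributes, statements = ATTRIBUTE_STATEMENTS)
  statements.each_with_object({}) do |(info_key, candidates), info|
    value = candidates.map { |name| saml_attributes[name] }
                      .find { |v| v && !v.to_s.strip.empty? }
    info[info_key] = value.to_s.strip if value
  end
end

# Hypothetical sanitizer: keep only characters plausibly allowed in a
# username, so an IdP-controlled value cannot smuggle in '@', '/', etc.
# "drew+saml_test" becomes "drewsaml_test".
def sanitize_username(raw)
  raw.to_s.gsub(/[^a-zA-Z0-9_.-]/, '')
end

# Username is the mapped nickname when the IdP sent one, otherwise the
# local part of the email address; either way it goes through the sanitizer.
def username_from_saml(saml_attributes, statements = ATTRIBUTE_STATEMENTS)
  info = resolve_info(saml_attributes, statements)
  raw = info['nickname'] || info['email'].to_s.split('@').first
  sanitize_username(raw)
end

# Constructed sample assertions mirroring the before/after recordings.
BEFORE = { 'email' => 'drew+saml_test@example.com' }.freeze
AFTER  = { 'email' => 'drew+saml_test@example.com',
           'nickname' => 'dblessing_saml' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts username_from_saml(BEFORE) # drewsaml_test
  puts username_from_saml(AFTER)  # dblessing_saml
end
```

The point worth noting is that once `nickname` is honoured, the IdP rather than the email address decides the username, so whatever the real implementation does, the value must pass through the same validation as any other user-chosen username before it is accepted.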
Screenshots or screen recordings
Since this is so hard to validate locally here are some screen recordings showing behavior before and after the change:
Before
Here you will see the username ends up being `drewsaml_test` - this is derived from `drew+saml_test`, the local part of the email address.
After
Here you will see the username ends up being `dblessing_saml`. This is what I set in Okta as the `nickname`/`username` for my user.
How to set up and validate locally
Unfortunately, testing is quite difficult as it involves setting up GitLab locally as well as setting up an IdP. We do have Okta Sandbox, but still it's fairly involved to set up. I have tested with GDK and Okta Sandbox and it works as expected.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.