<!--- Please read this! Before opening a new issue, make sure to search for keywords in the issues filtered by the "regression" or "bug" label. For the Community Edition issue tracker: - https://gitlab.com/gitlab-org/gitlab-ce/issues?label_name%5B%5D=regression - https://gitlab.com/gitlab-org/gitlab-ce/issues?label_name%5B%5D=bug For the Enterprise Edition issue tracker: - https://gitlab.com/gitlab-org/gitlab-ee/issues?label_name%5B%5D=regression - https://gitlab.com/gitlab-org/gitlab-ee/issues?label_name%5B%5D=bug and verify the issue you're about to submit isn't a duplicate. ---> ### Summary The installation in use has [New users set to external](https://docs.gitlab.com/ee/user/permissions.html#external-users-permissions) but new users that fit the [internal users](https://docs.gitlab.com/ee/user/permissions.html#default-internal-users) regex are created as external users. Oauth is used for authentication by shibboleth. ### Steps to reproduce 1. Do the following things as admin 1. Set "New users set to external -> Newly registered users will by default be external" in Settings/Account and limit. 1. Set "Internal users" to "@example\\.com" 1. Use a private browser tab 1. Login via shibboleth oauth with a user that has a mail address user@example.com 1. Check as admin 1. User got created as external user ### Example Project Not applicable. ### What is the current *bug* behavior? Newly created users authenticated by oauth shibboleth become external users although their mail address matches the internal users regex. ### What is the expected *correct* behavior? Newly created users authenticated by oauth shibboleth become internal users because their mail address matches the internal users regex. ### Relevant logs and/or screenshots The only log entry I found is ``` September 24, 2018 14:23: User "Example, Peter" (peter@example.com) was created September 24, 2018 14:23: (OAuth) saving user peter@example.com from login with extern_uid => peter@example.com ``` There is no info if the user is created internally or externally. ### Output of checks This bug happens on a selfhosted GitLab Community Edition. #### Results of GitLab environment info <details> <summary>Expand for output related to GitLab environment info</summary> <pre> System information System: Ubuntu 16.04 Current User: git Using RVM: no Ruby Version: 2.4.4p296 Gem Version: 2.7.6 Bundler Version:1.16.2 Rake Version: 12.3.1 Redis Version: 3.2.11 Git Version: 2.18.0 Sidekiq Version:5.1.3 Go Version: unknown GitLab information Version: 11.3.0 Revision: 17bd59a Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql URL: https://gitlab.example.private HTTP Clone URL: https://gitlab.example.private/some-group/some-project.git SSH Clone URL: git@gitlab.example.private:some-group/some-project.git Using LDAP: no Using Omniauth: yes Omniauth Providers: shibboleth GitLab Shell Version: 8.3.3 Repository storage paths: \- default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git </pre> </details> #### Results of GitLab application Check <details> <summary>Expand for output related to the GitLab application check</summary> <pre> Checking GitLab Shell ... GitLab Shell version >= 8.3.3 ? ... OK (8.3.3) Repo base directory exists? default... yes Repo storage directories are symlinks? default... no Repo paths owned by git:root, or git:git? default... yes Repo paths access is drwxrws---? default... yes hooks directories in repos are links: ... 2/1 ... ok 6/2 ... ok 8/3 ... repository is empty 13/4 ... ok 7/5 ... repository is empty 7/6 ... ok 16/7 ... ok 16/8 ... ok 12/9 ... ok 12/10 ... ok 12/11 ... ok 16/12 ... ok 25/13 ... ok 7/14 ... ok Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Redis available via internal API: OK Access to /var/opt/gitlab/.ssh/authorized_keys: OK gitlab-shell self-check successful Checking GitLab Shell ... Finished Checking Sidekiq ... Running? ... yes Number of Sidekiq processes ... 1 Checking Sidekiq ... Finished Reply by email is disabled in config/gitlab.yml Checking LDAP ... LDAP is disabled in config/gitlab.yml Checking LDAP ... Finished Checking GitLab ... Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 2/1 ... yes 6/2 ... yes 8/3 ... yes 13/4 ... yes 7/5 ... yes 7/6 ... yes 16/7 ... yes 16/8 ... yes 12/9 ... yes 12/10 ... yes 12/11 ... yes 16/12 ... yes 25/13 ... yes 7/14 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.3.5 ? ... yes (2.4.4) Git version >= 2.9.5 ? ... yes (2.18.0) Git user has default SSH configuration? ... yes Active users: ... 24 Checking GitLab ... Finished </pre> </details> ### Possible fixes My guess: Apply check for internal users for accounts created by omniauth and set internal or external accordingly.