SAML - bypass 2 factor authentication function does not work with ADFS
Summary
This bug was identified via ZD (internal use only), specifically when you enable bypass 2 factor authentication for SAML and the infrastructure is using ADFS.
The customer is using ADFS version 4.
The /etc/gitlab/gitlab.rb looks like this:
```ruby
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
      idp_sso_target_url: 'https://login.example.com/idp',
      issuer: 'https://gitlab.example.com',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      upstream_two_factor_authn_contexts:
        %w(
          urn:oasis:names:tc:SAML:2.0:ac:classes:X509
        )
    },
    label: 'Company Login' # optional label for SAML login button, defaults to "Saml"
  }
]
```
At this stage, SAML authentication is working. This is a snippet of the XML returned in the SAML response. Notice the <AuthnContextClassRef> element.
```xml
<samlp:Response>
  <Assertion>
    <AuthnStatement>
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
```
Since we have specified urn:oasis:names:tc:SAML:2.0:ac:classes:X509 as the authentication context to check for in our gitlab.rb, the bypass two factor authentication function should work, but it doesn't.
Regarding the authentication context: looking at the source, only the <saml:AuthnContextClassRef> or <saml2:AuthnContextClassRef> elements are checked in the SAML response. ADFS appears to use an unprefixed <AuthnContextClassRef>, which GitLab currently does not query. Therefore, the bypass two factor authentication function does not work as advertised for customers using ADFS for SAML authentication with GitLab.
Steps to reproduce
- Enable bypass 2 factor authentication.
- Set up a GitLab instance with SAML + ADFS as the IdP.
- Log into GitLab, complete authentication via ADFS and complete 2FA in ADFS.
- GitLab then asks the user to complete GitLab's own 2FA (it should not; it should send the user to their dashboard instead).
What is the current bug behavior?
When using ADFS, the SAML response it returns contains an authentication context. GitLab fails to pick it up, so a user who has already completed 2FA on the ADFS side is then asked by GitLab to complete GitLab 2FA as well.
What is the expected correct behavior?
If the SAML response from ADFS contains an authentication context, GitLab should process it properly and not ask the user to complete GitLab 2FA when bypass two factor authentication is turned on.
Possible fixes
Update auth_hash.rb to include <AuthnContext> and <AuthnContextClassRef> in the check.
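The mismatch described above and the fix sketched here, as an added Ruby example that is not GitLab's auth_hash.rb code. It uses REXML from the standard library, two constructed sample responses (one prefixed, one in the unprefixed ADFS style from the issue), and contrasts a prefix-based lookup with one that matches on the resolved namespace URI plus local name, which is the robust way to accept both forms; the helper names are hypothetical.

```ruby
require 'rexml/document'

SAML_ASSERTION_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'
X509_CONTEXT = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'

# Constructed sample: the common prefixed form of the assertion.
PREFIXED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Assertion><saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>#{X509_CONTEXT}</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
  </samlp:Response>
XML

# Constructed sample in the ADFS style shown in the issue: the assertion
# namespace is declared as the default namespace, so elements carry no prefix.
UNPREFIXED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <AuthnStatement><AuthnContext>
        <AuthnContextClassRef>#{X509_CONTEXT}</AuthnContextClassRef>
      </AuthnContext></AuthnStatement>
    </Assertion>
  </samlp:Response>
XML

# Prefix-based lookup, reproducing the behaviour the issue describes: only an
# element literally written as saml:... or saml2:... is recognised (hypothetical helper).
def context_by_prefix(xml)
  wanted = %w[saml:AuthnContextClassRef saml2:AuthnContextClassRef]
  REXML::XPath.each(REXML::Document.new(xml), '//*') do |el|
    return el.text.to_s.strip if wanted.include?(el.expanded_name)
  end
  nil
end

# Namespace-aware lookup: match on the resolved namespace URI plus local name,
# so prefixed and default-namespace assertions are treated alike (hypothetical helper).
def context_by_namespace(xml)
  REXML::XPath.each(REXML::Document.new(xml), '//*') do |el|
    return el.text.to_s.strip if el.name == 'AuthnContextClassRef' && el.namespace == SAML_ASSERTION_NS
  end
  nil
end

# Mirrors the upstream_two_factor_authn_contexts decision from gitlab.rb.
def upstream_2fa_satisfied?(authn_context, allowed_contexts)
  !authn_context.nil? && allowed_contexts.include?(authn_context)
end
```

Both lookups assume they run on an assertion whose signature has already been verified; the context value only counts for skipping GitLab 2FA once the response is trusted.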