Commit 86dc50d7 authored by Mike Jang's avatar Mike Jang

Merge branch 'arty-spt-186784' into 'master'

Add rails log searching tips and additional root cause

See merge request gitlab-org/gitlab!51815
parents eb1bbcb7 4fa2b7c4
......@@ -418,6 +418,11 @@ This can be prevented by configuring the [NameID](#nameid) to return a consisten
Ensure that the user who is trying to link their GitLab account has been added as a user within the identity provider's SAML app.
Alternatively, the SAML response may be missing the `InResponseTo` attribute in the
`samlp:Response` tag, which is [expected by the SAML gem](https://github.com/onelogin/ruby-saml/blob/9f710c5028b069bfab4b9e2b66891e0549765af5/lib/onelogin/ruby-saml/response.rb#L307-L316).
The [Identity Provider](#glossary) administrator should ensure that the login should be
initiated by the Service Provider (typically GitLab) and not the Identity Provider.
### Stuck in a login "loop"
Ensure that the **GitLab single sign-on URL** has been configured as "Login URL" (or similarly named field) in the identity provider's SAML app.
......@@ -446,3 +451,25 @@ However, self-managed GitLab instances use a configuration file that supports mo
Internally that uses the [`ruby-saml` library](https://github.com/onelogin/ruby-saml), so we sometimes check there to verify low level details of less commonly used options.
It can also help to compare the XML response from your provider with our [example XML used for internal testing](https://gitlab.com/gitlab-org/gitlab/blob/master/ee/spec/fixtures/saml/response.xml).
### Searching Rails log
With access to the rails log or `production_json.log` (available only to GitLab team members for GitLab.com),
you should be able to find the base64 encoded SAML response by searching with the following filters:
- `json.meta.caller_id`: `Groups::OmniauthCallbacksController#group_saml`
- `json.meta.user` or `json.username`: `username`
- `json.method`: `POST`
- `json.path`: `/groups/GROUP-PATH/-/saml/callback`
In a relevant log entry, the `json.params` should provide a valid response with:
- `"key": "SAMLResponse"` and the `"value": (full SAML response)`,
- `"key": "RelayState"` with `"value": "/group-path"`, and
- `"key": "group_id"` with `"value": "group-path"`.
In some cases, if the SAML response is lengthy, you may receive a `"key": "truncated"` with `"value":"..."`.
In these cases, please ask a group owner for a copy of the SAML response from when they select
the "Verify SAML Configuration" button on the group SSO Settings page.
Use a base64 decoder to see a human-readable version of the SAML response.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment