Merge branch 'dblessing_fix_multiple_group_saml_identities' into 'master'

Fix sign-in when user has multiple group saml identities

See merge request gitlab-org/gitlab!61717

ee/changelogs/unreleased/dblessing_fix_multiple_group_saml_identities.yml

+---
+title: Fix sign-in when user has multiple group saml identities
+merge_request: 61717
+author:
+type: fixed

ee/lib/gitlab/auth/group_saml/user.rb

@@ -83,9 +83,16 @@ module Gitlab
 
         override :add_or_update_user_identities
         def add_or_update_user_identities
-          super.tap do |identity|
-            identity.saml_provider_id = @saml_provider.id
-          end
+          return unless gl_user
+
+          identity = self.identity
+          # find_or_initialize_by doesn't update `gl_user.identities`, and isn't autosaved.
+          identity ||= gl_user.identities.find { |identity| identity.provider == auth_hash.provider && identity.saml_provider_id == @saml_provider.id }
+          identity ||= gl_user.identities.build(provider: auth_hash.provider, saml_provider: @saml_provider)
+
+          identity.extern_uid = auth_hash.uid
+
+          identity
         end
 
         def update_group_membership

ee/spec/lib/gitlab/auth/group_saml/user_spec.rb

@@ -57,6 +57,18 @@ RSpec.describe Gitlab::Auth::GroupSaml::User do
       it 'does not mark the user as provisioned' do
         expect(find_and_update.provisioned_by_group).to be_nil
       end
+
+      context 'when the user has multiple group saml identities' do
+        let(:saml_provider2) { create(:saml_provider) }
+
+        before do
+          create(:group_saml_identity, extern_uid: uid, saml_provider: saml_provider2, user: identity.user)
+        end
+
+        it 'returns the user' do
+          expect(find_and_update).to eq identity.user
+        end
+      end
     end
 
     context 'with no matching user identity' do