SAML Authentication documentation shouldn't recommend transient name identifier
Summary
A transient name identifier should be used only when the identifier itself is not stored. GitLab stores it, so every login after the initial one fails with the error shown in the logs below.
Details are in sections 8.3.7 and 8.3.8 of the SAML 2.0 specification.
Steps to reproduce
Enable the SAML2 integration as described in doc/integration/saml.md, and use urn:oasis:names:tc:SAML:2.0:nameid-format:transient as the name identifier format. The initial login succeeds; subsequent logins fail with the message provided below.
What is the current bug behavior?
Transient name identifier is recommended in official documentation.
What is the expected correct behavior?
Persistent name identifier is recommended in official documentation (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
Relevant logs and/or screenshots
Started GET "/users/auth/saml/omniauth_error?error=Identities+user+has+already+been+taken" for <IP> at 2017-02-24 09:07:14 +0200
Processing by OmniauthCallbacksController#omniauth_error as HTML
Parameters: {"error"=>"Identities user has already been taken", "provider"=>"saml"}
Completed 422 Unprocessable Entity in 20ms (Views: 1.0ms | ActiveRecord: 1.9ms)
Possible fixes
Fix the documentation at doc/integration/saml.md
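The failure described in this report can be reproduced with a simplified model, added here as an illustration and not taken from GitLab's code. The class names, the fallback of linking by e-mail and the one-identity-per-user-and-provider rule are assumptions made for the example; only the two NameID format URNs and the error string come from the report.

```ruby
# Simplified model of a service provider that stores the SAML NameID per user.
# Added illustration; not GitLab's code. Class and method names are hypothetical.
require 'securerandom'

TRANSIENT  = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'

# Constructed IdP stand-in: transient NameIDs are fresh for every assertion,
# persistent ones stay the same for a given user.
class FakeIdp
  def initialize(format)
    @format = format
    @stable = {}
  end

  def name_id_for(email)
    return SecureRandom.uuid if @format == TRANSIENT
    @stable[email] ||= SecureRandom.uuid
  end
end

# Assumed SP behaviour: look up the stored NameID, otherwise link by e-mail,
# allowing only one stored identity per user and provider.
class ServiceProvider
  def initialize
    @identities = {} # [provider, name_id] => email
  end

  def login(provider, name_id, email)
    return :ok if @identities[[provider, name_id]] == email
    if @identities.any? { |(prov, _), user| prov == provider && user == email }
      return 'Identities user has already been taken'
    end
    @identities[[provider, name_id]] = email
    :ok
  end
end

# Run several logins for one constructed user and collect each outcome.
def simulate_logins(format, count = 3)
  idp = FakeIdp.new(format)
  sp = ServiceProvider.new
  Array.new(count) { sp.login('saml', idp.name_id_for('user@example.com'), 'user@example.com') }
end

if __FILE__ == $PROGRAM_NAME
  puts "transient:  #{simulate_logins(TRANSIENT).inspect}"
  puts "persistent: #{simulate_logins(PERSISTENT).inspect}"
end
```

With the transient format only the first login succeeds, because each later assertion carries a NameID the service provider has never stored; with the persistent format every login matches the stored identity.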