Users are sometimes asked to relink with the exact same SAML response
Summary
One particular customer's users are being asked to link their SAML account, and the logs show that the ID is already taken. However, the SAML response is the same both when a user can sign in and when they can't.
As the NameID (and the SAML response in general) does not change and matches the identity listed in GitLab for each user, investigation is required to understand why users in this customer's group are often not authenticated correctly, and to resolve it.
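The claim above rests on the two captured responses carrying the same NameID. As an added illustration (not code from this ticket or from GitLab itself), the following Ruby script shows one way to check that claim mechanically: it decodes a base64 SAMLResponse, pulls out the Subject NameID and its Format, and compares the successful and failed captures byte for byte, calling out differences that are easy to miss by eye (case, surrounding whitespace, or a changed Format attribute). The responses are constructed inline, unsigned and minimal; signature verification is out of scope here, and whether GitLab matches extern_uid case-sensitively is not established by this script.

```ruby
require 'base64'
require 'rexml/document'

SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'.freeze

# Build a constructed, unsigned SAML Response (not real traffic from the
# ticket) containing only the Subject/NameID an IdP would POST to the ACS URL.
def build_response(name_id, format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified')
  xml = <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="#{SAML_NS}" ID="_r1" Version="2.0">
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Subject>
          <saml:NameID Format="#{format}">#{name_id}</saml:NameID>
        </saml:Subject>
      </saml:Assertion>
    </samlp:Response>
  XML
  Base64.strict_encode64(xml)
end

# Decode a base64 SAMLResponse parameter and return the NameID value and
# Format, or nil when the assertion carries no NameID at all.
def extract_name_id(encoded)
  doc = REXML::Document.new(Base64.decode64(encoded))
  node = REXML::XPath.first(doc, '//saml:NameID', 'saml' => SAML_NS)
  return nil unless node

  { value: node.text.to_s, format: node.attributes['Format'].to_s }
end

# Compare the NameID from a successful login capture with the one from a
# failed capture. Returns a list of findings; an empty list means the two
# NameIDs are byte-identical, i.e. the IdP is not the variable here.
def compare_name_ids(ok_encoded, failed_encoded)
  ok = extract_name_id(ok_encoded)
  failed = extract_name_id(failed_encoded)
  return ['NameID missing in one of the responses'] if ok.nil? || failed.nil?

  findings = []
  findings << 'NameID Format differs' if ok[:format] != failed[:format]
  if ok[:value] != failed[:value]
    findings << if ok[:value].strip.casecmp?(failed[:value].strip)
                  'NameID differs only in case or surrounding whitespace'
                else
                  'NameID value differs'
                end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  ok = build_response('user@example.com')
  failed = build_response('User@example.com')
  puts extract_name_id(ok).inspect
  puts compare_name_ids(ok, failed).inspect
end
```

To apply this to real captures, replace the two constructed responses with the base64 SAMLResponse values from the successful and failed POSTs; an empty findings list confirms the NameID is unchanged, which narrows the investigation to the GitLab side (the identity lookup and the "already been taken" validation) rather than the IdP.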
Steps to reproduce
Unknown
Example Project
See https://gitlab.zendesk.com/agent/tickets/210457 for details
The original reporter provided SAML traces for a successful and a failed login attempt. Kibana links (internal):
- Successful: Correlation ID: 01F5GTF99472Y9ZWCV1DMGG1BX https://log.gprd.gitlab.net/app/discover#/doc/7092c4e2-4eb5-46f2-8305-a7da2edad090/pubsub-rails-inf-gprd-005033?id=MOanYXkB3kEf0Ykg_N9T
- Failed: Correlation ID: 01F5GTK35CA6AWBEQEXS645WTR https://log.gprd.gitlab.net/app/discover#/doc/7092c4e2-4eb5-46f2-8305-a7da2edad090/pubsub-rails-inf-gprd-005033?id=dPWqYXkBAc9M3SrLNAlc
What is the current bug behavior?
Users are often asked to relink their account, which requires signing in directly, unlinking, and relinking the identity.
What is the expected correct behavior?
The user is signed in and redirected to the group page or the page they were trying to visit.
Relevant logs and/or screenshots
Kibana: https://log.gprd.gitlab.net/goto/1c5af7d2c9819f5eb341aa800621867d
(GroupSaml Provider #69) Error saving user <redacted ID> ():
followed by one of the two:
Error saving user <extern uid> (): ["Identities extern uid has already been taken", "Identities user has already been taken"]
Error saving user <extern uid> (): ["Email can't be blank", "Notification email can't be blank"]
Output of checks
GitLab.com, GitLab Enterprise Edition 13.12.0-pre c82d065f