Kerberos Spnego sign-in does not create an identity for the user when `allow_single_sign_on` is set
Summary
Kerberos Spnego sign-in does not create an identity for the user when `allow_single_sign_on` is set.
Steps to reproduce
- Set up Kerberos on GDK following the instructions here.
- Ensure that `allow_single_sign_on: ["kerberos"]` is set in your `gitlab.yml` file. (It's worth noting here that we currently have an inconsistency between using `kerberos` and `kerberos_spnego`. See this issue.) I have also tried setting `allow_single_sign_on: ["kerberos_spnego"]`, which also doesn't work.
- Create a user in GitLab with the username (say) `user`.
- Generate a ticket granting ticket (TGT) by running `kinit user@GDK.TEST` on your local.
- Try logging in to GitLab with the "Kerberos Spnego" SSO button. You will see "Signing in using your Kerberos account without a pre-existing GitLab account is not allowed. Create a GitLab account first, and then connect it to your Kerberos account."
- Now, if you go to the Rails console and create an identity for this user manually with `Identity.create(user: User.find_by(username: 'user'), extern_uid: 'user@GDK.TEST', provider: 'kerberos')`, you will be able to log in.
The identity should have been created automatically.
If step 3 (manually creating a user) is skipped, the user should be created the first time the "Kerberos Spnego" SSO button is clicked, but the same error as above is shown.
Also, I want to mention here that I was only able to successfully log in (after manually creating the identity) on Safari. On Firefox and Google Chrome, I see a 401:
Example Project
What is the current bug behavior?
A `kerberos` (or `kerberos_spnego`) identity for the user is not automatically created.
What is the expected correct behavior?
A `kerberos` (or `kerberos_spnego`) identity for the user should be automatically created.
Output of checks
Results of GitLab environment info
System information
System:
Proxy: rvm_proxy:
Current User: sanadliaquat
Using RVM: yes
RVM Version: 1.29.12
Ruby Version: 2.7.4p191
Gem Version: 3.1.6
Bundler Version: 2.1.4
Rake Version: 13.0.6
Redis Version: 6.2.5
Git Version: 2.33.1
Sidekiq Version: 6.2.2
Go Version: go1.17 darwin/amd64

GitLab information
Version: 14.4.0-pre
Revision: 6aeac47202f
Directory: /Users/sanadliaquat/work/gitlab/gdk-ee/gitlab
DB Adapter: PostgreSQL
DB Version: 12.8
URL: http://gdk.test:3000
HTTP Clone URL: http://gdk.test:3000/some-group/some-project.git
SSH Clone URL: ssh://git@gdk.test:2222/some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: google_oauth2, kerberos_spnego

GitLab Shell
Version: 13.21.1
Repository storage paths:
- default: /Users/sanadliaquat/work/gitlab/gdk-ee/repositories
GitLab Shell path: /Users/sanadliaquat/work/gitlab/gdk-ee/gitlab-shell
Git: /usr/local/bin/git
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`)
(For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)
(we will only investigate if the tests are passing)