Hello,

I have been working for several days on GitLab integration with ADFS. I have read this [documentation](http://doc.gitlab.com/ce/integration/saml.html) and here are my GitLab settings:
```ruby
external_url 'https://git-pr01.domain.be'
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://git-pr01.domain.be/users/auth/saml/callback',
      idp_cert_fingerprint: '76:63:cd:51:2c:87:fd:d6:84:8d:cb:90:d5:ec:cd:6d:bf:3c:eb:2a',
      idp_sso_target_url: 'https://fs.domain.be/adfs/ls',
      issuer: 'https://git-pr01.domain.be',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
    },
    label: 'SSO login' # optional label for SAML login button, defaults to "Saml"
  }
]
```
I used this metadata XML file to set up the Relying Party Trust: https://git-pr01.domain.be/users/auth/saml/metadata

But I don't know which claim rules to add in ADFS. Has anyone already linked GitLab with ADFS for SSO authentication?

Here is the error:
```text
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: https://gitlab.domain.test
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SPNameQualifier:
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
This request failed.
User Action
Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
```
Could you help me, please?

Thanks a lot in advance.
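An added consistency check, not code from the post or from GitLab, written in Ruby because gitlab.rb is Ruby: it compares the saml provider args above against the SP metadata GitLab publishes and parses the MSIS7070 event text for the NameID format ADFS received versus the one it issued. The metadata document is a constructed, simplified sample (assumption: real GitLab metadata carries more elements than the three values checked here).

```ruby
require "rexml/document"

MD_NS = { "md" => "urn:oasis:names:tc:SAML:2.0:metadata" }.freeze

# The saml provider args from gitlab.rb in the post.
GITLAB_ARGS = {
  assertion_consumer_service_url: "https://git-pr01.domain.be/users/auth/saml/callback",
  issuer: "https://git-pr01.domain.be",
  name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
}.freeze

# Constructed stand-in for GET /users/auth/saml/metadata (assumption: simplified).
SP_METADATA = <<~XML
  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://git-pr01.domain.be">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://git-pr01.domain.be/users/auth/saml/callback" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
XML

# The MSIS7070 event text quoted in the post (abridged to the lines parsed below).
ADFS_EVENT = "Requestor: https://gitlab.domain.test\n" \
  "MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. " \
  "Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress " \
  "SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: ."

# Pull entityID, NameIDFormat and the ACS Location out of the SP metadata.
def sp_metadata_facts(xml)
  doc = REXML::Document.new(xml)
  {
    entity_id: doc.root.attributes["entityID"],
    name_id_format: REXML::XPath.first(doc, "//md:NameIDFormat", MD_NS).text,
    acs_url: REXML::XPath.first(doc, "//md:AssertionConsumerService", MD_NS).attributes["Location"]
  }
end

# Extract requestor, the NameID format the request asked for, and the format ADFS actually issued.
def parse_msis7070(text)
  {
    requestor: text[/Requestor: (\S+)/, 1],
    requested_format: text[/Requested NameIDPolicy:.*?Format: (\S+)/, 1],
    issued_format: text[/Actual NameID properties: Format: ([^,]*),/, 1].to_s.strip
  }
end

# Return a list of mismatches between gitlab.rb, the SP metadata and what ADFS logged.
def check(args, xml, event)
  md = sp_metadata_facts(xml)
  ev = parse_msis7070(event)
  problems = []
  problems << "issuer differs from metadata entityID" if args[:issuer] != md[:entity_id]
  problems << "ACS URL differs from metadata" if args[:assertion_consumer_service_url] != md[:acs_url]
  problems << "name_identifier_format differs from metadata" if args[:name_identifier_format] != md[:name_id_format]
  problems << "event requestor #{ev[:requestor]} is not the configured issuer" if ev[:requestor] != args[:issuer]
  problems << "ADFS received format #{ev[:requested_format]}, gitlab.rb configures #{args[:name_identifier_format]}" if ev[:requested_format] != args[:name_identifier_format]
  problems << "ADFS issued no NameID: the Relying Party Trust needs a claim rule emitting Name ID in format #{ev[:requested_format]}" if ev[:issued_format].empty?
  problems
end
```

Run against the values in the post, `check(GITLAB_ARGS, SP_METADATA, ADFS_EVENT)` reports three findings: the event's requestor is a different entity than the configured issuer, the request ADFS logged asked for emailAddress while gitlab.rb says transient, and the issued token carried no NameID at all.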