I'm trying to understand what is wrong with my GitLab SAML authentication configuration. I get redirected back with error "Retry Later" with url: https://hostname.com/users/auth/saml/callback
Any information on settings inside ADFS that work for others, is much appreciated or if you notice anything wrong with my configuration, thanks. I have the following logs: /etc/gitlab/gitlab.rb # HTTPS is enabled external_url 'https://hostname.com' gitlab_rails['omniauth_enabled'] = true gitlab_rails['omniauth_allow_single_sign_on'] = true gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml' gitlab_rails['omniauth_block_auto_created_users'] = false gitlab_rails['omniauth_providers'] = [ { "name" => "saml", "args" => { assertion_consumer_server_url: ' https://hostname.com/users/auth/saml/callback <http://hostname.com/users/auth/saml/callback>', idp_cert_fingerprint: '8e:ee:0a:3b:57:96:18:e9:5e:5d:5b:1a:1b:90:65:38:f6:18:6a:0c', idp_sso_target_url: 'http:///idp.com/adfs/ls', debug: 'true', issuer: 'https://hostname.com', name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' } } ] /var/log/gitlab/gitlab-rails/production.log Started GET "/users/sign_in" for 127.0.0.1 at 2015-09-21 10:53:03 -0500 Processing by SessionsController#new as HTML Completed 200 OK in 131ms (Views: 69.8ms | ActiveRecord: 3.6ms) Started POST "/users/auth/saml" for 127.0.0.1 at 2015-09-21 10:53:14 -0500 Started POST "/users/auth/saml/callback" for 127.0.0.1 at 2015-09-21 10:53:27 -0500 Processing by OmniauthCallbacksController#failure as HTML Parameters: {"SAMLResponse"=>"PHNhbWxwOlJlc3BvbnNlIElEPSJfMTYzZGJhNzEtYzI1NS00MDNhLThjMWEtNTBmNTRhYjcwNWI0IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNS0wOS0yMVQxNTo1NDowOS42NzNaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9naXQuY3Muc2l1LmVkdS91c2Vycy9hdXRoL3NhbWwvY2FsbGJhY2siIENvbnNlbnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjb25zZW50OnVuc3BlY2lmaWVkIiBJblJlc3BvbnNlVG89Il9jYWRhZWY2MC00MmE2LTAxMzMtMzkwMi0wMDFlYzkzZGJhYjciIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxJc3N1ZXIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9zdHMuc2l1LmVkdS9hZGZzL3NlcnZpY2VzL3RydXN0PC9Jc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIgLz48ZHM6UmVmZXJlbmNlIFVSST0iI18xNjNkYmE3MS1jMjU1LTQwM2EtOGMxYS01MGY1NGFiNzA1YjQiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIgLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiIC8+PGRzOkRpZ2VzdFZhbHVlPlZaemVZSCtiRGs2ejkwTnczT1Q5RjBud1crMD08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+RnV6NWVmdmVvSEIxQzlYbHh0bU1rditXS2RYdXhIcE54anUxK0tVTkk0UDFhN09ZSVI5dVZDVEZGbmY1TlpLWEFzUGtrTTVrRFhRTVJZQXdGYndHeG5VSnVUMzlZUWtRSVE2VFdneFJWUnZWcTF4a1BldWN4c3ZJMWtkdWpZNmc1VDM5Tkt1c0N6UjR5dHVOMlIyWjJWT3NZdHVHTGVxRXFHM1M1Z0p3OFlCcVA3MEN4STQrcWF5ZHZDR1ptVWxZaFVyM1AxODFuN0pBRGxZTHQvZFBiMWhRMEhtQUNRYU1CUmRnTFpvVll0a1NRUEZYRTBYbDd1eUtmdTRTMVNreXdsM0pkMVpGa1Uyb2h6bVVqbk1ma0VPSCtDdWcvMEpJM2I3NVBpbGI5VXA2eDQrMG5ORmRmUFN3dmNVTkt1ZVdsRkRVZElSWkRuM2VmSktueUhyNW9nPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxLZXlJbmZvIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDMGpDQ0FicWdBd0lCQWdJUUlZZ0dkdUNoNmI1TkUzSXRnVko3cERBTkJna3Foa2lHOXcwQkFRc0ZBREFsTVNNd0lRWURWUVFERXhwQlJFWlRJRk5wWjI1cGJtY2dMU0J6ZEhNdWMybDFMbVZrZFRBZUZ3MHhOVEF5TURZd05EVXhNakJhRncweU1EQXlNRFV3TkRVeE1qQmFNQ1V4SXpBaEJnTlZCQU1UR2tGRVJsTWdVMmxuYm1sdVp5QXRJSE4wY3k1emFYVXVaV1IxTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFreG1YMWNnMytVVnIrVTRVOVpwWXZyT3lNa3MwZjVTTWpxdDFxZzUxQm5MeTVESjBlMDJkTmhXeHlDQW9JVHhyb2NYZXpQQ0hlaVg0QWh1YS9adWdpVWMwU2JzdmpLNDM3cjkyVnBDckVPaXlvcm5iWER3N1g5N2Z4VWxoZi83Y0g5c0txeHVRR2ZCaVZBa2dDT29zUWFYWUFLZ1RsZ0NUcTczZjZIOWNhRjI0UVhEa2djYThBZU1NZ2hxMFhPelcwejZraDhBci9IUm55bW8yYkZLM3pNdjNhbmJ1Y2syMjAvSlJFaG5vMzU1bGs1UE8rOFArbzE2amZJRG9JYW1JRWdLbm44TVU1L1lsNVRaTEd2QUN1TTZKQmNkRDdYcEJsWE9QazZPK0twSmduU25zRVJvMkw3SGxSR1g3Ymg1WktBK213N2RuNjI3ZXAzUUF2UTN2d1FJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFpMjl6bDB1Mi9aaGk5RjJQTkYzaHdQTzVuT3pWOTNjNS85VDk0cVk4c3htbVNJcWJWcHZrdmgvcncycEpkYThuOU1hYU9ZYjd6SnlzTStvRVAvU2Z4QW5aQnRkRHJYcTZMWjhRVUlkcEpwODZqRVB5Wk5CQXhaS3l0OWJ0eXpZQzRkVXFqNHp1cGdHanlSRE5CMm92bFY2VndaaThoRUdJcGdiNVVwZFl1UVhLOW5QNEI1cklxYU9tS3JwaE9KaDhFTjZ5dHBIVHFEOC8wZWdHVjM4QWhiUTVIcnIvZXk5NHg5VFg4K3l1ZE1VelU0WXVRcUoxMXd3UTBUNktWOURTaE4rTDd0QkxyeDRldmI1WHo3NDlTM3JzOWk3clU3Um5BMkJMUERpTndCL1lxRGlOWWN2elRrZndVQi96bEJlOTNqdi9TK1NVK3BzV3FTN1BLdHBPaTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9LZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6UmVxdWVzdGVyIj48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpJbnZhbGlkTmFtZUlEUG9saWN5IiAvPjwvc2FtbHA6U3RhdHVzQ29kZT48L3NhbWxwOlN0YXR1cz48L3NhbWxwOlJlc3BvbnNlPg=="} Can't verify CSRF token authenticity Redirected to https://hostname.com/users/sign_in Completed 302 Found in 21ms (ActiveRecord: 2.1ms) Started GET "/users/sign_in" for 127.0.0.1 at 2015-09-21 10:53:27 -0500 Processing by SessionsController#new as HTML Redirected to https://hostname.com/users/auth/saml Filter chain halted as :auto_sign_in_with_provider rendered or redirected Completed 302 Found in 14ms (ActiveRecord: 2.0ms) Started GET "/users/auth/saml" for 127.0.0.1 at 2015-09-21 10:53:27 -0500 Started POST "/users/auth/saml/callback" for 127.0.0.1 at 2015-09-21 10:53:27 -0500 Processing by OmniauthCallbacksController#failure as HTML Parameters: {"SAMLResponse"=>"PHNhbWxwOlJlc3BvbnNlIElEPSJfMDRiYjY2ZjEtMGQzMy00YjY2LTgyYzgtZDZlYmY3YWE1ZjBkIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNS0wOS0yMVQxNTo1NDowOS44NDVaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9naXQuY3Muc2l1LmVkdS91c2Vycy9hdXRoL3NhbWwvY2FsbGJhY2siIENvbnNlbnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjb25zZW50OnVuc3BlY2lmaWVkIiBJblJlc3BvbnNlVG89Il9kMmIxMGJhMC00MmE2LTAxMzMtMzkwMy0wMDFlYzkzZGJhYjciIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxJc3N1ZXIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9zdHMuc2l1LmVkdS9hZGZzL3NlcnZpY2VzL3RydXN0PC9Jc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIgLz48ZHM6UmVmZXJlbmNlIFVSST0iI18wNGJiNjZmMS0wZDMzLTRiNjYtODJjOC1kNmViZjdhYTVmMGQiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIgLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiIC8+PGRzOkRpZ2VzdFZhbHVlPkk5Q0k4OGF2WmRIR0JDZlQxQjZOZ25BZS8vRT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+VkZ6VnNQd1Z6STU1Yk02enpZYUhJbDh3cUdIZElJWXVkVlk4U29PMm9ScXpadGdtTjl0emU5c3BrQVhjYXNZaGhmZDlVcXF4TTJrb1BSeG53eWwvVE1zdFFWYmtDYlRFOTVBL3hGMXFOWE5XYWRHTnhJNDZFSHEwQUdxTkIwV04raGJPUExneXZEMXdLck90VW5CS1JETUYyclVQcld0QVFBUjJpUTNhMmhtM2w5WEc0WkpyUnIySHBTVUhrcWJCeGZCMlFha2hwRVE5YzI4azBsVGpwQmJFUWpWRW1ORTFyNGtiU1M2Z0dQWDZVUmlBZVZnV2lwb1AyYi94Z0dzNnBaMVNlLzJoZTg1cUtvNlcvZERCbm82ZE80WFFYNWhuU1E4SjhtZmdVQ3lnWFNNT0lxQkRqRzN5Y3ZXZnd5SXQ3OTVLczhFSXBVeURseFI5TVVkWFJnPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxLZXlJbmZvIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDMGpDQ0FicWdBd0lCQWdJUUlZZ0dkdUNoNmI1TkUzSXRnVko3cERBTkJna3Foa2lHOXcwQkFRc0ZBREFsTVNNd0lRWURWUVFERXhwQlJFWlRJRk5wWjI1cGJtY2dMU0J6ZEhNdWMybDFMbVZrZFRBZUZ3MHhOVEF5TURZd05EVXhNakJhRncweU1EQXlNRFV3TkRVeE1qQmFNQ1V4SXpBaEJnTlZCQU1UR2tGRVJsTWdVMmxuYm1sdVp5QXRJSE4wY3k1emFYVXVaV1IxTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFreG1YMWNnMytVVnIrVTRVOVpwWXZyT3lNa3MwZjVTTWpxdDFxZzUxQm5MeTVESjBlMDJkTmhXeHlDQW9JVHhyb2NYZXpQQ0hlaVg0QWh1YS9adWdpVWMwU2JzdmpLNDM3cjkyVnBDckVPaXlvcm5iWER3N1g5N2Z4VWxoZi83Y0g5c0txeHVRR2ZCaVZBa2dDT29zUWFYWUFLZ1RsZ0NUcTczZjZIOWNhRjI0UVhEa2djYThBZU1NZ2hxMFhPelcwejZraDhBci9IUm55bW8yYkZLM3pNdjNhbmJ1Y2syMjAvSlJFaG5vMzU1bGs1UE8rOFArbzE2amZJRG9JYW1JRWdLbm44TVU1L1lsNVRaTEd2QUN1TTZKQmNkRDdYcEJsWE9QazZPK0twSmduU25zRVJvMkw3SGxSR1g3Ymg1WktBK213N2RuNjI3ZXAzUUF2UTN2d1FJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFpMjl6bDB1Mi9aaGk5RjJQTkYzaHdQTzVuT3pWOTNjNS85VDk0cVk4c3htbVNJcWJWcHZrdmgvcncycEpkYThuOU1hYU9ZYjd6SnlzTStvRVAvU2Z4QW5aQnRkRHJYcTZMWjhRVUlkcEpwODZqRVB5Wk5CQXhaS3l0OWJ0eXpZQzRkVXFqNHp1cGdHanlSRE5CMm92bFY2VndaaThoRUdJcGdiNVVwZFl1UVhLOW5QNEI1cklxYU9tS3JwaE9KaDhFTjZ5dHBIVHFEOC8wZWdHVjM4QWhiUTVIcnIvZXk5NHg5VFg4K3l1ZE1VelU0WXVRcUoxMXd3UTBUNktWOURTaE4rTDd0QkxyeDRldmI1WHo3NDlTM3JzOWk3clU3Um5BMkJMUERpTndCL1lxRGlOWWN2elRrZndVQi96bEJlOTNqdi9TK1NVK3BzV3FTN1BLdHBPaTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9LZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6UmVxdWVzdGVyIj48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpJbnZhbGlkTmFtZUlEUG9saWN5IiAvPjwvc2FtbHA6U3RhdHVzQ29kZT48L3NhbWxwOlN0YXR1cz48L3NhbWxwOlJlc3BvbnNlPg=="} Can't verify CSRF token authenticity Redirected to https://hostname.com/users/sign_in Completed 302 Found in 14ms (ActiveRecord: 2.0ms) Started GET "/users/sign_in" for 127.0.0.1 at 2015-09-21 10:53:28 -0500 Processing by SessionsController#new as HTML Redirected to https://hostname.com/users/auth/saml Filter chain halted as :auto_sign_in_with_provider rendered or redirected Completed 302 Found in 13ms (ActiveRecord: 2.0ms) Started GET "/users/auth/saml" for 127.0.0.1 at 2015-09-21 10:53:28 -0500 Started POST "/users/auth/saml/callback" for 127.0.0.1 at 2015-09-21 10:53:28 -0500 Processing by OmniauthCallbacksController#failure as HTML -- You received this message because you are subscribed to the Google Groups "GitLab" group. To unsubscribe from this group and stop receiving emails from it, send an email to gitlabhq+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/gitlabhq/cb1c2d5c-0066-4956-8aa5-3575a7687fc7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
