Eirik,

My team just had a similar issue, and ran into this. We put the setting you mentioned and it seems to have fixed the issue. Still doing investigation on our end to confirm but thanks for the info!!!

On Wednesday, September 30, 2015 at 12:11:49 PM UTC-5, Eirik Lygre wrote:
>
> We have been having the same problem, intermittently. In our case, it
> seems like there is some (minuscule) clock drift between the gitlab server
> and the Microsoft ADFS-server.
>
> The problem seems to have been solved (though we are still testing!) by
> adding an "allowed_clock_drift" option to the gitlab.rb:
>
> gitlab_rails['omniauth_providers'] = [
>   {
>     "name" => "saml",
>     args: {
>       allowed_clock_drift: 5, # 5 seconds
>       issuer: 'https://gitlab.example.com'
>       ...
>
> It will be nice to hear if this solves the problem; if so, there should
> probably be a documentation update.
>
> Eirik
>
>
> On Monday, September 21, 2015 at 6:13:52 PM UTC+2, Michael wrote:
>>
>> I'm trying to understand what is wrong with my GitLab SAML authentication
>> configuration. I get redirected back with error "Retry Later" with url:
>> https://hostname.com/users/auth/saml/callback
>>
>> Any information on settings inside ADFS that work for others, is much
>> appreciated or if you notice anything wrong with my configuration, thanks.
>>
>> I have the following logs:
>>
>> /etc/gitlab/gitlab.rb
>> # HTTPS is enabled
>> external_url 'https://hostname.com'
>> gitlab_rails['omniauth_enabled'] = true
>> gitlab_rails['omniauth_allow_single_sign_on'] = true
>> gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
>> gitlab_rails['omniauth_block_auto_created_users'] = false
>> gitlab_rails['omniauth_providers'] = [
>>   {
>>     "name" => "saml",
>>     "args" => {
>>       assertion_consumer_server_url: 'https://hostname.com/users/auth/saml/callback',
>>       idp_cert_fingerprint: '8e:ee:0a:3b:57:96:18:e9:5e:5d:5b:1a:1b:90:65:38:f6:18:6a:0c',
>>       idp_sso_target_url: 'http:///idp.com/adfs/ls',
>>       debug: 'true',
>>       issuer: 'https://hostname.com',
>>       name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
>>     }
>>   }
>> ]
>>
>>
>> /var/log/gitlab/gitlab-rails/production.log
>> Started GET "/users/sign_in" for 127.0.0.1 at 2015-09-21 10:53:03 -0500
>> Processing by SessionsController#new as HTML
>> Completed 200 OK in 131ms (Views: 69.8ms | ActiveRecord: 3.6ms)
>> Started POST "/users/auth/saml" for 127.0.0.1 at 2015-09-21 10:53:14 -0500
>>
>>
>> Started POST "/users/auth/saml/callback" for 127.0.0.1 at 2015-09-21 10:53:27 -0500
>> Processing by OmniauthCallbacksController#failure as HTML
>> Parameters: {"SAMLResponse"=>"[removed]"}
>> Can't verify CSRF token authenticity
>> Redirected to https://hostname.com/users/sign_in
>> Completed 302 Found in 21ms (ActiveRecord: 2.1ms)
>> Started GET "/users/sign_in" for 127.0.0.1 at 2015-09-21 10:53:27 -0500
>> Processing by SessionsController#new as HTML
>> Redirected to https://hostname.com/users/auth/saml
>> Filter chain halted as :auto_sign_in_with_provider rendered or redirected
>> Completed 302 Found in 14ms (ActiveRecord: 2.0ms)
>> Started GET "/users/auth/saml" for 127.0.0.1 at 2015-09-21 10:53:27 -0500
>> Started POST "/users/auth/saml/callback" for 127.0.0.1 at 2015-09-21 10:53:27 -0500
>> Processing by OmniauthCallbacksController#failure as HTML
>> Parameters: {"SAMLResponse"=>"[removed]"}
>> Can't verify CSRF token authenticity
>> Redirected to https://hostname.com/users/sign_in
>> Completed 302 Found in 14ms (ActiveRecord: 2.0ms)
>> Started GET "/users/sign_in" for 127.0.0.1 at 2015-09-21 10:53:28 -0500
>> Processing by SessionsController#new as HTML
>> Redirected to https://hostname.com/users/auth/saml
>> Filter chain halted as :auto_sign_in_with_provider rendered or redirected
>> Completed 302 Found in 13ms (ActiveRecord: 2.0ms)
>> Started GET "/users/auth/saml" for 127.0.0.1 at 2015-09-21 10:53:28 -0500
>> Started POST "/users/auth/saml/callback" for 127.0.0.1 at 2015-09-21 10:53:28 -0500
>> Processing by OmniauthCallbacksController#failure as HTML
>>
>
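
To illustrate the clock-drift explanation in the quoted reply, here is an added example (not part of the original thread, and not ruby-saml's or GitLab's own code) that decodes a SAMLResponse, reads the `Conditions` validity window, and shows how a drift allowance changes the outcome. The sample assertion is constructed, the function names are hypothetical, and drift is modelled as widening the window by the same number of seconds on both ends, which is an assumption.

```ruby
require 'base64'
require 'time'

# Constructed sample (not from the thread): the IdP clock is 2.1 s ahead of a
# server that logged the callback POST at 2015-09-21 10:53:27 -0500.
SAMPLE_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <Conditions NotBefore="2015-09-21T15:53:29.100Z"
                  NotOnOrAfter="2015-09-21T16:53:29.100Z"/>
    </Assertion>
  </samlp:Response>
XML
SAMPLE_B64 = Base64.strict_encode64(SAMPLE_XML)

# Extract [NotBefore, NotOnOrAfter] from a base64 SAMLResponse as posted to
# the callback (HTTP-POST binding, so base64 only, no deflate).
def conditions_window(saml_response_b64)
  xml = Base64.decode64(saml_response_b64)
  tag = xml[/<(?:\w+:)?Conditions\b[^>]*>/] or raise ArgumentError, 'no Conditions element'
  not_before      = tag[/\bNotBefore="([^"]+)"/, 1]
  not_on_or_after = tag[/\bNotOnOrAfter="([^"]+)"/, 1]
  [not_before && Time.iso8601(not_before),
   not_on_or_after && Time.iso8601(not_on_or_after)]
end

# Simplified model of the time check: the assertion is accepted only inside
# the window, widened by `drift` seconds on each side.
def check_window(not_before, not_on_or_after, now, drift = 0)
  return :not_yet_valid if not_before && now + drift < not_before
  return :expired if not_on_or_after && now - drift >= not_on_or_after
  :valid
end

# Smallest whole-second drift that would let an early assertion through.
def minimum_drift(not_before, now)
  not_before && now < not_before ? (not_before - now).ceil : 0
end

if __FILE__ == $PROGRAM_NAME
  nb, na = conditions_window(SAMPLE_B64)
  received = Time.iso8601('2015-09-21T15:53:27Z') # server clock at the POST
  puts "drift 0s: #{check_window(nb, na, received)}"
  puts "drift 5s: #{check_window(nb, na, received, 5)}"
  puts "minimum drift needed: #{minimum_drift(nb, received)}s"
end
```

If the minimum drift comes out larger than a few seconds, fixing time synchronisation on both hosts is the better remedy, since a wide allowance also lengthens the period in which an expired assertion is still accepted.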