author: Achilleas Pipinellis <axilleas@axilleas.me> 2016-01-15 23:54:02 +0000
committer: Achilleas Pipinellis <axilleas@axilleas.me> 2016-01-15 23:54:02 +0000
commit: 50984c13a25b59964c4f5416f9aa454a2251bc25
tree: 403adc5736a8f8b3ef270b73182f1470a02aaca1
parent: 714ae482c1f211dab7e63cf4f679942d2bce8a77
parent: db66b12b29ab2e210644ae5584402fe58c41bfa3
Merge branch 'saml-ts' into 'master'
Added advanced SAML troubleshooting

/cc @dblessing @balameb

See merge request !2456
-rw-r--r-- doc/integration/saml.md 16
1 files changed, 14 insertions, 2 deletions
diff --git a/doc/integration/saml.md b/doc/integration/saml.md
index 1632e42f701..8841dbdb7c6 100644
--- a/doc/integration/saml.md
+++ b/doc/integration/saml.md
@@ -78,6 +78,18 @@ On the sign in page there should now be a SAML button below the regular sign in
## Troubleshooting
-If you see a "500 error" in GitLab when you are redirected back from the SAML sign in page, this likely indicates that GitLab could not get the email address for the SAML user.
+If you see a "500 error" in GitLab when you are redirected back from the SAML sign in page,
+this likely indicates that GitLab could not get the email address for the SAML user.
-Make sure the IdP provides a claim containing the user's email address, using claim name 'email' or 'mail'. The email will be used to automatically generate the GitLab username. \ No newline at end of file
+Make sure the IdP provides a claim containing the user's email address, using claim name
+'email' or 'mail'. The email will be used to automatically generate the GitLab username.
+
+If after signing in into your SAML server you are redirected back to the sign in page and
+no error is displayed, check your `production.log` file. It will most likely contain the
+message `Can't verify CSRF token authenticity`. This means that there is an error during
+the SAML request, but this error never reaches GitLab due to the CSRF check.
+
+To bypass this you can add `skip_before_action :verify_authenticity_token` to the
+`omniauth_callbacks_controller.rb` file. This will allow the error to hit GitLab,
+where it can then be seen in the usual logs, or as a flash message in the login
+screen. \ No newline at end of file