• Backups
• Cox home network facts
• Dotfiles
  • Neovim's Lazy.vim
  • Zsh
    • OS Detection
    • Parsing options
    • Startup performance
• Email
  • Running sieve locally
  • Sieve
• Fun Holidays
• Gaming
  • Mobile Games
• Gaming PC Hardware
• Gitlab
  • Automatically adding UptimeRobot to Gitlab's monitoring whitelist with ansible
  • Caching CI stuff with Minio
  • Fixing SAML association for a Gitlab user
  • Having a little fun with Gitlab's join date
• Good RFC
• Homelab
  • AUR Repo
  • Bootstrap
    • (NAS) Garage S3
    • Dedicated Server
    • IOFlood (Netherite)
    • Soft Serve
    • Synology NAS
    • ntfy.sh
  • Step-CA
  • Tech Stack
  • VLANs
• IPv6
• Kubernetes
  • Get Root CA
  • New SSH Fingerprints to Flux
  • Talos OIDC setup
• Linux
  • Backups
  • Desktop Customization
  • Disabling WiFi
  • Getting disk serial number
  • Monitoring
  • Non-root users can ping
  • Pacman hooks
  • PowerDNS administration
  • Reboot Criteria
  • Systemd version via DBus
  • Text-to-speech locally
• MacOS
  • Local backups
• Meta - Digital Garden
• Meta - Test Page
• OpenID Connect
• Packing List
• Ruby
  • Fixing Fakeweb & Coveralls conflict
  • Generating a webpage screenshot
• SQLite Booleans
• Security
  • Password reset via HMAC
• Smarthome
• Web Design
  • Icon Libraries
  • SVG Icons
  • Various Ideas

After I recently rebuilt my
FreeIPA server, even after
restoring a backup, a few different identifiers for my users got
regenerated rather than restored. In particular, this results in
attempts to log in to services that rely on the UUIDs being consistent
to recognize the login as a new user rather than an existing user. In
part, this seems like a combination of FreeIPA,
Keycloak, and
Gitlab.

For my setup, Keycloak and Gitlab communicate using SAML, and the
configuration of the SAML details specifically state that the NameID
must be a persistent ID, not an email address. So if the UUID is
regenerated, the ID isn’t consistent, and so it’s a new user not the
same old one.

Because of this, now users will get an HTTP 422 error that
authentication failed because their email has been taken already:

Sign-in using foo auth failed

Sign-in failed because Email has already been taken.

…

If none of the options work, try contacting a GitLab administrator.

Retrieving the SAML ID

First up, we need to retrieve the UUID of the user being sent to Gitlab,
so that we may update Gitlab’s database to fix the UUID. An easy way is
to pull it from the Gitlab log:

docker exec -it gitlab-omnibus bash
grep -E 'SAML\) Error saving user' /var/log/gitlab/gitlab-rails/application.log

And grab the value between ‘user’ and the parenthesized email after it.
For my Keycloak setup, that value is a UUID that begins with a G-.

Updating Gitlab

Now that we have the user’s email address and the updated SAML ID, let’s
launch the Rails console to update their information:

docker exec -it gitlab-omnibus bash
gitlab-rails console

So now we can run the following Ruby code to update the SAML ID saved in
Gitlab’s database:

# Replace these with the appropriate values from the log messages above
email = "example@example.com"
saml_id = "G-00000000-0000-0000-0000-000000000000" 

user = User.find_by_any_email(email)
ident = u.identities.select { |i| i.provider == "saml" }.first
ident.extern_uid = saml_id
ident.save!

And that’s it! Now the user will be able to log in with the SAML
provider again.