gitlab.com/gitlab-org/gitlab-foss.git
Diffstat (limited to 'doc/user/group/saml_sso/troubleshooting.md')
-rw-r--r-- doc/user/group/saml_sso/troubleshooting.md | 23
1 files changed, 18 insertions, 5 deletions
diff --git a/doc/user/group/saml_sso/troubleshooting.md b/doc/user/group/saml_sso/troubleshooting.md
index 177f33228c0..bde5ed1762a 100644
--- a/doc/user/group/saml_sso/troubleshooting.md
+++ b/doc/user/group/saml_sso/troubleshooting.md
@@ -2,7 +2,7 @@
type: reference
stage: Manage
group: Authentication and Authorization
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
# Troubleshooting SAML **(FREE)**
@@ -39,7 +39,7 @@ To generate a SAML Response:
console.
- Firefox: Select the SAML-tracer icon located on the browser toolbar.
1. Go to the GitLab single sign-on URL for the group in the same browser tab with the SAML tracer open.
-1. Select **Authorize** or attempt to log in. A SAML response is displayed in the tracer console that resembles this
+1. Select **Authorize** or attempt to sign in. A SAML response is displayed in the tracer console that resembles this
[example SAML response](index.md#example-saml-response).
1. Within the SAML tracer, select the **Export** icon to save the response in JSON format.
@@ -76,6 +76,19 @@ In a relevant log entry, the `json.params` should provide a valid response with:
- `"key": "RelayState"` with `"value": "/group-path"`, and
- `"key": "group_id"` with `"value": "group-path"`.
+You should also check the decoded SAML response with the following filters
+in case the customer has [configured SAML Group Sync](group_sync.md):
+
+- `json.class`: `GroupSamlGroupSyncWorker`
+- `json.args`: `<user ID> or <group ID>`
+
+In the relevant log entry, the:
+
+- `json.args` are in the form `<userID>, <group ID>,
+ [group link ID 1, group link ID 2, ..., group link ID N]`.
+- `json.extra.group_saml_group_sync_worker.stats.*` fields show how many times
+ this run of group sync `added`, `removed` or `changed` the user's membership.
+
In some cases, if the SAML response is lengthy, you may receive a `"key": "truncated"` with `"value":"..."`.
In these cases, use one of the [SAML debugging tools](#saml-debugging-tools), or for SAML SSO for groups,
a group owner can get a copy of the SAML response from when they select
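Review bot: The lead-in on the added lines says to "check the decoded SAML response with the following filters", but `json.class` and `json.args` are log-entry fields, not parts of a SAML response, so the sentence should say which log to search rather than point at the decoded response. Also in this hunk: "in case the customer has" is support-desk wording in a user-facing page, and "if you have configured SAML Group Sync" fits better. The placeholder is spelled `<user ID>` in the filter list and `<userID>` in the `json.args` format line, and one spelling should be used for both. The new block lands between the `json.params` bullets and the `"key": "truncated"` paragraph that continues them, so it would read more clearly if placed after that paragraph.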
@@ -175,7 +188,7 @@ initiated by the service provider and not only the identity provider.
A user can see this message when they are trying to [manually link SAML to their existing GitLab.com account](index.md#linking-saml-to-your-existing-gitlabcom-account).
-To resolve this problem, the user should check they are using the correct GitLab password to log in. The user first needs
+To resolve this problem, the user should check they are using the correct GitLab password to sign in. The user first needs
to [reset their password](https://gitlab.com/users/password/new) if both:
- The account was provisioned by SCIM.
@@ -191,7 +204,7 @@ For self-managed, administrators can use the [users API](../../../api/users.md)
When using SAML for groups, group members of a role with the appropriate permissions can make use of the [members API](../../../api/members.md) to view group SAML identity information for members of the group.
-This can then be compared to the NameID being sent by the identity provider by decoding the message with a [SAML debugging tool](#saml-debugging-tools). We require that these match in order to identify users.
+This can then be compared to the NameID being sent by the identity provider by decoding the message with a [SAML debugging tool](#saml-debugging-tools). We require that these match to identify users.
### Stuck in a login "loop"
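Review bot: With "in order" dropped, the changed line "We require that these match to identify users." can be read as "match to identify", which blurs the actual requirement that the NameID sent by the identity provider equals the SAML identity shown by the members API. Consider rewording to something like "These values must match for GitLab to identify the user." so the condition and its purpose are stated separately.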
@@ -202,7 +215,7 @@ For GitLab.com, alternatively, when users need to [link SAML to their existing G
### Users receive a 404 **(PREMIUM SAAS)**
Because SAML SSO for groups is a paid feature, your subscription expiring can result in a `404` error when you're signing in using SAML SSO on GitLab.com.
-If all users are receiving a `404` when attempting to log in using SAML, confirm
+If all users are receiving a `404` when attempting to sign in using SAML, confirm
[there is an active subscription](../../../subscriptions/gitlab_com/index.md#view-your-gitlab-saas-subscription) being used in this SAML SSO namespace.
If you receive a `404` during setup when using "verify configuration", make sure you have used the correct