1 files changed, 249 insertions, 0 deletions

diff --git a/doc/user/group/saml_sso/troubleshooting.md b/doc/user/group/saml_sso/troubleshooting.md
new file mode 100644
index 00000000000..177f33228c0
--- /dev/null
+++ b/doc/user/group/saml_sso/troubleshooting.md
@@ -0,0 +1,249 @@
+---
+type: reference
+stage: Manage
+group: Authentication and Authorization
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Troubleshooting SAML **(FREE)**
+
+This page contains possible solutions for problems you might encounter when using:
+
+- [SAML SSO for GitLab.com groups](index.md).
+- The self-managed instance-level [SAML OmniAuth Provider](../../../integration/saml.md).
+
+## SAML debugging tools
+
+SAML responses are base64 encoded, so we recommend the following browser plugins to decode them on the fly:
+
+- [SAML-tracer](https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/) for Firefox.
+- [SAML Message Decoder](https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=en) for Chrome.
+
+Specific attention should be paid to:
+
+- The NameID, which we use to identify which user is signing in. If the user has previously signed in, this [must match the value we have stored](#verifying-nameid).
+- The presence of a `X509Certificate`, which we require to verify the response signature.
+- The `SubjectConfirmation` and `Conditions`, which can cause errors if misconfigured.
+
+### Generate a SAML response
+
+Use SAML responses to preview the attribute names and values sent in the assertions list while attempting to sign in
+using an identity provider.
+
+To generate a SAML Response:
+
+1. Install one of the browser debugging tools previously mentioned.
+1. Open a new browser tab.
+1. Open the SAML tracer console:
+   - Chrome: On a context menu on the page, select **Inspect**, then select the **SAML** tab in the opened developer
+     console.
+   - Firefox: Select the SAML-tracer icon located on the browser toolbar.
+1. Go to the GitLab single sign-on URL for the group in the same browser tab with the SAML tracer open.
+1. Select **Authorize** or attempt to log in. A SAML response is displayed in the tracer console that resembles this
+   [example SAML response](index.md#example-saml-response).
+1. Within the SAML tracer, select the **Export** icon to save the response in JSON format.
+
+## GitLab SAML Testing Environments
+
+To troubleshoot, [a complete GitLab with SAML testing environment using Docker compose](https://gitlab.com/gitlab-com/support/toolbox/replication/tree/master/compose_files)
+is available.
+
+If you only require a SAML provider for testing, a [quick start guide to start a Docker container](../../../administration/troubleshooting/test_environments.md#saml) with a plug and play SAML 2.0 Identity Provider (identity provider) is available.
+
+You can test the SaaS feature locally by [enabling SAML for groups on a self-managed instance](../../../integration/saml.md#configuring-group-saml-on-a-self-managed-gitlab-instance).
+
+## Verifying configuration
+
+For convenience, we've included some [example resources](../../../user/group/saml_sso/example_saml_config.md) used by our Support Team. While they may help you verify the SAML app configuration, they are not guaranteed to reflect the current state of third-party products.
+
+## Searching Rails log for a SAML response **(FREE SELF)**
+
+You can find the base64-encoded SAML Response in the [`production_json.log`](../../../administration/logs/index.md#production_jsonlog).
+This response is sent from the identity provider, and contains user information that is consumed by GitLab.
+Many errors in the SAML integration can be solved by decoding this response and comparing it to the SAML settings in the GitLab configuration file.
+
+For example, with SAML for groups,
+you should be able to find the base64 encoded SAML response by searching with the following filters:
+
+- `json.meta.caller_id`: `Groups::OmniauthCallbacksController#group_saml`
+- `json.meta.user` or `json.username`: `username`
+- `json.method`: `POST`
+- `json.path`: `/groups/GROUP-PATH/-/saml/callback`
+
+In a relevant log entry, the `json.params` should provide a valid response with:
+
+- `"key": "SAMLResponse"` and the `"value": (full SAML response)`,
+- `"key": "RelayState"` with `"value": "/group-path"`, and
+- `"key": "group_id"` with `"value": "group-path"`.
+
+In some cases, if the SAML response is lengthy, you may receive a `"key": "truncated"` with `"value":"..."`.
+In these cases, use one of the [SAML debugging tools](#saml-debugging-tools), or for SAML SSO for groups,
+a group owner can get a copy of the SAML response from when they select
+the "Verify SAML Configuration" button on the group SSO Settings page.
+
+Use a base64 decoder to see a human-readable version of the SAML response.
+
+## Configuration errors
+
+### Invalid audience
+
+This error means that the identity provider doesn't recognize GitLab as a valid sender and
+receiver of SAML requests. Make sure to:
+
+- Add the GitLab callback URL to the approved audiences of the identity provider server.
+- Avoid trailing whitespace in the `issuer` string.
+
+### Key validation error, Digest mismatch or Fingerprint mismatch
+
+These errors all come from a similar place, the SAML certificate. SAML requests
+must be validated using either a fingerprint, a certificate, or a validator.
+
+For this requirement, be sure to take the following into account:
+
+- If a fingerprint is used, it must be the SHA1 fingerprint
+- If no certificate is provided in the settings, a fingerprint or fingerprint
+  validator needs to be provided and the response from the server must contain
+  a certificate (`<ds:KeyInfo><ds:X509Data><ds:X509Certificate>`)
+- If a certificate is provided in the settings, it is no longer necessary for
+  the request to contain one. In this case the fingerprint or fingerprint
+  validators are optional
+
+If none of the above described scenarios is valid, the request
+fails with one of the mentioned errors.
+
+### Missing claims, or `Email can't be blank` errors
+
+The identity provider server needs to pass certain information in order for GitLab to either
+create an account, or match the login information to an existing account. `email`
+is the minimum amount of information that needs to be passed. If the identity provider server
+is not providing this information, all SAML requests fail.
+
+Make sure this information is provided.
+
+Another issue that can result in this error is when the correct information is being sent by
+the identity provider, but the attributes don't match the names in the OmniAuth `info` hash. In this case,
+you must set `attribute_statements` in the SAML configuration to
+[map the attribute names in your SAML Response to the corresponding OmniAuth `info` hash names](../../../integration/saml.md#attribute_statements).
+
+## User sign in banner error messages
+
+### Message: "SAML authentication failed: Extern UID has already been taken"
+
+This error suggests you are signed in as a GitLab user but have already linked your SAML identity to a different GitLab user. Sign out and then try to sign in again using SAML, which should log you into GitLab with the linked user account.
+
+If you do not wish to use that GitLab user with the SAML login, you can [unlink the GitLab account from the SAML app](index.md#unlinking-accounts).
+
+### Message: "SAML authentication failed: User has already been taken"
+
+The user that you're signed in with already has SAML linked to a different identity, or the NameID value has changed.
+Here are possible causes and solutions:
+
+| Cause                                                                                          | Solution                                                                                                                                                                   |
+| ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| You've tried to link multiple SAML identities to the same user, for a given identity provider. | Change the identity that you sign in with. To do so, [unlink the previous SAML identity](index.md#unlinking-accounts) from this GitLab account before attempting to sign in again. |
+| The NameID changes every time the user requests SSO identification | [Check the NameID](#verifying-nameid) is not set with `Transient` format, or the NameID is not changing on subsequent requests.|
+
+### Message: "SAML authentication failed: Email has already been taken"
+
+| Cause                                                                                                                                    | Solution                                                                 |
+| ---------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
+| When a user account with the email address already exists in GitLab, but the user does not have the SAML identity tied to their account. | The user needs to [link their account](index.md#user-access-and-management). |
+
+User accounts are created in one of the following ways:
+
+- User registration
+- Sign in through OAuth
+- Sign in through SAML
+- SCIM provisioning
+
+### Message: "SAML authentication failed: Extern UID has already been taken, User has already been taken"
+
+Getting both of these errors at the same time suggests the NameID capitalization provided by the identity provider didn't exactly match the previous value for that user.
+
+This can be prevented by configuring the NameID to return a consistent value. Fixing this for an individual user involves changing the identifier for the user. For GitLab.com, the user needs to [unlink their SAML from the GitLab account](index.md#unlinking-accounts).
+
+### Message: "Request to link SAML account must be authorized"
+
+Ensure that the user who is trying to link their GitLab account has been added as a user within the identity provider's SAML app.
+
+Alternatively, the SAML response may be missing the `InResponseTo` attribute in the
+`samlp:Response` tag, which is [expected by the SAML gem](https://github.com/onelogin/ruby-saml/blob/9f710c5028b069bfab4b9e2b66891e0549765af5/lib/onelogin/ruby-saml/response.rb#L307-L316).
+The identity provider administrator should ensure that the login is
+initiated by the service provider and not only the identity provider.
+
+### Message: "Sign in to GitLab to connect your organization's account" **(PREMIUM SAAS)**
+
+A user can see this message when they are trying to [manually link SAML to their existing GitLab.com account](index.md#linking-saml-to-your-existing-gitlabcom-account).
+
+To resolve this problem, the user should check they are using the correct GitLab password to log in. The user first needs
+to [reset their password](https://gitlab.com/users/password/new) if both:
+
+- The account was provisioned by SCIM.
+- They are signing in with username and password for the first time.
+
+## Other user sign in issues
+
+### Verifying NameID
+
+In troubleshooting, any authenticated user can use the API to verify the NameID GitLab already has linked to the user by visiting [`https://gitlab.com/api/v4/user`](https://gitlab.com/api/v4/user) and checking the `extern_uid` under identities.
+
+For self-managed, administrators can use the [users API](../../../api/users.md) to see the same information.
+
+When using SAML for groups, group members of a role with the appropriate permissions can make use of the [members API](../../../api/members.md) to view group SAML identity information for members of the group.
+
+This can then be compared to the NameID being sent by the identity provider by decoding the message with a [SAML debugging tool](#saml-debugging-tools). We require that these match in order to identify users.
+
+### Stuck in a login "loop"
+
+Ensure that the **GitLab single sign-on URL** (for GitLab.com) or the instance URL (for self-managed) has been configured as "Login URL" (or similarly named field) in the identity provider's SAML app.
+
+For GitLab.com, alternatively, when users need to [link SAML to their existing GitLab.com account](index.md#linking-saml-to-your-existing-gitlabcom-account), provide the **GitLab single sign-on URL** and instruct users not to use the SAML app on first sign in.
+
+### Users receive a 404 **(PREMIUM SAAS)**
+
+Because SAML SSO for groups is a paid feature, your subscription expiring can result in a `404` error when you're signing in using SAML SSO on GitLab.com.
+If all users are receiving a `404` when attempting to log in using SAML, confirm
+[there is an active subscription](../../../subscriptions/gitlab_com/index.md#view-your-gitlab-saas-subscription) being used in this SAML SSO namespace.
+
+If you receive a `404` during setup when using "verify configuration", make sure you have used the correct
+[SHA-1 generated fingerprint](../../../integration/saml.md#notes-on-configuring-your-identity-provider).
+
+If a user is trying to sign in for the first time and the GitLab single sign-on URL has not [been configured](index.md#configure-your-identity-provider), they may see a 404.
+As outlined in the [user access section](index.md#linking-saml-to-your-existing-gitlabcom-account), a group Owner needs to provide the URL to users.
+
+### 500 error after login **(FREE SELF)**
+
+If you see a "500 error" in GitLab when you are redirected back from the SAML
+sign-in page, this could indicate that:
+
+- GitLab couldn't get the email address for the SAML user. Ensure the identity provider provides a claim containing the user's
+  email address using the claim name `email` or `mail`.
+- The certificate set your `gitlab.rb` file for `identity provider_cert_fingerprint` or `identity provider_cert` file is incorrect.
+- Your `gitlab.rb` file is set to enable `identity provider_cert_fingerprint`, and `identity provider_cert` is being provided, or the reverse.
+
+### 422 error after login **(FREE SELF)**
+
+If you see a "422 error" in GitLab when you are redirected from the SAML
+sign-in page, you might have an incorrectly configured Assertion Consumer
+Service (ACS) URL on the identity provider.
+
+Make sure the ACS URL points to `https://gitlab.example.com/users/auth/saml/callback`, where
+`gitlab.example.com` is the URL of your GitLab instance.
+
+If the ACS URL is correct, and you still have errors, review the other
+Troubleshooting sections.
+
+### User is blocked when signing in through SAML **(FREE SELF)**
+
+The following are the most likely reasons that a user is blocked when signing in through SAML:
+
+- In the configuration, `gitlab_rails['omniauth_block_auto_created_users'] = true` is set and this is the user's first time signing in.
+- [`required_groups`](../../../integration/saml.md#required-groups) are configured but the user is not a member of one.
+
+## Google workspace troubleshooting tips
+
+The Google Workspace documentation on [SAML app error messages](https://support.google.com/a/answer/6301076?hl=en) is helpful for debugging if you are seeing an error from Google while signing in.
+Pay particular attention to the following 403 errors:
+
+- `app_not_configured`
+- `app_not_configured_for_user`