From 067da6224ef2cc53ae4ac38e3f3d1c99d1a97f96 Mon Sep 17 00:00:00 2001
From: Brian Neel
Date: Thu, 10 Nov 2016 20:14:54 -0500
Subject: fix shibboleth misconfigurations resulting in authentication bypass

---
 changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml | 4 ++++
 config/initializers/devise.rb | 4 ++++
 2 files changed, 8 insertions(+)
 create mode 100644 changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml

diff --git a/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml b/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml
new file mode 100644
index 00000000000..56fa2170be3
--- /dev/null
+++ b/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml
@@ -0,0 +1,4 @@
+---
+title: fix shibboleth misconfigurations resulting in authentication bypass
+merge_request: 7428
+author:
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index a0a8f88584c..a5b415457db 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -254,6 +254,10 @@ Devise.setup do |config|
 end
 end
+ if provider['name'] == 'shibboleth'
+ provider['args'][:fail_with_empty_uid] = true
+ end
+
 # A Hash from the configuration will be passed as is.
 provider_arguments << provider['args'].symbolize_keys
 end
-- 
cgit v1.2.3
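Review bot: The forced `fail_with_empty_uid` on the shibboleth branch carries no explanation and silently overrides whatever value an operator set for that key in the provider configuration, so a reader of devise.rb cannot tell why this one provider is special-cased. A comment above the `if`, such as `# Shibboleth: always reject a login whose uid is empty; a misconfiguration that yields no uid would otherwise result in an authentication bypass (see MR 7428)`, would record the intent the commit title describes. Note also that the key is added as a Symbol while `provider['args']` may still hold String keys until `symbolize_keys` runs two lines later, so if the operator's hash already contains `'fail_with_empty_uid'` the surviving value depends on Hash insertion order; I cannot confirm the key form from this hunk, but applying the override after symbolizing, `provider_arguments << provider['args'].symbolize_keys.merge(fail_with_empty_uid: true)` on the shibboleth branch, would make the forced value unambiguous. The enclosing `Devise.setup` block and the loop over providers start and end outside the hunk.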