Lunch and Learn Auth and SAML
LDAP : form-based | we can ask questions SAML: browser/client based | we only get info when the user goes through the authentication process
If you get to OmniauthCallbacksController
the user has successfully authenticated. Maybe they can't use GitLab yet (they'll either get connected to ane xisting account, a new account will be created or their access will be denied)
We favor looking up username via LDAP (we can learn more) vs SAML (just the attributes). We generate that info from LDAP or straight from the auth hash.
The info is sent to the user create service.
o_auth/user.rb
The Auth Hash¶
The structure is a bit opaque.
One of the most common failures seen is SAML not sending an email
attribute. This is a good place to check. We might now have some better error messaging around that.