1 files changed, 36 insertions, 18 deletions

diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 9cf76521a0d..21135f7d607 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -42,6 +42,26 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     end
   end
 
+  def saml
+    if current_user
+      log_audit_event(current_user, with: :saml)
+      # Update SAML identity if data has changed.
+      identity = current_user.identities.find_by(extern_uid: oauth['uid'], provider: :saml)
+      if identity.nil?
+        current_user.identities.create(extern_uid: oauth['uid'], provider: :saml)
+        redirect_to profile_account_path, notice: 'Authentication method updated'
+      else
+        redirect_to after_sign_in_path_for(current_user)
+      end
+    else
+      saml_user = Gitlab::Saml::User.new(oauth)
+      saml_user.save
+      @user = saml_user.gl_user
+
+      continue_login_process
+    end
+  end
+
   def omniauth_error
     @provider = params[:provider]
     @error = params[:error]
@@ -65,25 +85,11 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
       log_audit_event(current_user, with: oauth['provider'])
       redirect_to profile_account_path, notice: 'Authentication method updated'
     else
-      @user = Gitlab::OAuth::User.new(oauth)
-      @user.save
+      oauth_user = Gitlab::OAuth::User.new(oauth)
+      oauth_user.save
+      @user = oauth_user.gl_user
 
-      # Only allow properly saved users to login.
-      if @user.persisted? && @user.valid?
-        log_audit_event(@user.gl_user, with: oauth['provider'])
-        sign_in_and_redirect(@user.gl_user)
-      else
-        error_message =
-          if @user.gl_user.errors.any?
-            @user.gl_user.errors.map do |attribute, message|
-              "#{attribute} #{message}"
-            end.join(", ")
-          else
-            ''
-          end
-
-        redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
-      end
+      continue_login_process
     end
   rescue Gitlab::OAuth::SignupDisabledError
     label = Gitlab::OAuth::Provider.label_for(oauth['provider'])
@@ -104,6 +110,18 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     session[:service_tickets][provider] = ticket
   end
 
+  def continue_login_process
+    # Only allow properly saved users to login.
+    if @user.persisted? && @user.valid?
+      log_audit_event(@user, with: oauth['provider'])
+      sign_in_and_redirect(@user)
+    else
+      error_message = @user.errors.full_messages.to_sentence
+
+      redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
+    end
+  end
+
   def oauth
     @oauth ||= request.env['omniauth.auth']
   end