From 7d26c4cde97ea155ecfe88e7e898248b40cfc2b5 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Fri, 6 May 2022 12:54:42 -0400
Subject: [PATCH] Use persistent SAML identifiers

Using "unspecified" will always send just the user's (FAS) username, which has been known to conflict with existing accounts on Gitlab. The "persistent" name-id format guarantees uniqueness.

Signed-off-by: Stephen Gallagher
---
 roles/ipsilon/templates/saml2_data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ipsilon/templates/saml2_data b/roles/ipsilon/templates/saml2_data
index fa7ec3410f..809ef4af5b 100644
--- a/roles/ipsilon/templates/saml2_data
+++ b/roles/ipsilon/templates/saml2_data
@@ -78,4 +78,4 @@ gitlab id = https://gitlab.com/groups/fedora
 gitlab type = SP
 gitlab name = gitlab.com
 gitlab Allowed Attributes = ["email"]
-gitlab metadata = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecifiedRequired attributes
+gitlab metadata = urn:oasis:names:tc:SAML:2.0:nameid-format:persistentRequired attributes
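Review bot: Switching the NameID format on the added `gitlab metadata` line re-keys every existing user, because the SP presumably links SAML identities by the NameID it first received (the bare FAS username under `unspecified`), and the opaque persistent value sent after this change will match none of those records, so returning users are either provisioned as duplicate accounts or refused depending on GitLab's provisioning policy. The commit should state how existing identities are migrated (a one-time re-link of the stored identity key, or coordinated rollout with the GitLab side) rather than only the uniqueness motivation. The persistent format yields a stable per-SP identifier only if Ipsilon persists the generated value rather than deriving it per session; worth confirming that before relying on the uniqueness claim in the description. Two smaller points, both hedged: a key named `gitlab metadata` holding a NameID-format URN looks unusual next to `gitlab Allowed Attributes`, so confirm it is the key Ipsilon reads for the NameID format, and the trailing `Required attributes` fused onto the value on both the removed and added line is either an extraction artifact or a malformed entry that predates this change and deserves a look.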