Merge branch 'jej/avoid-csrf-check-on-saml-failure' into 'master'

Skip CSRF check on SAML failure endpoint

Closes #56574

See merge request gitlab-org/gitlab-ce!24509

app/controllers/omniauth_callbacks_controller.rb

@@ -4,7 +4,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
   include AuthenticatesWithTwoFactor
   include Devise::Controllers::Rememberable
 
-  protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true
+  protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true
 
   def handle_omniauth
     omniauth_flow(Gitlab::Auth::OAuth)

changelogs/unreleased/jej-avoid-csrf-check-on-saml-failure.yml

+---
+title: Display SAML failure messages instead of expecting CSRF token
+merge_request: 24509
+author:
+type: fixed

spec/controllers/omniauth_callbacks_controller_spec.rb

@@ -45,6 +45,29 @@ describe OmniauthCallbacksController, type: :controller do
       end
     end
 
+    context 'when sign in fails' do
+      include RoutesHelpers
+
+      let(:extern_uid) { 'my-uid' }
+      let(:provider) { :saml }
+
+      def stub_route_as(path)
+        allow(@routes).to receive(:generate_extras) { [path, []] }
+      end
+
+      it 'it calls through to the failure handler' do
+        request.env['omniauth.error'] = OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch")
+        request.env['omniauth.error.strategy'] = OmniAuth::Strategies::SAML.new(nil)
+        stub_route_as('/users/auth/saml/callback')
+
+        ForgeryProtection.with_forgery_protection do
+          post :failure
+        end
+
+        expect(flash[:alert]).to match(/Fingerprint mismatch/)
+      end
+    end
+
     context 'when a redirect fragment is provided' do
       let(:provider) { :jwt }
       let(:extern_uid) { 'my-uid' }