This question asked by coderss but restarting the computer seems to noneffective.
422
The change you requested was rejected.
Make sure you have access to the thing you tried to change.
Please contact your GitLab administrator if you think this is a mistake.
I have above error in Firefox under Linux but I have access in Chromium.
That’s looks like typical cookie problem.
I tried clear all Gitlab related cookies then restarted computer without any new sign in attempt. and restarted computer 
yeah I just try
But still same error, same browser.
How can I handle this problem?
This error also occurs at forgot password section and in private tab of Firefox.
Is there another Gitlab related cookie?
asked Jan 21, 2021 at 4:21
1
This was followed by issue 35447 and issue 40898.
The last one included:
Ok, I suspect the issue here for many people is that the GitLab session cookie is set to Secure here: https://gitlab.com/gitlab-org/gitlab-ce/blob/9c491bc628f5a72424b82bb01e2457150bf2e71c/config/initializers/session_store.rb#L25
Setting the right SSL headers fixes the problem.
If, for some reason, the connection doesn’t appear to be an HTTPS connection, Rails won’t send a cookie, and the client won’t be able to login. You may be able to confirm this by checking the response headers in the
GET /users/sign_inendpoint: if you see a_gitlab_sessioncookie being sent the first time you load the page, then things are working properly.
And:
JuKu
JuKu @JuKu · 1 year ago
Solution for HaProxy:
Add these line to your frontend: reqadd X-Forwarded-Proto: http
After this change, it worked for me.
See also: https://www.digitalocean.com/community/tutorials/how-to-implement-ssl-termination-with-haproxy-on-ubuntu-14-04
That would avoid the dreaded:
But it depends on the type of GitLab used (gitlab.com or an on-premise GitLab, and the type of Web server used)
For example, issue 53085 refers to issue 54493:
The group had internal availability, while one of it’s projects was public (not the one I was having so much trouble with, which was private).
Making the group public solved the problem.
The OP maxemilian reports in the comments it is working now with Firefox on Manjaro:
I checked my updates diary, but only zoom matches between Firefox access time successfully.
I pretty sure this was related to GitLab login code. Suspicious dates (Jan 6- Jan 21 and Feb 3- Feb 6).
I think This update done by GitLab the dates between Feb 3- Feb 6.
answered Jan 21, 2021 at 8:14
VonCVonC
1.2m518 gold badges4344 silver badges5161 bronze badges
5
In my case, server time was late and I had to change the time, then restart the server and reconfigure the gitlab.
Change server time
sudo timedatectl set-time "06:24:00"
sudo timedatectl set-time "2020-04-23"
sudo hwclock --systohc
Reconfigure Gitlab.
sudo gitlab-ctl reconfigure
answered Apr 14, 2022 at 4:04
3
Empty Cache and Hard Reload on chrome will do the trick
answered May 30, 2022 at 17:41
0
For me it was the VPN. If you are connected to a VPN set to a different timezone, turn it off, clear the cookies and you should be able to connect.
answered Oct 6, 2022 at 7:51
In my case I was trying to fetch changes using a Git command and also got this error. It turned out that I was using the wrong URL. The .git suffix was missing. Curiously it worked the first time.
answered Jan 24 at 10:45
Torben KohlmeierTorben Kohlmeier
6,6831 gold badge15 silver badges15 bronze badges
In my case, the client date/time was set wrong.
Correcting the client computer time (activating ntp) did solve the issue.
answered May 8 at 13:11
Open
Issue created Dec 07, 2017 by
Fermulator@fermulator
Error 422 The change you requested was rejected on login
Summary
Similar to #35447 (closed), however I have a base local gitlab install, revertted back to super basic defaults in gitlab.rb configuration (only serving up HTTP). Uncertain when, (gone through a few gitlab-ce upgrades without actually logging into the web UI..), suddenly a POST to /users/sign_in results in 422 «The change you requested was rejected on login»
Steps to reproduce
TBD greenfield reproduction … but for my instance, simply trying to AUTH using web UI as a local admin account results in this error.
Example Project
TBD
What is the current bug behavior?
- gitlab-ctl status shows all services up
- user visits http://gitlab-URI:80
- server redirects to http://gitlab-URI/users/sign_in
- user enters LOCAL login credentials (in my case it’s a local admin user to gitlab)
- page goes: POST /users/sign_in HTTP/1.1 422
What is the expected correct behavior?
successful auth
(the error message hints that «I may not have access to the thing I tried to change» … but I’m auth’ing as a local admin user, also even tried the root account, and even some bogus FOO/BAR account! all the same result
is this some convoluted way of saying «invalid user/pass»? — I doubt my primary user password is wrong however… since it’s saved and I can confirm by manually typing too.
Relevant logs and/or screenshots
422
The change you requested was rejected.
Make sure you have access to the thing you tried to change.
Please contact your GitLab administrator if you think this is a mistake.services are all up
# sudo gitlab-ctl status
run: gitaly: (pid 12534) 260s; run: log: (pid 892) 300573s
run: gitlab-monitor: (pid 12548) 260s; run: log: (pid 906) 300573s
run: gitlab-workhorse: (pid 12517) 261s; run: log: (pid 893) 300573s
run: logrotate: (pid 12558) 259s; run: log: (pid 894) 300573s
run: nginx: (pid 12564) 259s; run: log: (pid 885) 300573s
run: node-exporter: (pid 12572) 258s; run: log: (pid 886) 300573s
run: postgres-exporter: (pid 12578) 258s; run: log: (pid 896) 300573s
run: postgresql: (pid 11895) 307s; run: log: (pid 916) 300573s
run: prometheus: (pid 12586) 257s; run: log: (pid 919) 300573s
run: redis: (pid 11897) 307s; run: log: (pid 891) 300573s
run: redis-exporter: (pid 12598) 257s; run: log: (pid 897) 300573s
run: sidekiq: (pid 12609) 257s; run: log: (pid 902) 300573s
run: unicorn: (pid 12616) 256s; run: log: (pid 900) 300573s/var/log/gitlab/nginx/gitlab_access.log shows:
1.0.0.6 - - [06/Dec/2017:22:03:20 -0500] "POST /users/sign_in HTTP/1.1" 422 2912 "http://gitlab-URI/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"nothing from gitlab_error.log, … also sanity checked other logs for possible AUTH failures or something else, but nothing of interest or more additional logs
/var/log/gitlab# for dir in $(ls -1 .); do echo $dir; ls -alt $dir/ | head -5; doneMy configuration for gitlab is super minimal
fermulator@fermmy-git:~$ sudo egrep -v "#" /etc/gitlab/gitlab.rb
external_url 'http://gitlab-URI:80'
git_data_dirs({
"default": {
"path": "/mnt/storage/git-data"
}
})Output of checks
n/a
Results of GitLab environment info
# gitlab-rake gitlab:env:info
System information
System: Ubuntu 14.04
Current User: git
Using RVM: no
Ruby Version: 2.3.5p376
Gem Version: 2.6.13
Bundler Version:1.13.7
Rake Version: 12.1.0
Redis Version: 3.2.5
Git Version: 2.13.6
Sidekiq Version:5.0.4
Go Version: unknown
GitLab information
Version: 10.2.3
Revision: 3141105
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: http://<GIT-URI>
HTTP Clone URL: http://<GIT-URI>/some-group/some-project.git
SSH Clone URL: git@<GIT-URI>:some-group/some-project.git
Using LDAP: no
Using Omniauth: no
GitLab Shell
Version: 5.9.4
Repository storage paths:
- default: /mnt/storage/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/gitResults of GitLab application Check
# gitlab-rake gitlab:check SANITIZE=true
Checking GitLab Shell ...
GitLab Shell version >= 5.9.4 ? ... OK (5.9.4)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
2/1 ... ok
2/2 ... ok
2/3 ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Reply by email is disabled in config/gitlab.yml
Checking LDAP ...
LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
2/1 ... yes
2/2 ... yes
2/3 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.3.5)
Git version >= 2.7.3 ? ... yes (2.13.6)
Git user has default SSH configuration? ... yes
Active users: ... 3
Checking GitLab ... FinishedPossible fixes
UNKNOWN
Edited Dec 07, 2017 by Fermulator
| type | stage | group | info |
|---|---|---|---|
|
reference |
Manage |
Authentication and Authorization |
To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments |
Troubleshooting SAML (FREE)
This page contains possible solutions for problems you might encounter when using:
- SAML SSO for GitLab.com groups.
- The self-managed instance-level SAML OmniAuth Provider.
SAML debugging tools
SAML responses are base64 encoded, so we recommend the following browser plugins to decode them on the fly:
- SAML-tracer for Firefox.
- SAML Message Decoder for Chrome.
Pay specific attention to:
- The
NameID, which we use to identify which user is signing in. If the user has previously signed in, this
must match the value we have stored. - The presence of a
X509Certificate, which we require to verify the response signature. - The
SubjectConfirmationandConditions, which can cause errors if misconfigured.
Generate a SAML response
Use SAML responses to preview the attribute names and values sent in the assertions list while attempting to sign in
using an identity provider.
To generate a SAML Response:
- Install one of the browser debugging tools.
- Open a new browser tab.
- Open the SAML tracer console:
- Chrome: On a context menu on the page, select Inspect, then select the SAML tab in the opened developer
console. - Firefox: Select the SAML-tracer icon located on the browser toolbar.
- Chrome: On a context menu on the page, select Inspect, then select the SAML tab in the opened developer
- Go to the GitLab single sign-on URL for the group in the same browser tab with the SAML tracer open.
- Select Authorize or attempt to sign in. A SAML response is displayed in the tracer console that resembles this
example SAML response. - Within the SAML tracer, select the Export icon to save the response in JSON format.
Testing GitLab SAML
You can use one of the following to troubleshoot SAML:
- A complete GitLab with SAML testing environment using Docker compose.
- A quick start guide to start a Docker container
with a plug and play SAML 2.0 identity provider if you only require a SAML provider. - A local environment by
enabling SAML for groups on a self-managed instance.
Verify configuration
For convenience, we’ve included some example resources used by our Support Team. While they may help you verify the SAML app configuration, they are not guaranteed to reflect the current state of third-party products.
Calculate the fingerprint
If you use a idp_cert_fingerprint, it must be a SHA1 fingerprint. To calculate a SHA1 fingerprint, download the certificate file and run:
openssl x509 -in <filename.crt> -noout -fingerprint -sha1
Replace filename.crt with the name of the certificate file.
Searching Rails log for a SAML response (FREE SELF)
You can find the base64-encoded SAML Response in the production_json.log.
This response is sent from the identity provider, and contains user information that is consumed by GitLab.
Many errors in the SAML integration can be solved by decoding this response and comparing it to the SAML settings in the GitLab configuration file.
For example, with SAML for groups,
you should be able to find the base64 encoded SAML response by searching with the following filters:
json.meta.caller_id:Groups::OmniauthCallbacksController#group_samljson.meta.userorjson.username:usernamejson.method:POSTjson.path:/groups/GROUP-PATH/-/saml/callback
In a relevant log entry, the json.params should provide a valid response with:
"key": "SAMLResponse"and the"value": (full SAML response),"key": "RelayState"with"value": "/group-path", and"key": "group_id"with"value": "group-path".
You should also check the decoded SAML response with the following filters
in case the customer has configured SAML Group Sync:
json.class:GroupSamlGroupSyncWorkerjson.args:<user ID> or <group ID>
In the relevant log entry, the:
json.argsare in the form<userID>, <group ID>, [group link ID 1, group link ID 2, ..., group link ID N].json.extra.group_saml_group_sync_worker.stats.*fields show how many times
this run of group syncadded,removedorchangedthe user’s membership.
In some cases, if the SAML response is lengthy, you may receive a "key": "truncated" with "value":"...".
In these cases, use one of the SAML debugging tools, or for SAML SSO for groups,
a group owner can get a copy of the SAML response from when they select
the «Verify SAML Configuration» button on the group SSO Settings page.
Use a base64 decoder to see a human-readable version of the SAML response. To avoid pasting the SAML response online to decode it, you can use your
browser’s console in the developers tools:
atob(decodeURI("<paste_SAML_response_here>"))
You should get the SAML response in XML format as output.
Configuration errors
Invalid audience
This error means that the identity provider doesn’t recognize GitLab as a valid sender and
receiver of SAML requests. Make sure to:
- Add the GitLab callback URL to the approved audiences of the identity provider server.
- Avoid trailing whitespace in the
issuerstring.
Key validation error, Digest mismatch or Fingerprint mismatch
These errors all come from a similar place, the SAML certificate. SAML requests
must be validated using either a fingerprint, a certificate, or a validator.
For this requirement, be sure to take the following into account:
- If you use a fingerprint, it must be the correct SHA1 fingerprint. To confirm that you are using
the correct SHA1 fingerprint:- Re-download the certificate file.
- Calculate the fingerprint.
- Compare the fingerprint to the value provided in
idp_cert_fingerprint. The values should be the same.
- If no certificate is provided in the settings, a fingerprint or fingerprint
validator needs to be provided and the response from the server must contain
a certificate (<ds:KeyInfo><ds:X509Data><ds:X509Certificate>). - If a certificate is provided in the settings, it is no longer necessary for
the request to contain one. In this case the fingerprint or fingerprint
validators are optional.
If none of the above described scenarios is valid, the request
fails with one of the mentioned errors.
Missing claims, or Email can't be blank errors
The identity provider server needs to pass certain information in order for GitLab to either
create an account, or match the login information to an existing account. email
is the minimum amount of information that needs to be passed. If the identity provider server
is not providing this information, all SAML requests fail.
Make sure this information is provided.
Another issue that can result in this error is when the correct information is being sent by
the identity provider, but the attributes don’t match the names in the OmniAuth info hash. In this case,
you must set attribute_statements in the SAML configuration to
map the attribute names in your SAML Response to the corresponding OmniAuth info hash names.
User sign in banner error messages
Message: «SAML authentication failed: Extern UID has already been taken»
This error suggests you are signed in as a GitLab user but have already linked your SAML identity to a different GitLab user. Sign out and then try to sign in again using SAML, which should log you into GitLab with the linked user account.
If you do not wish to use that GitLab user with the SAML login, you can unlink the GitLab account from the SAML app.
Message: «SAML authentication failed: User has already been taken»
The user that you’re signed in with already has SAML linked to a different identity, or the NameID value has changed.
Here are possible causes and solutions:
| Cause | Solution |
|---|---|
| You’ve tried to link multiple SAML identities to the same user, for a given identity provider. | Change the identity that you sign in with. To do so, unlink the previous SAML identity from this GitLab account before attempting to sign in again. |
The NameID changes every time the user requests SSO identification |
Check the NameID is not set with Transient format, or the NameID is not changing on subsequent requests. |
Message: «SAML authentication failed: Email has already been taken»
| Cause | Solution |
|---|---|
| When a user account with the email address already exists in GitLab, but the user does not have the SAML identity tied to their account. | The user needs to link their account. |
User accounts are created in one of the following ways:
- User registration
- Sign in through OAuth
- Sign in through SAML
- SCIM provisioning
Message: «SAML authentication failed: Extern UID has already been taken, User has already been taken»
Getting both of these errors at the same time suggests the NameID capitalization provided by the identity provider didn’t exactly match the previous value for that user.
This can be prevented by configuring the NameID to return a consistent value. Fixing this for an individual user involves changing the identifier for the user. For GitLab.com, the user needs to unlink their SAML from the GitLab account.
Message: «Request to link SAML account must be authorized»
Ensure that the user who is trying to link their GitLab account has been added as a user within the identity provider’s SAML app.
Alternatively, the SAML response may be missing the InResponseTo attribute in the
samlp:Response tag, which is expected by the SAML gem.
The identity provider administrator should ensure that the login is
initiated by the service provider and not only the identity provider.
Message: «There is already a GitLab account associated with this email address. Sign in with your existing credentials to connect your organization’s account» (PREMIUM SAAS)
A user can see this message when they are trying to manually link SAML to their existing GitLab.com account.
To resolve this problem, the user should check they are using the correct GitLab password to sign in. The user first needs
to reset their password if both:
- The account was provisioned by SCIM.
- They are signing in with username and password for the first time.
Other user sign in issues
Verify NameID
In troubleshooting, any authenticated user can use the API to verify the NameID GitLab already has linked to their user by visiting https://gitlab.com/api/v4/user and checking the extern_uid under identities.
For self-managed, administrators can use the users API to see the same information.
When using SAML for groups, group members of a role with the appropriate permissions can make use of the members API to view group SAML identity information for members of the group.
This can then be compared to the NameID being sent by the identity provider by decoding the message with a SAML debugging tool. We require that these match to identify users.
Stuck in a login «loop»
Ensure that the GitLab single sign-on URL (for GitLab.com) or the instance URL (for self-managed) has been configured as «Login URL» (or similarly named field) in the identity provider’s SAML app.
For GitLab.com, alternatively, when users need to link SAML to their existing GitLab.com account, provide the GitLab single sign-on URL and instruct users not to use the SAML app on first sign in.
Users receive a 404 (PREMIUM SAAS)
Because SAML SSO for groups is a paid feature, your subscription expiring can result in a 404 error when you’re signing in using SAML SSO on GitLab.com.
If all users are receiving a 404 when attempting to sign in using SAML, confirm
there is an active subscription being used in this SAML SSO namespace.
If you receive a 404 during setup when using «verify configuration», make sure you have used the correct
SHA-1 generated fingerprint.
If a user is trying to sign in for the first time and the GitLab single sign-on URL has not been configured, they may see a 404.
As outlined in the user access section, a group Owner needs to provide the URL to users.
If all users are receiving a 404 after signing in to the identity provider (IdP):
-
Verify the
assertion_consumer_service_url:- In the GitLab configuration by matching it to the HTTPS endpoint of GitLab.
- As the
Assertion Consumer Service URLor equivalent when setting up the SAML app on your IdP.
-
Verify if the
404is related to the user having too many groups assigned to them in their Azure IdP by checking:- If the user has group links configured.
- Audit events if the user gets added to the group and then immediately removed.
For configuration examples for some of the common providers, see the example group SAML and SCIM configurations.
500 error after login (FREE SELF)
If you see a «500 error» in GitLab when you are redirected back from the SAML
sign-in page, this could indicate that:
- GitLab couldn’t get the email address for the SAML user. Ensure the identity provider provides a claim containing the user’s
email address using the claim nameemailormail. - The certificate set your
gitlab.rbfile foridentity provider_cert_fingerprintoridentity provider_certfile is incorrect. - Your
gitlab.rbfile is set to enableidentity provider_cert_fingerprint, andidentity provider_certis being provided, or the reverse.
422 error after login (FREE SELF)
If you see a «422 error» in GitLab when you are redirected from the SAML
sign-in page, you might have an incorrectly configured Assertion Consumer
Service (ACS) URL on the identity provider.
Make sure the ACS URL points to https://gitlab.example.com/users/auth/saml/callback, where
gitlab.example.com is the URL of your GitLab instance.
If the ACS URL is correct, and you still have errors, review the other
Troubleshooting sections.
User is blocked when signing in through SAML (FREE SELF)
The following are the most likely reasons that a user is blocked when signing in through SAML:
- In the configuration,
gitlab_rails['omniauth_block_auto_created_users'] = trueis set and this is the user’s first time signing in. required_groupsare configured but the user is not a member of one.
Google workspace troubleshooting tips
The Google Workspace documentation on SAML app error messages is helpful for debugging if you are seeing an error from Google while signing in.
Pay particular attention to the following 403 errors:
app_not_configuredapp_not_configured_for_user
SAML Name ID and email address do not match your user account (PREMIUM SAAS)
If users encounter the error SAML Name ID and email address do not match your user account. Contact an administrator.
this means:
- The NameID value sent by SAML does not match the existing SAML identity
extern_uidvalue. - Either the SAML response did not include an email address or the email address did not match the user’s GitLab email address.
A GitLab group Owner can use the SAML API to update the user’s SAML extern_uid.
The extern_uid value must match the Name ID value sent by the SAML identity provider (IdP). Depending on the IdP configuration
this may be a generated unique ID, an email address, or other value.
Message: «The member’s email address is not linked to a SAML account» (PREMIUM SAAS)
This error appears when you try to invite a user to a GitLab.com group (or subgroup or project within a group) that has SAML SSO enforcement enabled.
If you see this message after trying to invite a user to a group:
- Ensure the user has been added to the SAML identity provider.
- Ask the user to link SAML to their existing GitLab.com account, if they have one. Otherwise, ask the user to create a GitLab.com account by accessing GitLab.com through the identity provider’s dashboard, or by signing up manually and linking SAML to their new account.
Firefox 68.0.1. I can’t sign in to Gitlab. I get an HTTP 422 error with the following message:
The change you requested was rejected.
Make sure you have access to the thing you tried to change.
Please contact your GitLab administrator if you think this is a mistake.
Cleaning all data in browser doesn’t help.
With Chromium I don’t have any problems and I can sign in as expected.
Run5k
15.7k24 gold badges49 silver badges63 bronze badges
asked Aug 10, 2019 at 22:36
Closed. Firefox fixed it self.
answered Aug 14, 2019 at 23:14
TeoyaomquiTeoyaomqui
511 silver badge8 bronze badges
1
There 2 choice:
- Allowe cookies (without 3rd party cookies) on Firefox
- Set or resetting system clock
These Work for me.
answered Feb 17, 2020 at 10:27
shgnIncshgnInc
4357 silver badges17 bronze badges
I got into trouble after installing Gitlab on CentOs7. For the first time I was redirected to the admin password creation page and after the password for the admin user, the server sent error.
422
The change you requested was rejected.
I had set the url value based on the site guide.
Set the external_url in /etc/gitlab/gitlab.rb:
external_url "https://example.com/gitlab"
I checked the links below for similar situations. I didn’t find the right answer. My server was in the local area and had no internet access.
Error 422 after installing gitlab on Ubuntu 18.04
After Update Error: «422 The change you requested was rejected.»
Error 422 after installing Gitlab on Ubuntu 16.04