Closed: shaxiaozz closed this issue 9 months ago
I think I know the problem: I modified the Keycloak SAML configuration and changed the Name ID Format from email to the default value (username).
Therefore, the effective Keycloak configuration steps should be like this (hope it can help others in the future):
Mapping Settings:
Self-Hosted Version: 23.10.1
CPU Architecture: x86_64
Docker Version: 20.10.25
Docker Compose Version: 2.23.0
Steps to Reproduce
Install and start Sentry. Clone self-hosted Sentry:
git clone https://github.com/getsentry/self-hosted.git
Switch branch: git checkout 23.10.1
Start the install script: ./install.sh
Stop the containers and add system.url-prefix: 'http://localhost:9000'
to config.yml. Start Sentry: docker-compose up -d
Start Keycloak. My Keycloak image: quay.io/keycloak/keycloak:23.0.4. Keycloak starts with Docker.
Set up Keycloak. Set up a new client within Keycloak under the master realm. Settings:
Set up SAML2 within Sentry. Use the Metadata URL method:
Enter in the required field:
user_email
After clicking Save Configuration, perform Keycloak SSO user verification. After successful verification, it jumps back to Sentry, and the following error message appears.
Error Msg:
Authentication error: Single sign-on SAML SSO failed, There is no AttributeStatement on the Response
Expected Result
I expected that after successfully authenticating the Keycloak SSO user, it would jump to Sentry normally. Now I can't proceed with the next step of the configuration!
I Googled this error "There is no AttributeStatement on the Response" and found that Sentry expected to receive specific attributes (an AttributeStatement) in the SAML response sent by Keycloak, but did not actually receive these attributes.
But I don't know how to configure this. I also checked the Sentry documentation and found no corresponding error message.
I also suspect that Keycloak is not carrying firstName and lastName over, so I referred to issue https://github.com/getsentry/self-hosted/issues/1571 and configured the Keycloak SAML client mappers.
Actual Result
I observed that Keycloak has no error or warning logs.
As for the Sentry saml2 auth authentication log, I don't know which container is responsible for processing and recording the log, because I haven't checked it. If possible, can you tell me how to check the saml2 auth authentication log? I will add the log as soon as possible.
Event ID: No response
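An added diagnostic for the error in this report (this is example code written for this page, not code from the issue author, Sentry, or Keycloak): it parses an already base64-decoded SAML Response and reports whether the Assertion carries an AttributeStatement, which of the attributes named on this page (user_email, firstName, lastName) are present, and which NameID Format the IdP sent, so the result can be compared against the Keycloak client's Name ID Format and mapper settings. The two sample responses are constructed for the example; the attribute names and the "required"/"optional" split are assumptions taken from the report, not from Sentry's implementation.

```python
"""Inspect a decoded SAML Response for the conditions behind Sentry's
"There is no AttributeStatement on the Response" error.

Assumptions (example code, not Sentry's or Keycloak's own):
- xml_text is the SAMLResponse form field after base64 decoding;
- user_email is the attribute the Sentry form on this page asks for, and
  firstName / lastName are the mapper attributes the report mentions;
- the sample XML documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def parse_response(xml_text):
    """Return NameID value/format and the attributes of the first Assertion.
    Raises ValueError when the document is not a samlp:Response or has no
    Assertion, so callers never mistake a stray page for an empty response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no saml:Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    stmt = assertion.find("saml:AttributeStatement", NS)
    attrs = {}
    if stmt is not None:
        for attr in stmt.findall("saml:Attribute", NS):
            attrs[attr.get("Name")] = [
                v.text or "" for v in attr.findall("saml:AttributeValue", NS)
            ]
    return {
        "name_id": None if name_id is None else (name_id.text or ""),
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "has_attribute_statement": stmt is not None,
        "attributes": attrs,
    }


def diagnose(xml_text, required=("user_email",), optional=("firstName", "lastName")):
    """Return a list of findings; an empty list means the response carries an
    AttributeStatement with every attribute this page's mapping asks for."""
    info = parse_response(xml_text)
    findings = []
    if not info["has_attribute_statement"]:
        findings.append("no AttributeStatement in the Assertion: the IdP client "
                        "has no attribute mappers configured")
    for name in required:
        if name not in info["attributes"]:
            findings.append("required attribute %r missing" % name)
    for name in optional:
        if name not in info["attributes"]:
            findings.append("optional attribute %r missing" % name)
    return findings


# Constructed sample: mappers configured, NameID sent as an e-mail address.
SAMPLE_WITH_ATTRIBUTES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="%s">alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="user_email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % NAMEID_EMAIL

# Constructed sample: no mappers, so the Assertion has no AttributeStatement.
SAMPLE_WITHOUT_ATTRIBUTES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:NameID Format="%s">alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""" % NAMEID_UNSPECIFIED


if __name__ == "__main__":
    for label, doc in (("with mappers", SAMPLE_WITH_ATTRIBUTES),
                       ("without mappers", SAMPLE_WITHOUT_ATTRIBUTES)):
        info = parse_response(doc)
        print(label, "NameID format:", info["name_id_format"])
        for finding in diagnose(doc) or ["ok"]:
            print("  -", finding)
```

To use it against a real login, paste the decoded SAMLResponse from the browser's POST to Sentry into xml_text; when the output lists "no AttributeStatement", the fix is on the Keycloak client's mapper tab, not in Sentry, and the printed NameID format tells you which Name ID Format the client currently sends.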