getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

[9.1.0] SAML SSO with ADFS: Signature validation failed - Signing Certificate rotation #17730

Open stumbaumr opened 4 years ago

stumbaumr commented 4 years ago

Description

I connected our on-premise Sentry with our Active Directory using Active Directory Federation Services (ADFS), which also provides SAML2. Every year ADFS creates a new signing certificate and for some time sends both certificates in the response. Some applications see the new certificate and import the fingerprint or public key into their config automatically, some do not.

Sentry seems to be on the not side... so now authentication does not work, since the old certificate became invalid and the new one has not been accepted.

Steps to Reproduce

  1. Configure SSO auth with AD using SAML and ADFS
  2. Wait until the old Signing certificate expires (usually one year)...
  3. See the following error message "Authentication error: SAML SSO failed, Signature validation failed. SAML Response rejected" after trying to log on.


What you expected to happen

The roll over of the signing certificate should be automatic.

Possible Solution

As soon as the SAML response includes more than one certificate, import the newer one into the SAML settings. So basically this, in an automated fashion: https://aws.amazon.com/de/blogs/security/how-to-set-up-uninterrupted-federated-user-access-to-aws-using-ad-fs/
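Added example, not code from Sentry or from this thread: the rollover check the comment above asks for, run against the ADFS federation metadata rather than a login response (certificates inside an inbound SAML Response are chosen by whoever sent it, so only metadata fetched from the IdP's own endpoint should drive an import). It lists every signing certificate ADFS publishes and returns the ones the SP has not configured yet, so the new one can be added before the old one expires. The metadata, entityID and certificate bodies are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder certificate bodies (not real DER); a real ADFS
# FederationMetadata.xml carries full base64-encoded X.509 certificates here.
CERT_OLD = base64.b64encode(b"constructed-old-token-signing-cert").decode()
CERT_NEW = base64.b64encode(b"constructed-new-token-signing-cert").decode()
CERT_ENC = base64.b64encode(b"constructed-token-decrypting-cert").decode()

# Constructed metadata: two signing keys, as ADFS publishes during rollover,
# plus the encryption key, which must not be mistaken for a signing key.
METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{CERT_NEW}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data><X509Certificate>
      {CERT_OLD}
    </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{CERT_ENC}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the certificate's DER bytes, colon-separated."""
    der = base64.b64decode("".join(cert_b64.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def signing_certs(metadata_xml: str) -> list[str]:
    """Base64 bodies of every signing certificate in the IdP metadata, in
    document order. A KeyDescriptor without a 'use' attribute may be used for
    either purpose, so it is treated as a signing key too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join(cert.text.split()))  # strip line-wrapping whitespace
    return certs


def unknown_signing_certs(metadata_xml: str, trusted_fps: set[str]) -> list[str]:
    """Fingerprints of published signing certs the SP has not configured. A
    non-empty result means rollover has started: import the new certificate
    before the old one expires and logins fail with 'Signature validation failed'."""
    return [fp for fp in map(fingerprint, signing_certs(metadata_xml)) if fp not in trusted_fps]
```

In practice `trusted_fps` is the fingerprint set of the certificate(s) in the SP's SAML settings and `METADATA` is the body fetched from the IdP's federation metadata endpoint.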

maxp1256 commented 4 years ago

We have the same problem with Sentry 10 on-premise. A workaround is to remove the secondary token-signing and encryption certificate:

```powershell
# List the certificates and note the thumbprint of the old certificate from each listing
Get-AdfsCertificate -CertificateType token-signing
Get-AdfsCertificate -CertificateType token-decrypting

# Disable automatic rollover, remove the old certificates, then re-enable rollover.
# <old-decrypting-thumbprint> and <old-signing-thumbprint> are placeholders for
# the thumbprints noted above.
Set-AdfsProperties -AutoCertificateRollover $false
Remove-AdfsCertificate -CertificateType token-decrypting -Thumbprint <old-decrypting-thumbprint>
Remove-AdfsCertificate -CertificateType token-signing -Thumbprint <old-signing-thumbprint>
Set-AdfsProperties -AutoCertificateRollover $true
```

github-actions[bot] commented 3 years ago

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Accepted, I will leave it alone ... forever!

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

BYK commented 3 years ago

ping @getsentry/enterprise for triage

leedongwei commented 3 years ago

@stumbaumr Thanks for the detailed report!

BYK commented 3 years ago

@leedongwei I think this is fixed with the recent work on SSO and SAML?