Open 73VW opened 1 year ago
The "Link Account" button in the email only redirects to the company login page without allowing the user to log in locally, which prevents any user from linking an IDP identity to a local account.
Am I understanding this correctly: this is more of a feature request to allow admins to link any account to any IDP identity? After clicking the "Link Account" button in your email, is a new account created for you to log in with?
Hello @hubertdeng123,
I don't know exactly. The documentation states:
"From here, you can send reminders to any existing members who existed prior to the integration, and they will receive an email prompt to link their accounts."
but that's not the real behaviour. The link in the mail only brings the user to a login page without any possibility of linking their account.
We ran the test with one of my colleagues on a clone of our self-hosted instance.
He had a Sentry account with an email in the format <firstname>.<lastname>@vnv.ch.
He got the link, clicked on it, and a new account with the email <first letter of firstname>.<lastname>@vnv.ch was created for him (because in the IDP his email is <first letter of firstname>.<lastname>@vnv.ch).
He was never asked to link the identity from the IDP to his account <firstname>.<lastname>@vnv.ch.
He ended up with two accounts: an old one with all his data, which he cannot log in to, and a new one that is completely empty.
After doing this, the number of unlinked members shown here remains the same!
In my opinion, an old user should be able to link his old account with his identity in the IDP.
This issue has gone three weeks without activity. In another week, I will close it.
But! If you comment or otherwise update it, I will reset the clock, and if you label it "Status: Backlog" or "Status: In Progress", I will leave it alone ... forever!
"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
Reset the clock!
This issue has gone three weeks without activity. In another week, I will close it.
But! If you comment or otherwise update it, I will reset the clock, and if you remove the label "Waiting for: Community", I will leave it alone ... forever!
"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
Reset the clock!
Let me transfer this over to Sentry to see if they have more to say there, since this doesn't appear to be just a self-hosted issue.
Assigning to @getsentry/support for routing ⏲️
Routing to @getsentry/product-owners-settings-auth for triage ⏲️
Hi. Thanks for the feedback. If your emails are an identical match, we would bring you into the account linking flow.
We'll address this issue when we make changes to the SAML flow.
In the meantime, you can add f.lastname@company.com as a secondary email to your Sentry account and it should start the linking flow.
Hello,
Thank you for your answer. We will do it this way then.
Self-Hosted Version
23.5.1
CPU Architecture
x86_64
Docker Version
24.0.1
Docker Compose Version
2.18.1
Steps to Reproduce
1) Create a user account (not admin) with an email address
2) Configure SAML Login to a generic SAML2 IDP (DUO Security)
3) Click on the link in the email
4) Click on the "Login with SAML2" button
5) Login with IDP
Expected Result
I expect to be able to login with my old account and link it to the IDP identity.
In our company, we have mail aliases in the following formats:
<first letter of firstname>.<lastname>@vnv.ch
<firstname>.<lastname>@vnv.ch
Using my e-mail, that would be m.pedretti@vnv.ch and mael.pedretti@vnv.ch.
If my sentry account is created with mael.pedretti@vnv.ch and the email in the IDP is m.pedretti@vnv.ch, I won't be able to link it.
The admin setting everything up can link any account to any IDP identity but not the end user if he is disconnected.
Actual Result
A new account is created without the user ever being asked to link the account.
Event ID
No response
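The two passages above describe the same mechanism from both sides: the reporter's IDP asserts an alias (m.lastname) while the local account was created with the full address, so the login never reaches the linking flow, and the Sentry reply explains that linking is only offered on an identical email match, with a secondary email as the workaround. The following is an added example written for this thread, not Sentry's code or its actual matching logic; it models a minimal identity-resolution step that looks an IdP-asserted address up against each local account's primary and verified secondary emails, and shows why an unverified secondary address must not count. All names (LocalUser, Directory, resolve_sso_login) and the example.com addresses are constructed for the illustration.

```python
# Added example (not Sentry's code): a toy model of how an SSO login is
# matched against existing local accounts, and why a verified secondary
# email makes the linking flow trigger instead of creating a duplicate.
from dataclasses import dataclass, field


def normalize_email(email: str) -> str:
    """Canonical form used for matching: trimmed and lower-cased."""
    return email.strip().lower()


@dataclass
class LocalUser:
    username: str
    primary_email: str
    # secondary email -> whether the user has proven ownership of it
    secondary_emails: dict = field(default_factory=dict)

    def owns_email(self, email: str) -> bool:
        """True if `email` is the primary address or a *verified* secondary one.

        Unverified addresses are deliberately ignored: if they counted, any
        local user could attach someone else's IdP address to their own
        account and have that person's SSO identity linked to it.
        """
        target = normalize_email(email)
        if normalize_email(self.primary_email) == target:
            return True
        return any(
            normalize_email(addr) == target and verified
            for addr, verified in self.secondary_emails.items()
        )


class Directory:
    """Minimal user store with the identity-resolution step of an SSO login."""

    def __init__(self, users):
        self.users = list(users)

    def find_by_email(self, email: str):
        for user in self.users:
            if user.owns_email(email):
                return user
        return None

    def resolve_sso_login(self, idp_email: str):
        """Return ("link", user) when the IdP identity maps to an existing
        account, or ("create", new_user) when no account owns that address."""
        existing = self.find_by_email(idp_email)
        if existing is not None:
            return "link", existing
        canonical = normalize_email(idp_email)
        created = LocalUser(username=canonical, primary_email=canonical)
        self.users.append(created)
        return "create", created


def run_scenario():
    """Replay the report with constructed addresses on example.com."""
    outcomes = {}

    # 1. IdP asserts the short alias; no local account owns it -> duplicate account.
    directory = Directory([LocalUser("jane", "jane.doe@example.com")])
    action, user = directory.resolve_sso_login("J.Doe@example.com")
    outcomes["alias_only"] = (action, user.username)

    # 2. The alias is attached as an *unverified* secondary email -> still a duplicate.
    directory = Directory([LocalUser("jane", "jane.doe@example.com",
                                     {"j.doe@example.com": False})])
    action, user = directory.resolve_sso_login("j.doe@example.com")
    outcomes["unverified_secondary"] = (action, user.username)

    # 3. The alias is a verified secondary email -> the existing account is linked.
    directory = Directory([LocalUser("jane", "jane.doe@example.com",
                                     {"j.doe@example.com": True})])
    action, user = directory.resolve_sso_login("j.doe@example.com")
    outcomes["verified_secondary"] = (action, user.username)
    return outcomes


if __name__ == "__main__":
    for name, (action, who) in run_scenario().items():
        print(f"{name:22s} -> {action} {who}")
```

Scenario 1 reproduces the reporter's result (a fresh, empty account named after the alias), scenario 3 is the workaround from the Sentry reply, and scenario 2 is the caveat a self-hosted admin should keep in mind when adopting that workaround: the secondary address has to be confirmed by the account owner before it is allowed to attract an SSO identity.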