SAML SSO: support IDP initiated SAML without a first successful SP initiated SAML workflow

[dixneuf19]

Problem Statement

Hi, We recently signed a contract with Sentry to migrate our hard to maintain self-hosted Sentry to SaaS.

One of the key requirement before on-boarding any developers into the new platform is having a proper SSO in place. Our company (in the financial domain) uses IBM Security Access Manager (ISAM) as IDP provider. It does support SAML 2.0 protocol for authentication, but has also some security restrictions in place.

One of this restriction is forcing WantAuthnRequestsSigned parameter to true, which forces to sign the initial SAML request from the SP (sentry) to the IDP (ISAM). Most of SAML service provider just don't support this option : we have this issue with AWS, Datadog, Productboard and I found that Okta does not support it neither. I also found in Sentry code that is not activated on the generic SAML provider.

The main workaround we had with other SP is using "SAML IDP initiated mode", which means we don't click on "connect with SSO" in the SP website (here Sentry), but we use a special link from the IDP (here ISAM) which authenticate us and then redirect us to the SP (Sentry). While the UX is not great, this is the current workaround solution for a lot of our tools.

IDP initiated mode is supported by Sentry. However, I did not find how to setup it without making SP initiated mode working first. Indeed,

• if use the IDP initiated link, when I am redirected to Sentry, I have an error that SSO SAML is currently not activated
• If I try to activate SSO SAML, I can enter all information, it will try to contact the IDP and then receive an error since it does not sign authn request. The SAML configuration is then rollback (to avoid any lock out ?), so IDP initiated mode won't work

There is to my knowledge no way to activate SAML SSO without first having a succesful SP initiated SAML workflow, which will never happen in our case with the WantAuthnRequestsSigned=true option in place.

We therefore are currently stuck with a new but unusable (SSO is a hard requirement for the company) Sentry SaaS subscription.

Solution Brainstorm

There are several solution, which varying degrees of difficulties:

• forcing, with the Help of support, the activation of SSO SAML in Sentry database for our organization, even if SP Initiated SAML workflow did not succeed. Depending on the complexity of the database, this may be feasible, but I don't know if this a practice at all.
• Negotiating with our SSO team and Security to remove the WantAuthnRequestsSigned=true constraint while we set up the SSO. Then, if IDP initiated mode is working correctly, we can put back the option in place and IDP initiated should still work. This could be the fastest solution if it is feasible with ISAM, and some internal support to validate the temporary exception. I'll start to look into it in parallel.
• Having an option to activate SAML without validating a full SAML SP initiated workflow. In term of implementation for sentry's code, that might be the simplest. However it is also a dangerous option, maybe hidden behind an organization wide feature flag. It would be a solution for use case were only IDP initiated SAML is supported.
• Supporting WantAuthnRequestsSigned=true. It would mean adding more option in the current SAML setup, with inputs for certificate. This would increase complexity, and since it is a feature often not supported with major providers, I don't think it is a viable path.

Product Area

Settings - Auth

[getsantry[bot]]

Assigning to @getsentry/support for routing ⏲️

[getsantry[bot]]

Routing to @getsentry/product-owners-settings-auth for triage ⏲️

[leedongwei]

Hello! Can you reach out to support@sentry.io? The after-sales support team will help you with the setup.

We'll probably opt to unblock you quickly with a manual setup.

[dixneuf19]

Hi @leedongwei

We are already in contact with support team by mail and zendesk, and they asked us to create this issue.

Anyway, it is a way to clarify the situation for everyone. I'll ping back the support team.

[leedongwei]

@dixneuf19 Gotcha, I've reached out to the SE on your account. We need some info from your side, and I'll work with the Ops team to manually put it into the DB. If you can send us the info by today, I can unblock you by Mon/Tue.

[waitingwu]

@dixneuf19 We also encountered this issue with Sentry Self-Hosted. Did you find a way to disable ISAM signing check while Sentry not supporting it currently?

[dixneuf19]

Hi @waitingwu

The solution to disable ISAM signing check has been rejected by the IDP team, since it would be a global option for all apps using the IDP, not just Sentry...

The real workaround we have (and it now works) was going through Sentry support team, which manually activated (through database operations ?) SAML, without going through the whole SAML SP iniated workflow.

Note that it seems that once SAML is activated, you can modify its parameters without going through the SP initiated workflow. It means that another workaround is adding a temporary other SAML idp to active SAML in Sentry, then configuring it with the problematic IDP.

[leedongwei]

@waitingwu For self-hosted, you use this script through Django shell.

from sentry.models.authprovider import AuthProvider
from sentry.models.organization import Organization

target_config = {
  "attribute_mapping": {
    "last_name": "lastName",
    "first_name": "firstName",
    "identifier": "identifier",
    "user_email": "emailAddress"
  },
  "idp": {
    "sso_url": "https://www.YOUR_DOMAIN.com/YOUR_SSO_URL",
    "entity_id": "YOUR_ENTITY_ID",
    "x509cert": "YOUR_x509_CERT",
    "slo_url": null  # Optional 
  }
}

target_org = Organization.objects.get(id=YOUR_ORG_ID, slug="YOUR_ORG_SLUG")
target_provider = AuthProvider.objects.create(
    organization_id=target_org.id, provider="saml2", config=target_config
)