getsentry / sentry


Sentry doesn't sign SAML2 Auth requests #67371

Open IvanovOleg opened 7 months ago

IvanovOleg commented 7 months ago

Environment

self-hosted (https://develop.sentry.dev/self-hosted/)

Steps to Reproduce

Keycloak is configured with the following IdP metadata (note `WantAuthnRequestsSigned="true"` on the IDPSSODescriptor):

<md:EntityDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:KeyName>h49uzRoak2d34nMt60aw8doL_F8fy5HcYDaX-RbtQgY</ds:KeyName>
                <ds:X509Data>
                    <ds:X509Certificate>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</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test/protocol/saml/resolve" index="0"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test/protocol/saml"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test/protocol/saml"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test/protocol/saml"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test/protocol/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test/protocol/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test/protocol/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test/protocol/saml"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>

Expected Result

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxf0a222fd-67f3-223d-4c15-502862b7b639" Version="2.0" IssueInstant="2024-03-20T20:01:12Z" Destination="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test/protocol/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://sentry-sentry.apps-crc.testing/saml/acs/sentry/">
    <saml:Issuer>https://sentry-sentry.apps-crc.testing/saml/metadata/sentry/</saml:Issuer>
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#pfxf0a222fd-67f3-223d-4c15-502862b7b639">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>glTHArD4UXVRlA7gnYpKjstJvaQ=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>CqluMzec1h4SwDt6ObmVE23RGe8+0TLRXO6YNANWmgnuqDQ3REWfhlZxZrjVvEia2EzVbbb0ZjwjZovjCFMG2A/U3SJv8K2WsRHF6G9Ehws0GEHDaAS+z+KJA8BsoR15dtAio6cs9QZV7WSN/On2H0lpqtBd2u+xTlEBzUMWxVYxkPOmMcIzajt39V/C7jp+Pl5f1tXGtuvM0Urq1xPVFT4NUuCwPI6qAvNYR3Jcruxrg3EeFlGKrFsaU7RQccZ57ZJqzxj6tfnlKoqx0/Gw1HoUctbaeF4bBsEAq5eZpkHgcDP3Uj20FqToOIyw3XzNVom5zVbCf4Dkt2oVhbgDvw==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>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</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>

Actual Result

<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="ONELOGIN_1d8872cb2787be732a3a8b061a797bbb042f74e6"
  Version="2.0"
  IssueInstant="2024-03-20T20:01:12Z"
  Destination="https://keycloak-rhsso-operator.apps-crc.testing/auth/realms/test/protocol/saml"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="https://sentry-sentry.apps-crc.testing/saml/acs/sentry/">
    <saml:Issuer>https://sentry-sentry.apps-crc.testing/saml/metadata/sentry/</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        AllowCreate="true" />

</samlp:AuthnRequest>

Product Area

Settings - Auth

Link

No response

DSN

No response

Version

24.2.0

getsantry[bot] commented 7 months ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 7 months ago

Routing to @getsentry/product-owners-settings-auth for triage ⏲️

leedongwei commented 7 months ago

Hello. Thanks for the feature request. Unfortunately, we are unlikely to prioritize work to enable WantAuthnRequestsSigned. There is a workaround in this thread: https://github.com/getsentry/sentry/issues/61522#issuecomment-1868104478