getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

SAML2 Assertion Encryption #75816

Open beninabox opened 3 months ago

beninabox commented 3 months ago

Environment

self-hosted (https://develop.sentry.dev/self-hosted/)

What are you trying to accomplish?

I'm configuring SSO via a generic SAML provider. All works well, but our company requires SAML Assertion Encryption, which I'm struggling to set up. I would like to set up an x509 certificate for this purpose.

How are you getting stuck?

As far as I can tell, there doesn't appear to be a way to configure an x509 certificate for this purpose. Either I'm not reading the documentation correctly, or alternatively it is not supported by Sentry's SAML config. Any idea which it could be? If it's possible, would I be able to get some guidance on how?

Where in the product are you?

Settings - Auth

Link

No response

DSN

No response

Version

24.7.1

getsantry[bot] commented 3 months ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 3 months ago

Routing to @getsentry/product-owners-settings-auth for triage ⏲️

leedongwei commented 3 months ago

Hello!

Is there a different format of x509 certificate? Or are you trying to insert an x509 certificate in the config during setup?

If you click IdP Data during setup, you can insert it manually.

[Image]

beninabox commented 3 months ago

Thanks for the quick response. This would be a different x509 certificate. The one that is in the screenshot would be the certificate of the identity provider, to my understanding.

The SAML response from the IdP would contain private data and is usually transmitted over SSL. SAML Assertion Encryption is designed to protect the privacy of the data after it arrives at the other end of the SSL pipe. Sentry is commonly hosted with a load balancer in front which does SSL termination, so sending that response unencrypted between the balancer and Sentry via a VPC is potentially seen as insecure - for instance my company is in the financial sector, where security is fairly tight.

The way it would be implemented, to my knowledge, is that a separate x509 certificate is generated and stored on the service provider (Sentry). The public key is stored on the IdP, and the SAML assertion is encrypted and returned to the service provider (Sentry). The load balancer would terminate SSL as usual and forward the encrypted assertion to Sentry, where it is decrypted.

This is my broad understanding as someone who hasn't worked with SAML much before; the details should be fairly accurate from my reading. I found it useful reading this SO article and also GitLab's documentation, where they have a similar setup.
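The flow described in the comment above (a separate SP encryption certificate, its public key given to the IdP, the assertion decryptable only by the SP behind the TLS-terminating load balancer) is the hybrid scheme XML Encryption uses: a random symmetric session key encrypts the assertion, and the SP's RSA public key wraps that session key. The following Go program is an added illustration of that mechanism and is not code from Sentry or from the commenter; it uses only the Go standard library and a simplified envelope struct rather than real `<EncryptedAssertion>` XML, and the certificate subject name and the sample assertion are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// EncryptedAssertion is a simplified stand-in for a SAML <EncryptedAssertion>:
// the session key wrapped with the SP certificate, plus the assertion body
// encrypted under that session key (AES-256-GCM here; XML-Enc commonly uses CBC or GCM).
type EncryptedAssertion struct {
	WrappedKey []byte // RSA-OAEP(session key) under the SP certificate's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(assertion XML)
}

// NewSPEncryptionKey generates the service provider's key pair and a self-signed
// x509 certificate. The private key stays on the SP; only the PEM certificate
// is handed to the IdP during setup. The CommonName is a hypothetical value.
func NewSPEncryptionKey() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sp-assertion-encryption"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// IdPEncryptAssertion is the identity provider's step: parse the SP certificate,
// encrypt the assertion under a fresh session key, and wrap that key with the
// certificate's RSA public key.
func IdPEncryptAssertion(spCertPEM []byte, assertionXML string) (*EncryptedAssertion, error) {
	block, _ := pem.Decode(spCertPEM)
	if block == nil {
		return nil, fmt.Errorf("SP certificate is not valid PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("SP certificate does not carry an RSA key")
	}
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, []byte(assertionXML), nil)}, nil
}

// SPDecryptAssertion is the service provider's step after the load balancer has
// terminated TLS: unwrap the session key with the SP private key, then decrypt.
// A wrong key or a tampered ciphertext fails here instead of yielding garbage.
func SPDecryptAssertion(spKey *rsa.PrivateKey, enc *EncryptedAssertion) (string, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, spKey, enc.WrappedKey, nil)
	if err != nil {
		return "", err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, enc.Nonce, enc.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// ExposesPlaintext reports whether an observer between the load balancer and the
// SP (who sees only the encrypted response) could read the given attribute value.
func ExposesPlaintext(enc *EncryptedAssertion, value string) bool {
	return strings.Contains(string(enc.Ciphertext), value)
}

func main() {
	spKey, spCert, _ := NewSPEncryptionKey()
	assertion := "<saml:Assertion><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Assertion>" // constructed
	enc, _ := IdPEncryptAssertion(spCert, assertion)
	fmt.Println("visible in transit after TLS termination:", ExposesPlaintext(enc, "alice@example.com"))
	pt, err := SPDecryptAssertion(spKey, enc)
	fmt.Println("SP recovered assertion:", err == nil && pt == assertion)
}
```

The point the commenter makes is visible in `ExposesPlaintext`: after the load balancer strips TLS, the hop to the SP carries only `WrappedKey`, `Nonce` and `Ciphertext`, so user attributes are unreadable to anything on that hop that does not hold the SP private key. A real SP would additionally verify the IdP's signature on the response and check the audience and validity window before trusting the decrypted assertion.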

leedongwei commented 3 months ago

Gotcha. We don't support your use-case right now.

I'm prepping for a review of our authentication services later this year, I'll add this to the list of product requirements.

beninabox commented 3 months ago

No worries. Thanks for the info and would love to see this in the future! Have a great day