getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

SSO Bypass #80548

Open darkfortressAU opened 2 months ago

darkfortressAU commented 2 months ago

Problem Statement

In other products you can bypass SSO if you make a mistake or something changes in the infrastructure. However, in Sentry there appears to be no documented way to bypass this.

User story:

1. Developers schedule a change on the ADFS cert for public key roll over.
2. Sentry admin updates production but forgets to update the test system.
3. Developers roll over the certificate on the ADFS system.
4. Sentry test user is unable to log in and correct the issue after the session has expired.

Solution Brainstorm

- An API to hit with a top-level administrator's details that can disable the SSO check and use the password.
- A value that can be placed in the sentry.conf file and a new install run to delete/disable the SSO component.

Yes, this does present a slight security issue; however, a user would require a top-level account or access to the server.

bc-sentry commented 2 weeks ago

Assigning to getsentry/sentry for product area triage.

getsantry[bot] commented 2 weeks ago

Routing to @getsentry/product-owners-settings-auth for triage ⏲️

getsantry[bot] commented 2 weeks ago

Assigning to @getsentry/support for routing ⏲️

leedongwei commented 2 weeks ago

@darkfortressAU Thanks for the report! We are aware of this limitation and it is a key user story for us to address in our authentication rework. We are in the middle of planning it now but cannot promise timelines on delivery yet.

leedongwei commented 2 weeks ago

In the meantime, if anyone finds themselves locked out of Sentry, please reach out to support@sentry.io and I can help you update the config/certs.

darkfortressAU commented 2 weeks ago

That doesn’t work for on-prem.

On 14 Nov 2024, at 05:11, Danny Lee wrote: In the meantime, if anyone finds themselves locked out of Sentry, please reach out to support@sentry.io and I can help you update the config/certs.


leedongwei commented 1 week ago

If you're using self-hosted, you can delete the rows in the sentry_authprovider table. If you have more than one organization on the instance, you'll need to include organization_id in the SQL statement.
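The break-glass step described in the comment above, written out as an added example (this is not code from the Sentry project or from anyone in this thread). It assumes a self-hosted instance backed by PostgreSQL, that sentry_authprovider carries the organization_id column named in the thread plus id and provider columns (assumed from Sentry's data model), and that the organization id 1 is a constructed placeholder to be replaced with your own.

```sql
-- Added example, not Sentry project code: remove the SSO provider row for one
-- organization on a self-hosted Sentry instance so password login works again.
-- Assumptions: PostgreSQL; sentry_authprovider has id, organization_id and
-- provider columns; organization_id = 1 is a constructed placeholder.

BEGIN;

-- 1. Inspect first: confirm exactly which row(s) the filter matches.
SELECT id, organization_id, provider
FROM sentry_authprovider
WHERE organization_id = 1;

-- 2. Delete only that organization's provider. The WHERE clause on
--    organization_id is what keeps the other organizations' SSO
--    configurations intact on a multi-organization instance.
DELETE FROM sentry_authprovider
WHERE organization_id = 1;

-- 3. Verify: the remaining count for this organization should be 0.
SELECT COUNT(*) AS remaining
FROM sentry_authprovider
WHERE organization_id = 1;

-- Commit only if the inspected rows and the remaining count were what you
-- expected; otherwise issue ROLLBACK instead.
COMMIT;
```

Run it inside a transaction as shown so a mis-scoped DELETE can be rolled back, take a database backup beforehand, and treat the change as an audited event: once the row is gone, that organization no longer enforces SSO, so the provider should be reconfigured through Sentry's auth settings as soon as the certificate problem is fixed.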