I’ve set up Sentry on-prem on a VM using the standard install.sh script. My main goal at the moment is to use our internal Microsoft ADFS to authenticate users.
The first issue was that I had to set “SENTRY_SINGLE_ORGANIZATION = False” in sentry.conf.py in order to have the SSO pane show up on the UI. NBD, easy change.
The second issue I ran into was that Microsoft AD requires the metadata endpoint to be a secure endpoint before it will successfully register a new organization. I struggled to get Sentry’s Nginx configured to do this and upon further research read that Sentry recommends that we set up another Nginx in front of Sentry’s to perform TLS termination/proxying. Did that, but then the SAML metadata for my organization located at https://my-sentry.domain/saml/metadata/my-org/ had a whole bunch of insecure references to localhost (i.e. http://localhost:9000/saml/sls/my-org/ ) vs secure references with my domain name (i.e. https://my-sentry.domain/saml/sls/my-org/).
I “fixed” that by using the Nginx substitution module on the Nginx I set up in front of Sentry’s Nginx, to replace the http://localhost:9000/saml entries in the XML being returned to ADFS with https://my-sentry.domain/saml.
This made AD happy, but now when I try to Configure Active Directory from the UI for my-org it spits out an error showing the insecure http://localhost:9000/saml address:
Error details: MSIS7007: The requested relying party trust 'http://localhost:9000/saml/metadata/my-org/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
How do I configure things to where the request above to my ADFS doesn’t include http://localhost:9000?
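For reference, here is what the setup described in the post looks like as a front-end Nginx config: TLS termination, a reverse proxy to the stock Sentry Nginx on port 9000, and the `sub_filter` rewrite of the metadata body. This is an added example, not configuration from the original post or from the Sentry project; the hostname `my-sentry.domain`, the certificate paths and the `my-org` slug are placeholders. The comments mark why the rewrite cannot fix the MSIS7007 error on its own.

```nginx
# Added example (not from the original post or the Sentry project).
# Front-end Nginx: terminates TLS for my-sentry.domain and proxies to the
# Sentry-provided Nginx listening on localhost:9000.
server {
    listen 443 ssl;
    server_name my-sentry.domain;

    ssl_certificate     /etc/nginx/certs/my-sentry.domain.crt;  # assumed path
    ssl_certificate_key /etc/nginx/certs/my-sentry.domain.key;  # assumed path

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tell Sentry the client connection was HTTPS, not plain HTTP.
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # The workaround from the post: rewrite the SP URLs in the metadata XML.
    location /saml/ {
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # sub_filter cannot edit compressed bodies, so ask upstream for plain text.
        proxy_set_header Accept-Encoding   "";
        sub_filter_types *;            # metadata is served as XML, not text/html
        sub_filter_once  off;          # replace every occurrence, not just the first
        sub_filter 'http://localhost:9000/saml' 'https://my-sentry.domain/saml';
    }
}
```

The caveat is built into the example: `sub_filter` only changes the response body that ADFS downloads. Sentry still generates its SP entity ID and the AuthnRequest it sends to ADFS from its own configured base URL, which is why the post's "Configure Active Directory" step shows `http://localhost:9000/saml/metadata/my-org/` even after the metadata looks clean. The base URL comes from the `system.url-prefix` setting in the self-hosted Sentry `config.yml`; setting it to `https://my-sentry.domain` (and restarting) makes Sentry emit the public URLs directly, at which point the `/saml/` rewrite block becomes unnecessary. A quick check after the change is to fetch the metadata with `curl -s https://my-sentry.domain/saml/metadata/my-org/ | grep -c localhost`, which should report 0.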