Multiple SSO based login


#1

Does Sentry 9.0 support multiple SSO-based logins enabled at the same time (Google OAuth2 + SAML2)? I am unable to view SAML2 auth settings for Rippling with Google SSO enabled.


#2

It does not - SSO is assumed to be a singular identity system, and we don’t support (or have plans to support) enabling multiple providers.


#3

Hey zeeg, thanks for the quick reply.

How would I go about switching SSO provider when SSO is enforced? Since I cannot set up Rippling without removing Google auth, and disabling Google auth would lock me out?


#4

Are you on Sentry.io or self-hosted? There’s a process in the current version of Sentry that supports disconnect.


#5

I am using on-premise Sentry. Could you direct me to where the disconnect option is provided?


#6

It might not be as smooth in the version you’re running, but you can just disable SSO and enable the new one. We should generally handle transition of accounts as long as they’re the same email address.


#7

Okay, I will try that. But SAML2-based SSO like Rippling needs to be configured from within Sentry. However, configuring it requires me to log in, which will not be possible when Google SSO is disabled? And I cannot configure Rippling until I disable Google SSO, since the configuration settings will not show up in Auth settings?

Little hesitant to try since I might lock everyone out :stuck_out_tongue:


#8

Technically, a chain-of-responsibility auth plugin should be possible: try several auth sources one by one in a given order (priority). Needs some effort invested though.

Another thing would be to still allow and check local accounts when SSO is active. Both GitLab and Artifactory work that way.


#9

We do allow local accounts already. I don’t recall how 9.0 works, but there are two things:

  1. if your account is fully managed, and that version doesn’t allow it to be automatically unmanaged, you can update the database row to change managed to FALSE

  2. Again, depending on what 9.0 does, you may already have a password on your account, or you can always set/reset the password upon SSO change. We also don’t force log you out when you disable SSO.

I’d recommend checking #2 first, and possibly even doing #1 before you disable it. From there you can set up the new auth, and worst case you can simply re-enable the old auth. The intention within Sentry is that we automatically merge identities with the same email address given validity behind them, so things are generally seamless. Again, the caveat being I don’t recall what your exact version does :slight_smile:
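
The following is an added example, not part of the thread and not Sentry code: a sketch of the chain-of-responsibility idea from post #8 combined with the managed/local-account distinction from post #9. All names (`Verdict`, `Account`, `sso_source`, `local_source`, `authenticate`) and the exact meaning given to `managed` are assumptions; the point it shows is that a managed account must stop the chain rather than fall through to a password check.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Verdict(Enum):
    ACCEPT = 1  # this source verified the login
    REJECT = 2  # this source owns the account and refuses: stop the chain
    SKIP = 3    # this source has no opinion: try the next one

def hash_pw(password: str) -> bytes:
    # Fixed salt only because this is a constructed demo; use a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

@dataclass
class Account:
    email: str
    managed: bool                     # assumed meaning: identity owned by the SSO provider
    pw_hash: Optional[bytes] = None

def sso_source(acct: Account, cred: dict) -> Verdict:
    # Assumption: cred["idp_email"] is present only after the IdP response was validated.
    idp_email = cred.get("idp_email")
    if idp_email is None:
        # A managed account must never fall through to the password source.
        return Verdict.REJECT if acct.managed else Verdict.SKIP
    return Verdict.ACCEPT if idp_email.lower() == acct.email.lower() else Verdict.REJECT

def local_source(acct: Account, cred: dict) -> Verdict:
    if acct.pw_hash is None or cred.get("password") is None:
        return Verdict.SKIP
    ok = hmac.compare_digest(hash_pw(cred["password"]), acct.pw_hash)
    return Verdict.ACCEPT if ok else Verdict.REJECT

CHAIN = [("sso", sso_source), ("local", local_source)]  # priority order

def authenticate(acct: Account, cred: dict, chain=CHAIN) -> Optional[str]:
    for name, source in chain:
        verdict = source(acct, cred)
        if verdict is Verdict.ACCEPT:
            return name               # name of the source that accepted
        if verdict is Verdict.REJECT:
            return None
    return None  # nobody accepted: fail closed

# Constructed sample accounts.
ADMIN = Account("admin@example.com", managed=False, pw_hash=hash_pw("break-glass"))
DEV = Account("dev@example.com", managed=True, pw_hash=hash_pw("old-password"))
```

With this ordering, an unmanaged admin account keeps a working password login while the SSO provider is being swapped, and a leftover password on a managed account cannot be used to bypass SSO.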