Multiple SSO based login

mayukuse24 · December 14, 2018, 11:12am

Does Sentry 9.0 support multiple SSO based login enabled at the same time (google Oauth2 + SAML2) ? I am unable to view SAML2 auth settings for Rippling with google SSO enabled.

zeeg · December 14, 2018, 8:13pm

It does not - SSO is assumed to be a singular identity system, and we don’t support (or have plans to support) enabling multiple providers.

mayukuse24 · December 15, 2018, 6:57am

Hey zeeg thanks for the quick reply.

How would I go about switching SSO provider when SSO is enforced? Since I cannot setup Rippling without removing google auth, and disabling google auth would lock me out?

zeeg · December 17, 2018, 5:38pm

Are you on Sentry.io or self hosted? There’s a process in current version of Sentry that supports disconnect.

mayukuse24 · December 17, 2018, 6:04pm

I am using on-premise sentry. Could you direct me to where the disconnect option is provided?

zeeg · December 17, 2018, 7:11pm

It might not be as smooth in the version you’re running, but you can just disable SSO and enable the new one. We should generally handle transition of accounts as long as they’re the same email address.

mayukuse24 · December 18, 2018, 6:08am

Okay I will try that. But SAML2 based SSO like rippling needs to be configured from within Sentry. However configuring it requires me to login, which will not be possible when Google SSO is disabled? And I cannot configure Rippling until I disable Google SSO since the configuration settings will not show up in Auth settings?

Little hesistant to try since I might lock everyone out

jhermann · December 18, 2018, 12:33pm

Technically, a Chain-of-responsibility auth plugin should be possible, try several auth sources one by one in a given order (priority). Needs some effort invested though.

Another thing would be to still allow and check local accounts when SSO is active. Both GitLab and Artifactory work that way.

zeeg · December 18, 2018, 6:02pm

We do allow local accounts already. I dont recall what 9.0 works but there’s two things:

if your account is fully managed, and that version doesn’t allow it to be automatically unmanaged, you can update the database row to change managed to FALSE
Again, depending on what 9.0 does, you may already have a password on your account, or you can always set/reset the password upon SSO change. We also dont force log you out when you disable SSO.

I’d recommend checking #2 first, and possibly even doing #1 before you disable it. From there you can setup the new Auth, and worst case you can simply re-enable the old auth. The intention within Sentry is that we automatically merge identities with the same email address given validity behind them, so things are generally seamless. Again, the caveat behind I don’t recall what your exact version does

Topic		Replies	Views
Google and Password login On-Premise	0	1416	May 9, 2019
SSO multiple domains (via gitlab authentification) Integrations	0	715	November 24, 2021
On-Prem 9.1.1, no way to get SSO (SAML2) working On-Premise	2	2108	April 6, 2020
Disabled Google SSO Integrations	1	806	January 26, 2022
[on-prem] remove SSO without web ui	0	658	December 6, 2021

Multiple SSO based login

Related Topics