SAML Certificate Rollover

Hi.
We’re experiencing an issue where we cannot log in to our self-hosted Sentry 20.7.2 using the SAML auth method, because the certificate on our ADFS server was updated recently.
The message we see is: Authentication error: SAML SSO failed, Signature validation failed. SAML Response rejected.
Is there a way to change the x509cert by editing the auth configuration via the shell in the web container without reconfiguring it from scratch?
And if there is no way to do it, what will happen to existing users if we delete the configuration using AuthProvider.objects.all().delete() and recreate it again? Will they have to link their accounts again?

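The failure described in this thread is a certificate mismatch: the IdP now signs responses with a key that no longer corresponds to the x509cert stored in the SAML configuration. The following is an added example, not code from Sentry or from anyone in this thread. It shows a defender-side check that compares the SHA-256 fingerprint of the configured certificate against the signing certificates published in the IdP's federation metadata, and a helper that replaces the certificate in a configuration dictionary. It assumes that the provider configuration holds the certificate at config["idp"]["x509cert"] (an assumption about Sentry's SAML2 provider layout, not confirmed by the thread); the metadata document and both certificate blobs are constructed sample data, not real DER certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"
MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def normalize_cert(cert: str) -> bytes:
    """Strip PEM armour and all whitespace, return the decoded (DER) bytes.

    Metadata carries the certificate as bare base64 inside <ds:X509Certificate>,
    while an admin may paste it with BEGIN/END lines; both must compare equal.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body)


def fingerprint(cert: str) -> str:
    """SHA-256 fingerprint of the certificate, as lowercase hex."""
    return hashlib.sha256(normalize_cert(cert)).hexdigest()


def signing_certs_from_metadata(xml_text: str) -> list:
    """Return every X509Certificate the IdP publishes for signing.

    KeyDescriptor elements without a 'use' attribute are valid for both
    signing and encryption, so they are included as well.
    """
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iter(MD_NS + "KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.iter(DS_NS + "X509Certificate"):
            certs.append(c.text.strip())
    return certs


def cert_matches_metadata(configured_cert: str, metadata_xml: str) -> bool:
    """True if the configured cert is one of the IdP's current signing certs."""
    want = fingerprint(configured_cert)
    return any(fingerprint(c) == want for c in signing_certs_from_metadata(metadata_xml))


def rotate_idp_cert(config: dict, new_cert: str) -> dict:
    """Return a copy of the provider config with idp.x509cert replaced.

    Assumption (hypothetical layout): the IdP settings live under config["idp"].
    The stored value is normalised to bare base64 so later comparisons are exact.
    """
    updated = {k: (dict(v) if isinstance(v, dict) else v) for k, v in config.items()}
    updated.setdefault("idp", {})["x509cert"] = base64.b64encode(
        normalize_cert(new_cert)
    ).decode("ascii")
    return updated


# Constructed sample data: these are not real certificates, only base64 blobs
# standing in for the DER bytes of an old and a newly rolled-over IdP cert.
OLD_CERT = base64.b64encode(b"constructed-old-idp-certificate").decode("ascii")
NEW_CERT = base64.b64encode(b"constructed-new-idp-certificate").decode("ascii")

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="http://adfs.example.invalid/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {NEW_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Hypothetical provider config as the thread's question imagines it.
SAMPLE_CONFIG = {"idp": {"entity_id": "http://adfs.example.invalid/adfs/services/trust",
                         "x509cert": OLD_CERT}}

if __name__ == "__main__":
    stale = cert_matches_metadata(SAMPLE_CONFIG["idp"]["x509cert"], SAMPLE_METADATA)
    print("configured cert still matches IdP metadata:", stale)
    fixed = rotate_idp_cert(SAMPLE_CONFIG, NEW_CERT)
    print("after rotation matches:", cert_matches_metadata(fixed["idp"]["x509cert"], SAMPLE_METADATA))
```

Running the check periodically against the IdP's live FederationMetadata.xml turns the "Signature validation failed" surprise into an alert raised before the old certificate stops being used; the rotation helper is the shape of the edit an admin would apply from a shell if the configuration key layout matches the assumption above.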

I’ve just run into the same problem! Could you share how you solved it?

Fortunately, we just found an authenticated user with an Owner role, and changed the SAML configuration with his account.

I’ve tried the same workaround: disabled and re-enabled the SAML integration, but all I get is the same Signature validation failed error message. Did you run AuthProvider.objects.all().delete() before changing the SAML configuration?

In the Sentry web container I found:
func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=370:obj=rsa-sha256:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature does not verify

I’m running 20.12.1 onpremise

No, we didn’t. We just replaced x509cert using UI.


It worked by using the IdP Data tab. When using the "provide raw XML Metadata" option I got the same error. Thanks