SAML logout does not work

Hello,

I configured SAML and keycloak login.

My Keycloak configuration looks like this:

{
    "clientId": "https://sentry.domain.com/saml/metadata/example/",
    "name": "sentry.domain.com",
    "rootUrl": "https://sentry.domain.com",
    "adminUrl": "",
    "baseUrl": "/",
    "surrogateAuthRequired": false,
    "enabled": true,
    "alwaysDisplayInConsole": false,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
        "*"
    ],
    "webOrigins": [],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": false,
    "serviceAccountsEnabled": false,
    "publicClient": false,
    "frontchannelLogout": false,
    "protocol": "saml",
    "attributes": {
        "saml.force.post.binding": "false",
        "saml.multivalued.roles": "false",
        "oauth2.device.authorization.grant.enabled": "false",
        "backchannel.logout.revoke.offline.tokens": "false",
        "saml.server.signature.keyinfo.ext": "false",
        "use.refresh.tokens": "true",
        "saml.signing.certificate": "--- Cert ---",
        "oidc.ciba.grant.enabled": "false",
        "backchannel.logout.session.required": "false",
        "client_credentials.use_refresh_token": "false",
        "saml.signature.algorithm": "RSA_SHA256",
        "require.pushed.authorization.requests": "false",
        "saml.client.signature": "false",
        "saml.signing.private.key": "--- Cert ---",
        "id.token.as.detached.signature": "false",
        "saml.assertion.signature": "false",
        "saml.encrypt": "false",
        "saml_assertion_consumer_url_post": "https://sentry.domain.com/saml/acs/example/",
        "saml.server.signature": "true",
        "saml_idp_initiated_sso_url_name": "sentry.domain.com",
        "exclude.session.state.from.auth.response": "false",
        "saml.artifact.binding.identifier": "ffdgfggdsfhdfgh",
        "saml.artifact.binding": "false",
        "saml_single_logout_service_url_redirect": "https://sentry.domain.com/saml/sls/example/",
        "saml_force_name_id_format": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.authnstatement": "true",
        "display.on.consent.screen": "false",
        "saml_name_id_format": "email",
        "saml.onetimeuse.condition": "false",
        "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#"
    },
    "authenticationFlowBindingOverrides": {},
    "fullScopeAllowed": true,
    "nodeReRegistrationTimeout": -1,
    "protocolMappers": [
        {
            "name": "email",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": false,
            "config": {
                "attribute.nameformat": "Basic",
                "user.attribute": "email",
                "friendly.name": "Email",
                "attribute.name": "email"
            }
        },
        {
            "name": "last_name",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": false,
            "config": {
                "attribute.nameformat": "Basic",
                "user.attribute": "lastName",
                "friendly.name": "Last Name",
                "attribute.name": "last_name"
            }
        },
        {
            "name": "first_name",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": false,
            "config": {
                "attribute.nameformat": "Basic",
                "user.attribute": "firstName",
                "friendly.name": "First Name",
                "attribute.name": "first_name"
            }
        },
        {
            "name": "username",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": false,
            "config": {
                "attribute.nameformat": "Basic",
                "user.attribute": "username",
                "friendly.name": "Username",
                "attribute.name": "username"
            }
        }
    ],
    "defaultClientScopes": [],
    "optionalClientScopes": [],
    "access": {
        "view": true,
        "configure": true,
        "manage": true
    }
}

I set up the Sentry configuration according to these instructions: How to Setup SAML2 Authentication on Sentry with Keycloak - yyhh.org

Everything works except logging out.
If I log out of Sentry, I remain logged in at the SAML provider.
If I log out of the SAML provider, I remain logged in to Sentry.
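The export above contains enough to check the logout and signature settings mechanically. What follows is an added example, not Keycloak, Sentry or the poster's code: a small Python lint over a trimmed copy of that export (certificates dropped, values taken from the post). The attribute names (saml.client.signature, saml_single_logout_service_url_redirect, frontchannelLogout, redirectUris) are the ones in the posted JSON; the severity labels are the example's own choice.

```python
"""Lint a Keycloak SAML client export for the settings that matter to logout.

Added example, not code from Keycloak, Sentry or the thread. It reads a client
export like the one posted above and reports which settings govern single
logout and which parts of the SAML exchange are signed or validated.
"""
import json

# Constructed, trimmed copy of the posted client export (certificates removed).
CLIENT_JSON = """
{
  "clientId": "https://sentry.domain.com/saml/metadata/example/",
  "protocol": "saml",
  "redirectUris": ["*"],
  "frontchannelLogout": false,
  "attributes": {
    "saml.server.signature": "true",
    "saml.assertion.signature": "false",
    "saml.client.signature": "false",
    "saml.encrypt": "false",
    "saml_assertion_consumer_url_post": "https://sentry.domain.com/saml/acs/example/",
    "saml_single_logout_service_url_redirect": "https://sentry.domain.com/saml/sls/example/"
  }
}
"""


def _flag(attrs, key):
    """Keycloak stores boolean client attributes as the strings "true"/"false"."""
    return str(attrs.get(key, "false")).lower() == "true"


def lint_saml_client(client):
    """Return a list of (severity, message) findings for one exported client."""
    if client.get("protocol") != "saml":
        return [("error", "not a SAML client")]
    attrs = client.get("attributes", {})
    findings = []

    # Logout plumbing: without an SLO URL the IdP has nowhere to send a LogoutRequest.
    slo_urls = {k: v for k, v in attrs.items()
                if k.startswith("saml_single_logout_service_url") and v}
    if not slo_urls:
        findings.append(("warn", "no single-logout service URL configured"))
    if not client.get("frontchannelLogout", False):
        findings.append(("info", "frontchannelLogout is off: logout requests to the "
                                 "SP go over the back channel, not via the browser"))

    # Signatures: what the SP can verify, and what the IdP verifies from the SP.
    if not _flag(attrs, "saml.server.signature"):
        findings.append(("error", "IdP does not sign SAML response documents"))
    if not _flag(attrs, "saml.assertion.signature"):
        findings.append(("warn", "assertions are not individually signed"))
    if not _flag(attrs, "saml.client.signature"):
        findings.append(("warn", "SP requests (AuthnRequest/LogoutRequest) are "
                                 "accepted unsigned"))
    if not _flag(attrs, "saml.encrypt"):
        findings.append(("info", "assertions are not encrypted (TLS is the only protection)"))

    # Redirect targets: '*' lets a request name any AssertionConsumerServiceURL.
    if "*" in client.get("redirectUris", []):
        findings.append(("error", "redirectUris contains '*': any ACS URL is accepted"))
    for key in ("saml_assertion_consumer_url_post", *slo_urls):
        url = attrs.get(key, "")
        if url and not url.startswith("https://"):
            findings.append(("error", f"{key} is not https: {url}"))
    return findings


def lint_json(text):
    """Parse a client export and lint it."""
    return lint_saml_client(json.loads(text))


if __name__ == "__main__":
    for severity, message in lint_json(CLIENT_JSON):
        print(f"[{severity}] {message}")
```

Run against the posted export it flags the wildcard redirect URI as an error and the unsigned assertions and unsigned SP requests as warnings; the SLO URL check passes because saml_single_logout_service_url_redirect is set. Point lint_json at a full `kcadm.sh get clients/<id>` export to run it on a live realm.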

Which version of Sentry are you using?

Sentry 21.8.0

Okay, I’ll ping our enterprise team as I don’t know how SAML works. Stay tight


Hello @barneby

Thanks for reaching out!

Sentry does not support SP-initiated logout (i.e. if you log out of Sentry, we will not bubble that up to your identity provider).

Keycloak does not support IdP-initiated logout for SAML clients (see doc here).

Unfortunately, this seems to be one of those SNAFU cases that’s usual for SAML.

I don’t think it’s ideal to have a dangling Sentry session when an IdP session has expired. We have a ticket on backlog where Sentry will accept a “session timeout” value during login. We’ll look into prioritizing that.

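For readers who want to see what the SP-initiated logout described in the reply above would look like on the wire, here is an added example (not Sentry or Keycloak code, and not something the thread says either product does): both ends of a SAML 2.0 LogoutRequest/LogoutResponse exchange over the HTTP-Redirect binding, using only Python's standard library. The SP entity ID and SLO URL are the ones in the posted client; the IdP entity ID and endpoint under keycloak.example.test are assumed. Signing of the redirect query string (SigAlg/Signature) is left out, which matches the posted client's saml.client.signature=false.

```python
"""SP-initiated SAML single logout over the HTTP-Redirect binding, both sides.

Added example, not Sentry or Keycloak code. The SP builds a LogoutRequest and
deflate+base64-encodes it into a redirect to the IdP; the IdP validates it, ends
its session and answers with a LogoutResponse bound to the request ID, which the
SP checks before dropping its own session. Redirect-binding signatures omitted.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("samlp", NS["samlp"]); ET.register_namespace("saml", NS["saml"])

SP_ENTITY = "https://sentry.domain.com/saml/metadata/example/"  # clientId from the thread
SP_SLO = "https://sentry.domain.com/saml/sls/example/"          # SLO URL from the thread
IDP_ENTITY = "https://keycloak.example.test/realms/example"     # assumed IdP entity ID
IDP_SLO = IDP_ENTITY + "/protocol/saml"                         # assumed IdP SLO endpoint
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _encode(element):
    """Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    xml_bytes = ET.tostring(element, encoding="utf-8")
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()


def _decode(url, param):
    """Pull one SAML message out of a redirect URL. ET.fromstring is fine for
    this demo; production code should parse untrusted XML with defusedxml."""
    qs = parse_qs(urlparse(url).query)
    return ET.fromstring(zlib.decompress(base64.b64decode(qs[param][0]), -15)), qs


def build_logout_request(name_id, session_index):
    """SP side: LogoutRequest for one user session. ET escapes the NameID text."""
    req_id = "_" + uuid.uuid4().hex
    req = ET.Element(_q("samlp", "LogoutRequest"), {"ID": req_id, "Version": "2.0",
                     "IssueInstant": _now(), "Destination": IDP_SLO})
    ET.SubElement(req, _q("saml", "Issuer")).text = SP_ENTITY
    ET.SubElement(req, _q("saml", "NameID"),
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = name_id
    ET.SubElement(req, _q("samlp", "SessionIndex")).text = session_index
    return req_id, IDP_SLO + "?" + urlencode({"SAMLRequest": _encode(req), "RelayState": "logout"})


def idp_handle_logout(url, known_sps=(SP_ENTITY,)):
    """IdP side: validate the request, end the session, answer the SP."""
    req, qs = _decode(url, "SAMLRequest")
    if req.tag != _q("samlp", "LogoutRequest"):
        raise ValueError("not a LogoutRequest")
    if req.get("Destination") != IDP_SLO:
        raise ValueError("Destination does not match this endpoint")
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer not in known_sps:
        raise ValueError("unknown issuer %r" % issuer)
    name_id = req.findtext("saml:NameID", namespaces=NS)
    session_index = req.findtext("samlp:SessionIndex", namespaces=NS)
    # A real IdP terminates the session keyed by (name_id, session_index) here.
    resp = ET.Element(_q("samlp", "LogoutResponse"), {"ID": "_" + uuid.uuid4().hex,
                      "Version": "2.0", "IssueInstant": _now(),
                      "InResponseTo": req.get("ID"), "Destination": SP_SLO})
    ET.SubElement(resp, _q("saml", "Issuer")).text = IDP_ENTITY
    status = ET.SubElement(resp, _q("samlp", "Status"))
    ET.SubElement(status, _q("samlp", "StatusCode"), {"Value": SUCCESS})
    relay = qs.get("RelayState", [""])[0]
    return name_id, session_index, SP_SLO + "?" + urlencode(
        {"SAMLResponse": _encode(resp), "RelayState": relay})


def sp_handle_logout_response(url, outstanding_request_id):
    """SP side: only a response to a request we actually sent may end the session."""
    resp, _ = _decode(url, "SAMLResponse")
    if resp.tag != _q("samlp", "LogoutResponse"):
        raise ValueError("not a LogoutResponse")
    if resp.get("Destination") != SP_SLO:
        raise ValueError("Destination does not match this endpoint")
    if resp.get("InResponseTo") != outstanding_request_id:
        raise ValueError("LogoutResponse does not match an outstanding LogoutRequest")
    code = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    return code.rsplit(":", 1)[1]


def demo():
    """Full round trip for one constructed session."""
    req_id, to_idp = build_logout_request("alice@domain.com", "sess-123")
    name_id, session_index, to_sp = idp_handle_logout(to_idp)
    return name_id, session_index, sp_handle_logout_response(to_sp, req_id)


if __name__ == "__main__":
    print(demo())
```

Running the file prints ('alice@domain.com', 'sess-123', 'Success'). The InResponseTo check on the SP side is the part that matters for security: without it, anyone who can drive a browser to the SLS endpoint with a forged Success response can log a user out, and with a forged failure can leave them logged in, which is exactly the dangling-session state the thread is about.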
