Hello,
I configured SAML login with Keycloak as the IdP and Sentry as the SP.
My Keycloak client configuration (exported, with the key and certificate redacted) looks like this. Note that `redirectUris` is the wildcard `*` and `saml.client.signature` is `false`, so Keycloak will accept unsigned AuthnRequests/LogoutRequests and will not restrict the ACS or logout destination to the Sentry URLs — that should be tightened to the exact `/saml/acs/` and `/saml/sls/` URLs once the flow works, although it is probably not the cause of the logout problem below:
{
"clientId": "https://sentry.domain.com/saml/metadata/example/",
"name": "sentry.domain.com",
"rootUrl": "https://sentry.domain.com",
"adminUrl": "",
"baseUrl": "/",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"*"
],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "saml",
"attributes": {
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature.keyinfo.ext": "false",
"use.refresh.tokens": "true",
"saml.signing.certificate": "--- Cert ---",
"oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "false",
"client_credentials.use_refresh_token": "false",
"saml.signature.algorithm": "RSA_SHA256",
"require.pushed.authorization.requests": "false",
"saml.client.signature": "false",
"saml.signing.private.key": "--- Cert ---",
"id.token.as.detached.signature": "false",
"saml.assertion.signature": "false",
"saml.encrypt": "false",
"saml_assertion_consumer_url_post": "https://sentry.domain.com/saml/acs/example/",
"saml.server.signature": "true",
"saml_idp_initiated_sso_url_name": "sentry.domain.com",
"exclude.session.state.from.auth.response": "false",
"saml.artifact.binding.identifier": "ffdgfggdsfhdfgh",
"saml.artifact.binding": "false",
"saml_single_logout_service_url_redirect": "https://sentry.domain.com/saml/sls/example/",
"saml_force_name_id_format": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "true",
"display.on.consent.screen": "false",
"saml_name_id_format": "email",
"saml.onetimeuse.condition": "false",
"saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"name": "email",
"protocol": "saml",
"protocolMapper": "saml-user-property-mapper",
"consentRequired": false,
"config": {
"attribute.nameformat": "Basic",
"user.attribute": "email",
"friendly.name": "Email",
"attribute.name": "email"
}
},
{
"name": "last_name",
"protocol": "saml",
"protocolMapper": "saml-user-property-mapper",
"consentRequired": false,
"config": {
"attribute.nameformat": "Basic",
"user.attribute": "lastName",
"friendly.name": "Last Name",
"attribute.name": "last_name"
}
},
{
"name": "first_name",
"protocol": "saml",
"protocolMapper": "saml-user-property-mapper",
"consentRequired": false,
"config": {
"attribute.nameformat": "Basic",
"user.attribute": "firstName",
"friendly.name": "First Name",
"attribute.name": "first_name"
}
},
{
"name": "username",
"protocol": "saml",
"protocolMapper": "saml-user-property-mapper",
"consentRequired": false,
"config": {
"attribute.nameformat": "Basic",
"user.attribute": "username",
"friendly.name": "Username",
"attribute.name": "username"
}
}
],
"defaultClientScopes": [],
"optionalClientScopes": [],
"access": {
"view": true,
"configure": true,
"manage": true
}
}
I configured Sentry following these instructions: How to Setup SAML2 Authentication on Sentry with Keycloak - yyhh.org
Everything works except single logout (SLO).
If I log out of Sentry, the Keycloak (SAML IdP) session remains active, so the next login to Sentry goes through without re-authentication.
If I log out of Keycloak, my Sentry session stays active. In other words, neither side propagates the logout to the other, even though the client has `saml_single_logout_service_url_redirect` pointing at Sentry's `/saml/sls/example/` endpoint.