SAML2 authentication - Just in Time Provisioning not working

grahamb · June 2, 2020, 9:18pm

I have set up a new Sentry 10 server using the getsentry/onpremise Docker setup (using an external, non-dockerized Postgres server). There is currently one account, the super-user account that was configured by the installation script (sentry@sfu.ca).

I was able to configure SAML2 authentication against our Shibboleth identity provider. When I log in through my IdP, an account is not provisioned for me; instead, I am logged in as the sentry@sfu.ca admin user. There is only one user in the auth_user table in the database, the super-user.

This gist contains the log from the web container during the login attempt (showing that it logged me in as the super-user), and the SAML response returned by my IdP to Sentry.

gist.github.com

https://gist.github.com/grahamb/4ae42200d99a8a2b9371b8f94c90dd58

saml_response.xml

<saml2p:Response Destination="https://sentry.its.sfu.ca/saml/acs/it-services/"
                 ID="_5db172e158dfd2ca31d42cbbe62b019b"
                 InResponseTo="ONELOGIN_bcef36bb7e0e85f4d4ee815bd9820d37247846b3"
                 IssueInstant="2020-06-02T21:10:01.396Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp-stage.its.sfu.ca/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

This file has been truncated. show original

web.log

web_1                      | 2020-06-02T21:07:47.588975370Z 21:07:47 [INFO] sentry.superuser: superuser.logged-in (user_id=1 ip_address=u'142.58.229.253')
web_1                      | 2020-06-02T21:07:47.589373072Z 21:07:47 [INFO] sentry.auth: user.auth.success (username=u'sentry@sfu.ca' organization_id=2L ip_address=u'142.58.229.253')
web_1                      | 2020-06-02T21:07:47.590870634Z /usr/local/lib/python2.7/site-packages/sentry/utils/auth.py:142: RemovedInDjango21Warning: The host argument is deprecated, use allowed_hosts instead.
web_1                      | 2020-06-02T21:07:47.590885286Z   return is_safe_url(url, host=host)
web_1                      | 2020-06-02T21:07:47.648116315Z 21:07:47 [INFO] sentry.superuser: superuser.request (user_id=1 url=u'http://sentry.its.sfu.ca/' method=u'GET' ip_address=u'142.58.229.253')
web_1                      | 2020-06-02T21:07:47.771016526Z 21:07:47 [INFO] sentry.superuser: superuser.request (user_id=1 url=u'http://sentry.its.sfu.ca/organizations/it-services/issues/' method=u'GET' ip_address=u'142.58.229.253')
web_1                      | 2020-06-02T21:07:48.338323032Z 21:07:48 [INFO] sentry.superuser: superuser.request (user_id=1 url=u'http://sentry.its.sfu.ca/api/0/organizations/it-services/?detailed=0' method=u'GET' ip_address=u'142.58.229.253')
web_1                      | 2020-06-02T21:07:48.395589363Z 21:07:48 [INFO] sentry.superuser: superuser.request (user_id=1 url=u'http://sentry.its.sfu.ca/api/0/organizations/?member=1' method=u'GET' ip_address=u'142.58.229.253')
web_1                      | 2020-06-02T21:07:48.401914369Z 21:07:48 [INFO] sentry.superuser: superuser.request (user_id=1 url=u'http://sentry.its.sfu.ca/api/0/internal/health/' method=u'GET' ip_address=u'142.58.229.253')
web_1                      | 2020-06-02T21:07:48.409020211Z 21:07:48 [INFO] sentry.superuser: superuser.request (user_id=1 url=u'http://sentry.its.sfu.ca/api/0/assistant/?v2' method=u'GET' ip_address=u'142.58.229.253')

This file has been truncated. show original

The Attribute Mappings configure in Sentry match those in the SAML response:
IdP User ID -> urn:oid:0.9.2342.19200300.100.1.1 (FriendlyName=uid)
User Email -> urn:oid:0.9.2342.19200300.100.1.3 (FriendlyName=mail)
First Name -> urn:oid:2.5.4.42 (FriendlyName=givenName)
Last Name -> urn:oid:2.5.4.4 (FriendlyName=sn)

Require SSO is checked, and Default Role is set to Member.

Any advice or pointers is appreciated.

grahamb · June 3, 2020, 5:25pm

I tried blowing away everything and re-creating the containers; the issue still persists.

I’ve also tried inviting myself using my email address. I receive the email; clicking the link takes me to a page telling me that I “may create an account by authenticating with the organizations [sic] SSO provider”. Clicking the Join with SAML2 button takes my to our IdP login; after logging in, I’m logged into Sentry as the super-user.

grahamb · June 3, 2020, 6:29pm

I’ve also tried wiping out the v10 containers and installing 9.1.2 with the “git+https://github.com/getsentry/sentry-auth-saml2.git@master#egg=sentry-auth-saml2” in requirements.txt. It throws an error when trying to save the SAML2 config:

web_1        | 2020-06-03T18:28:22.373078807Z Traceback (most recent call last):
web_1        | 2020-06-03T18:28:22.373109624Z   File "/usr/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 112, in get_response
web_1        | 2020-06-03T18:28:22.373113325Z     response = wrapped_callback(request, *callback_args, **callback_kwargs)
web_1        | 2020-06-03T18:28:22.373115900Z   File "/usr/local/lib/python2.7/site-packages/django/views/generic/base.py", line 69, in view
web_1        | 2020-06-03T18:28:22.373118279Z     return self.dispatch(request, *args, **kwargs)
web_1        | 2020-06-03T18:28:22.373120630Z   File "/usr/local/lib/python2.7/site-packages/django/views/decorators/csrf.py", line 57, in wrapped_view
web_1        | 2020-06-03T18:28:22.373123051Z     return view_func(*args, **kwargs)
web_1        | 2020-06-03T18:28:22.373125171Z   File "/usr/local/lib/python2.7/site-packages/sentry/web/frontend/base.py", line 225, in dispatch
web_1        | 2020-06-03T18:28:22.373127322Z     return self.handle(request, *args, **kwargs)
web_1        | 2020-06-03T18:28:22.373129322Z   File "/usr/local/lib/python2.7/site-packages/django/db/transaction.py", line 371, in inner
web_1        | 2020-06-03T18:28:22.373131473Z     return func(*args, **kwargs)
web_1        | 2020-06-03T18:28:22.373133526Z   File "/usr/local/lib/python2.7/site-packages/sentry/web/frontend/organization_auth_settings.py", line 212, in handle
web_1        | 2020-06-03T18:28:22.373135749Z     return helper.current_step()
web_1        | 2020-06-03T18:28:22.373137684Z   File "/usr/local/lib/python2.7/site-packages/sentry/auth/helper.py", line 630, in current_step
web_1        | 2020-06-03T18:28:22.373139808Z     helper=self,
web_1        | 2020-06-03T18:28:22.373141819Z   File "/usr/local/lib/python2.7/site-packages/django/views/decorators/csrf.py", line 57, in wrapped_view
web_1        | 2020-06-03T18:28:22.373143978Z     return view_func(*args, **kwargs)
web_1        | 2020-06-03T18:28:22.373145941Z   File "/usr/local/lib/python2.7/site-packages/sentry/web/frontend/base.py", line 225, in dispatch
web_1        | 2020-06-03T18:28:22.373148048Z     return self.handle(request, *args, **kwargs)
web_1        | 2020-06-03T18:28:22.373150015Z   File "/usr/local/lib/python2.7/site-packages/sentry_auth_saml2/generic/views.py", line 70, in handle
web_1        | 2020-06-03T18:28:22.373152125Z     return helper.next_step()
web_1        | 2020-06-03T18:28:22.373154164Z   File "/usr/local/lib/python2.7/site-packages/sentry/auth/helper.py", line 638, in next_step
web_1        | 2020-06-03T18:28:22.373156292Z     return self.current_step()
web_1        | 2020-06-03T18:28:22.373158196Z   File "/usr/local/lib/python2.7/site-packages/sentry/auth/helper.py", line 630, in current_step
web_1        | 2020-06-03T18:28:22.373160308Z     helper=self,
web_1        | 2020-06-03T18:28:22.373162221Z   File "/usr/local/lib/python2.7/site-packages/sentry/auth/providers/saml2.py", line 84, in dispatch
web_1        | 2020-06-03T18:28:22.373164317Z     auth = build_auth(request, saml_config)
web_1        | 2020-06-03T18:28:22.373166260Z   File "/usr/local/lib/python2.7/site-packages/sentry/auth/providers/saml2.py", line 393, in build_auth
web_1        | 2020-06-03T18:28:22.373168402Z     return OneLogin_Saml2_Auth(saml_request, saml_config)
web_1        | 2020-06-03T18:28:22.373179225Z   File "/usr/local/lib/python2.7/site-packages/onelogin/saml2/auth.py", line 54, in __init__
web_1        | 2020-06-03T18:28:22.373181548Z     self.__settings = OneLogin_Saml2_Settings(old_settings, custom_base_path)
web_1        | 2020-06-03T18:28:22.373183603Z   File "/usr/local/lib/python2.7/site-packages/onelogin/saml2/settings.py", line 114, in __init__
web_1        | 2020-06-03T18:28:22.373185700Z     ','.join(self.__errors)
web_1        | 2020-06-03T18:28:22.373187672Z OneLogin_Saml2_Error: Invalid dict settings: sp_acs_url_invalid,sp_sls_url_invalid
web_1        | 2020-06-03T18:28:22.373189786Z 18:28:22 [ERROR] django.request: Internal Server Error: /organizations/sentry/auth/configure/ (status_code=500 request=<WSGIRequest: POST u'/organizations/sentry/auth/configure/'>)
web_1        | 2020-06-03T18:28:22.439113710Z 142.58.229.253 - - [03/Jun/2020:18:28:22 +0000] "POST /organizations/sentry/auth/configure/ HTTP/1.1" 500 6669 "https://sentry.its.sfu.ca/organizations/sentry/auth/configure/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:77.0) Gecko/20100101 Firefox/77.0"

grahamb · June 3, 2020, 9:10pm

OK, figured this out: I was logged in as the superuser (sentry@sfu.ca) when setting up SAML2. Even though I logged in as myself (grahamb) when logging into the IdP when configuring SSO, it was associating that login with the superuser account. If I log into the IdP with another user after SSO is set up, it provisions a user with the proper email address.

This seems like a bug to me; at the very least, it should be documented.

Topic		Replies	Views
SAML 2 Authentication Not working on Sentry On-Premise installation On-Premise	0	1198	December 14, 2017
On-Prem 9.1.1, no way to get SSO (SAML2) working On-Premise	2	2212	April 6, 2020
On using password-based authentication alongside SAML2 On-Premise	3	1218	March 18, 2020
Saml provider not available On-Premise	1	2317	July 5, 2018
SAML2 with ADFS (Active Directory) On-Premise	1	1201	May 22, 2020

SAML2 authentication - Just in Time Provisioning not working

Related topics