Keycloak SAML - There is no AttributeStatement on the Response #3062
Comments
Are you seeing any errors in your
This does seem to be some unique keycloak + sentry combination error, hard to speculate what might be causing it though. We have a specific way of doing it on prod that unfortunately doesn't overlap much with the self-hosted flow.
Hi, thanks for your response! So you made it work? I removed the mappers from the dedicated builtin scope and created a new client scope "sentry" (and added it to the client as type
I tried with naming the email/user attribute
Again tried client/
@madalinignisca there's only one non-200 log in sentry-web:
but I doubt that it's in any way helpful to understand what the problem is, and I'm not even sure it's the corresponding request to the error.
It is very surprising that you are getting errors in the UI, but nothing in the web logs. If you open your chrome devtools when you see that error (from the original post), are there any notable 4xx or 5xx codes?
No 4xx or 5xx requests in the network inspector, no adblocker, no relevant bad logs in the browser console, in neither firefox nor chrome as far as I see. There is a first POST request to sentry which responds with 302 to keycloak, which responds with 200. Although this is an Authentication Redirect, it automatically redirects and uses my keycloak-admin login to automatically proceed and redirect back to sentry. Finally a 204 No Content response from sentry.
@sgohl export.json
@sgohl make sure you have the mappers right and used in the client! I have this, and in each one, there is the
The problem is not with Sentry. Sentry works fine with custom SAML2 providers. The problem is the lack of information anywhere on the internet on how to set up Keycloak for any use case. There are many tutorials for some popular integrations, but nothing relevant for the majority. Probably most companies end up with some paid SaaS solution (AD included), as those are preconfigured for most case scenarios. Keycloak is a bare-bones solution for which whoever manages it is fully responsible for knowing the expectations of the CLIENT and setting up all required scenarios. If you are trying Keycloak and you don't have anything else set up in it, maybe a simpler SAML provider alternative would help better, like
Self-Hosted Version
24.6.0.dev0
CPU Architecture
x86_64
Docker Version
24.0.5
Docker Compose Version
2.16.0
Steps to Reproduce
Precondition:
- install.sh - organization name "sentry" - everything is factory defaults
- keycloak (24.0.4) - with ldap/ad federation
I followed the instructions from here: https://yyhh.org/blog/2020/10/how-to-setup-saml2-authentication-on-sentry-with-keycloak/
With the difference that the keycloak metadata url now is without the "auth" before "realms" in the uri.
I tried also with Name ID format "username" and "email" – no difference. (because #2743 (comment))
I tried ACS/SLS uris both with and without the organization name at the end of the uri – no difference. (because #1344 (comment))
For mappers, I have set them in the default created dedicated scope for the client in tab "Client scopes" (this was reorganized in the new keycloak version). (I also tried creating a new scope and adding this mapper, and then adding the scope (type default) to the client – no difference)
I deleted the "roles_list" mapping and only added the predefined "x500 email" with SAML Attribute Name changed to "user_email".
Other steps:
Keycloak and Sentry running via docker on same host, but communication via https over central SSL terminated reverse proxy (HAProxy) using real LetsEncrypt cert.
Both IdP User ID and User Email: user_email
Both First Name and Last Name empty for now (elimination testing).
Click "Save Attributes" -> redirect to Keycloak/https works -> Login as admin -> Redirect back to Sentry/https -> Error:
I used a SAML tracer browser plugin, and indeed, the AttributeStatement is missing in the saml response: https://gist.github.com/sgohl/9f6504746b43c518be4f54d7889ae6fd
I'm stuck debugging. There are no logs in keycloak (level DEBUG) or sentry-web. It seems keycloak just omits this statement because it has no reason to include it, which is no error per se.
So I think something is missing in the keycloak configuration, but I can't figure out what.
I've found and read these issues:
and applied every conclusion I found, but for me, nothing worked.
I understand this is most likely not a sentry issue itself but rather a keycloak configuration issue, but since the keycloak configuration highly depends on what sentry expects, I feel it belongs here.
Highly appreciate any help!
Perhaps someone could share their anonymized keycloak client configuration and show how a correct saml response with the AttributeStatement looks!
Expected Result
AttributeStatement on the Response not missing - as expected
Actual Result
Authentication error: SAML SSO fehlgeschlagen, There is no AttributeStatement on the Response
Event ID
No response
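A small diagnostic for the point the tracer capture makes (an added example; it is not from the issue, from Sentry or from Keycloak): it parses a decoded SAML 2.0 Response and reports whether an AttributeStatement is present, which attribute names it carries, and which of the names the SP was configured to read are missing. The required name "user_email" is taken from the steps above; the two responses are constructed samples, not the captured one from the gist, and the issuer URL and e-mail address are placeholders. It also distinguishes a genuinely absent statement from one hidden inside an EncryptedAssertion, which cannot be judged without the SP's decryption key. It checks configuration only and does no signature or condition validation.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names the SP was configured to read. Assumption taken from the
# issue: IdP User ID and User Email both map to "user_email".
REQUIRED_ATTRIBUTES = ("user_email",)


def inspect_saml_response(xml_text, required=REQUIRED_ATTRIBUTES):
    """Summarise what the SP would see in a decoded SAML Response.

    Returns a dict; "missing" lists required attribute names that no
    AttributeStatement carries. No signature/condition validation here.
    """
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)

    # Collect every Attribute under every AttributeStatement (name -> values).
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values

    return {
        "status": status.get("Value") if status is not None else None,
        "assertions": len(root.findall("saml:Assertion", NS)),
        # Encrypted assertions hide their statements from a plain XML inspection.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "has_attribute_statement": root.find(".//saml:AttributeStatement", NS) is not None,
        "attributes": attributes,
        "missing": [name for name in required if name not in attributes],
    }


def explain(report):
    """Turn the report into the one-line diagnosis an operator wants."""
    if report["encrypted_assertions"] and not report["has_attribute_statement"]:
        return "assertion is encrypted; decrypt with the SP key before judging attributes"
    if not report["has_attribute_statement"]:
        return "IdP sent no AttributeStatement: check that the client's scope has the mappers assigned"
    if report["missing"]:
        return "AttributeStatement present but missing: " + ", ".join(report["missing"])
    return "all required attributes present"


# Constructed sample: the failing shape (assertion, NameID, no AttributeStatement).
RESPONSE_WITHOUT_ATTRS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/realms/sentry</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same response once a mapper emits "user_email".
RESPONSE_WITH_ATTRS = RESPONSE_WITHOUT_ATTRS.replace(
    "</saml:Assertion>",
    """<saml:AttributeStatement>
      <saml:Attribute Name="user_email">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>""",
)

if __name__ == "__main__":
    for label, xml_text in (("without", RESPONSE_WITHOUT_ATTRS), ("with", RESPONSE_WITH_ATTRS)):
        report = inspect_saml_response(xml_text)
        print(label, report["attributes"], "->", explain(report))
```

To use it on a real capture, paste the decoded (base64-decoded, and inflated if it came via HTTP-Redirect) Response XML from the tracer into inspect_saml_response; the attribute names it lists are exactly what the SP compares against its configured IdP User ID and User Email fields.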