Keycloak SAML - There is no AttributeStatement on the Response

[sgohl]

Self-Hosted Version

24.6.0.dev0

CPU Architecture

x86_64

Docker Version

24.0.5

Docker Compose Version

2.16.0

Steps to Reproduce

Precondition:

• fresh sentry installation from master branch - only superuser created by install.sh - organization name "sentry" - everything is factory defaults
• fresh keycloak installation (24.0.4) - with ldap/ad federation

I followed the instructions from here: https://yyhh.org/blog/2020/10/how-to-setup-saml2-authentication-on-sentry-with-keycloak/

With the difference that keycloak metadata url now is without the auth before realms in uri.

I tried also with Name ID format "username" and "email" – no difference. (because #2743 (comment))

I tried ACS/SLS uris both with and without organization name at the end of uri – no difference. (because #1344 (comment))

For mappers, I have set them in the default created dedicated scope for the client in tab "Client scopes" (this was reorganized in new keycloak version). (I also tried creating a new scope and add this mapper, and then add the scope (type default) to the client – no difference)
I deleted the roles_list mapping and only added predefined "x500 email" with SAML Attribute Name changed to user_email

Other steps:

• Client signature required (tab "Keys") -> OFF
• Sign documents/assertions -> OFF
• Valid redirect/post-logout URIs -> *

Keycloak and Sentry running via docker on same host, but communication via https over central SSL terminated reverse proxy (HAProxy) using real LetsEncrypt cert.

• Client ID: https://sentry.mydomain.dev/saml/metadata/sentry/
• Metadata URL: https://keycloak.mydomain.dev/realms/master/protocol/saml/descriptor
• Metadata XML: https://gist.github.com/sgohl/bff1754e3cdaea599dd3b9ea751c2a2e
• Keycloak Client configuration: https://gist.github.com/sgohl/b0c8ee0a1b0ba84a62a11e6a84912ca0

Both IdP User ID and User Email: user_email
Both First Name and Last Name empty for now (elimination testing).

Click "Save Attributes" -> redirect to Keycloak/https works -> Login as admin -> Redirect back to Sentry/https -> Error:

I used a SAML tracer browser plugin, and indeed, the AttributeStatement is missing in the saml reposonse: https://gist.github.com/sgohl/9f6504746b43c518be4f54d7889ae6fd

I'm stuck debugging. There are no logs in keycloak (level DEBUG) or sentry-web. It seems, keycloak just omits this statement because it has no reason to include it which is no error per se.
So I think, something is missing in keycloak configuration, but I can't figure what.

I've found and read these issues:

• Sentry SSO via SAML Keycloak does not work #2743
• Sentry SSO via SAML Keycloak does not work #1571
• Setup Sentry SSO via SAML Keycloak does not work properly #1344
• Sentry SAML2 auth with Keycloak sentry#71115

and applied any conclusion I found, but for me, nothing worked.

I understand, this is most likely not a sentry issue itself but rather a keycloak configuration, but since the keycloak configuration highly depends on what sentry expects, I feel it belongs to here.

Highly appreciate any help!
Perhaps someone could share their anonymized keycloak client configuration and share how a correct saml response with the AttributeStatement looks like!

Expected Result

AttributeStatement on the Response not missing - as expected

Actual Result

Authentication error: SAML SSO fehlgeschlagen, There is no AttributeStatement on the Response

Event ID

No response

[azaslavsky]

Are you seeing any errors in your sentry-web-1 server logs when you try to do this?

This does seem to be some unique keyclock + sentry combination error, hard to speculate what might be causing it though. We have a specific way of doing it on prod that unfortunately doesn't overlap much with the self-hosted flow.

[madalinignisca]

Create in Client Scopes a new entry, name it Sentry for example, or how you wish if you will reuse it.

Create mapper with x500 email, firstname and lastname. Another custom mapper will be for username.

Make sure to make all attributes very simple:

Now make sure the Sentry client will use the Client Scope.

This means that Keycloak will return in the response the attributes expected by Sentry, which you must match on the sentry configuration form.

This happens on recent Sentry with lastest 24.x of Keycloak. I spent like 4-5h trying all combination possible from all github issues and referenced blog posts. None work anymore.

[sgohl]

Hi, thanks for your response!

So you made it working?

I removed the mappers from the dedicated builtin scope and created a new client scope "sentry" (and added to the client as type Default) with mappers for email and username (I didn't know that username needs a mapper, too?), and tried with NameFormat as Basic as well as with default urn. Same with firstName and lastName. None worked.

I tried with naming the email/user attribute email and user_email but both diodn't work (is the name relevant?)

Again tried client/NameFormat as "username" and "email".

@madalinignisca
Could you possibly share the relevant parts of your client configuration (via keycloak export from the Action dropdown) via gist for a day or two so I could compare to mine?

@azaslavsky

there's only one none-200 log in sentry-web:

sentry-self-hosted-web-1  | 08:19:27 [INFO] sentry.access.api: api.access (method='GET' view='sentry.api.endpoints.organization_auth_provider_details.OrganizationAuthProviderDetailsEndpoint' response=204 user_id='1' is_app='False' token_type='None' is_frontend_request='True' organization_id='1' auth_id='None' path='/api/0/organizations/sentry/auth-provider/' caller_ip='10.242.2.92' user_agent='Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0' rate_limited='False' rate_limit_category='None' request_duration_seconds=0.041001319885253906 rate_limit_type='DNE' concurrent_limit='None' concurrent_requests='None' reset_time='None' group='None' limit='None' remaining='None')

but I doubt that it's in any way helpful to understand what the problem is, and I'm not even sure it's the corresponding request to the error

[azaslavsky]

It is very surprising that you are getting errors in the UI, but nothing in the web logs. If you open your chrome devtools when you see that error (from the original post), are there any notable 4xx or 5xx codes?

[sgohl]

no 4xx or 5xx requests in network inspector, no adblocker, no relevant bad logs in browser console, neither firefox nor chrome

as far as I see, there is a first POST request to sentry which responds with 302 to keycloak, which responds with 200. Although this is a Authentication Redirect, it automatically redirects and uses my keycloak-admin login to automatically proceed and redirect back to sentry

Finally a 204 No Content Response from sentry

[madalinignisca]

@sgohl export.json

{
  "clientId": "https://[sentry_host_name]/saml/metadata/[sentry_org]/",
  "name": "",
  "description": "",
  "rootUrl": "",
  "adminUrl": "",
  "baseUrl": "",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "https://[sentry_host_name]/*"
  ],
  "webOrigins": [],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": true,
  "frontchannelLogout": false,
  "protocol": "saml",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "true",
    "saml_single_logout_service_url_post": "https://[sentry_host_name]/saml/sls/",
    "saml.encrypt": "false",
    "saml_assertion_consumer_url_post": "https://[sentry_host_name]/saml/acs/",
    "saml.server.signature": "true",
    "saml.server.signature.keyinfo.ext": "false",
    "saml.signing.certificate": "[certificate]",
    "saml.artifact.binding.identifier": "[some-uuid]",
    "saml.artifact.binding": "false",
    "saml.signature.algorithm": "RSA_SHA256",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "saml.authnstatement": "true",
    "display.on.consent.screen": "false",
    "saml_name_id_format": "username",
    "saml.signing.private.key": "[key]",
    "saml.allow.ecp.flow": "false",
    "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "saml.onetimeuse.condition": "false",
    "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "Sentry"
  ],
  "optionalClientScopes": [],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}

[madalinignisca]

@sgohl make sure you have the mappers right and used in the client!

I have this, and in each one, there is the SAML Attribute Name expected by Sentry and matching your configuration.

[madalinignisca]

The problem is not with Sentry. Sentry works fine with custom SAML2 providers.

The problem is lack of information anywhere on the internet how to setup Keycloak for any usecase. There are many tutorials for some popular integrations, but nothing relevant for majority. Probably most companies end with some paid saas solution (AD included), as those are preconfigured for most case scenarios.

Keycloak is a bare bones solution for which who manages is fully responsible to know expectations of CLIENT and setup all required scenarios.

If you are trying Keycloak and you don't have anything else setup in it, maybe a more simple SAML provider alternative would better help, like lemonldap-ng or simplesamlphp, which compared to Keycloak are human level stuff, where Keycloak is enterprise level made to justify time consumed to configure it.