self-hosted
SSO with multiple domains
Important Details
How are you running Sentry?
[x] On-Premise docker [Version 10.0.0.dev0]
Description
I want to configure Google Auth with multiple domains whitelisted. At the moment only the default domain can be configured, but I need a second one (not sure where it gets the first one though, configured external DNS?).
Steps to Reproduce
- configure `sentry/sentry.conf.py`:

```python
SENTRY_OPTIONS['auth-google.client-id'] = 'ID'
SENTRY_OPTIONS['auth-google.client-secret'] = 'SECRET'
SENTRY_OPTIONS['auth-google.domains'] = ['domain1.org', 'domain2.org']
```

- rebuild & rerun:

```shell
docker-compose build
docker-compose run --rm web upgrade
docker-compose up -d
```
What you expected to happen
I expected to be able to login with SSO from both domains.
Is that the right approach?
Many thanks, bert
Any updates? Is there any official documentation available on how to add multi-domains to SSO auth in on-premise installations?
Edit: added detail about on-prem
Hi, are there any updates on this? Many developers at the firm are not able to log in because of this. Hope assistance can be provided. Thanks
Currently nobody is working on this. If anyone is willing to take a stab, I'd be happy to assist them.
/cc @EvanPurkhiser
Hi! Could you share the status of this ticket?
As I understand, multiple domains are supported by the Google provider: https://github.com/getsentry/sentry-auth-google/pull/13
@azhurbilo this issue is "on hold", which means we'd like to get this done some time but it is not a priority. And pull requests are welcome if anyone wants to take a stab at it.
Turns out this code is the one that is being used for Google Auth so I'll dig if this is just exposing the functionality via settings. Thanks for bringing it up.
This issue has gone three weeks without activity. In another week, I will close it.
But! If you comment or otherwise update it, I will reset the clock, and if you label it `Status: Accepted`, I will leave it alone ... forever!
"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
@dcramer Following up on https://github.com/getsentry/sentry-auth-google/pull/13/files
How does one configure `domain` or `domains` in Sentry?
@jawabuu this issue was closed due to staleness so I don't think this is possible yet. @leedongwei, is this something you'd consider as part of the current auth work?
@BYK understood.
Just wanted to confirm this.
Considering you already have `DOMAIN_BLOCKLIST`, it should be easy in my opinion to have something like `DOMAIN_ALLOWLIST`.
I have implemented this approach in sentry-auth/oidc at https://github.com/jawabuu/sentry-auth-oidc/commit/a3c4586446d2f80e4a7d8e7474845c720b85cb78
Reason for using the plugin is I'm using Gitlab as the auth provider.
I don't think we exposed a way to configure it via the CLI, but you can update the database row to store `domains` vs `domain`.
@dcramer Does this solve the issue of passing the domain or domains to be checked against when logging in?
How would one set this in, for example, `sentry.conf.py`?
You cannot configure these kinds of things via the python config. They're all at the database level and configured per-organization (which in self-hosted is usually a single org).
@dcramer Noted. If I understand correctly, is the domain populated from the org created in Sentry? Is it a requirement then that the org name be a domain?
No - the domain is not at all related to the name of the org. When you attach an SSO account it is linked to your Google domain. We then retain that coupling. If you wish to support multiple Google-backed domains, the only way currently is to change the config value in the db row to go from `domain => sentry.io` to `domains => ['sentry.io', 'getsentry.com']`.
@dcramer Thanks for clarifying. This is very helpful. I'm guessing this happens when one is configuring SSO on the auth tab?
Has this feature died or was it already implemented?
Adding `auth-google.domains` doesn't work. Neither does `OIDC_DOMAIN_ALLOWLIST` in the ENV.
Hey @lahdekorpi you will need to install a fork to make use of the functionality
@jawabuu Were you able to get this working? If so, do you mind sharing what your workflow is?
Hey @hubertdeng123
This is (was) my Dockerfile:

```dockerfile
FROM getsentry/sentry:21.8.0
RUN python -m pip install https://github.com/jawabuu/sentry-auth-oidc/archive/d2d1b5461e79444208a3faee7ac365bf2c6d76f3.tar.gz
```
It looks like this can only be changed from the database now.

```console
docker exec -u postgres -it sentry-self-hosted-postgres-1 psql
postgres=# select * from sentry_authprovider;
id | provider | config | date_added | sync_time | last_sync | default_role | default_global_access | flags | organization_id
----+----------+------------------------------------------+-------------------------------+-----------+-----------+--------------+-----------------------+-------+-----------------
1 | google | {"domains":["example.com"],"version":"1"} | 2024-03-13 15:11:45.266913+00 | | | 50 | t | 0 | 1
(1 row)
postgres=# update sentry_authprovider set config = '{"domains":["example.com", "example.net"],"version":"1"}' where id =1;
UPDATE 1
```
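The row edit @dcramer describes (`domain` => `domains`) and the psql session above both hand-edit the JSON in `sentry_authprovider.config`. Below is an added helper, not part of Sentry or this thread, that rewrites that JSON safely: it migrates the legacy single `domain` key into a `domains` list, lowercases, validates and deduplicates every entry, keeps unrelated keys such as `version` untouched, and builds a parameterised UPDATE instead of interpolating the JSON into the statement. Placeholder style (`%s`) and the `provider = 'google'` guard are assumptions.

```python
import json
import re

# Conservative hostname check (assumption: sufficient for Google Workspace domains).
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def normalize_domain(domain):
    """Lower-case and validate one domain; raise ValueError if it is not a hostname."""
    d = domain.strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(d):
        raise ValueError("not a valid domain: %r" % domain)
    return d


def add_sso_domains(config_json, new_domains):
    """Return updated JSON for sentry_authprovider.config with new_domains allowed.

    Handles both the legacy single-valued 'domain' key and the 'domains' list,
    keeps any other keys (e.g. 'version') untouched, and never emits duplicates.
    """
    config = json.loads(config_json)
    allowed = []
    # Legacy shape {"domain": "example.com"}: migrate into the list form.
    if "domain" in config:
        allowed.append(normalize_domain(config.pop("domain")))
    for d in config.get("domains", []):
        allowed.append(normalize_domain(d))
    for d in new_domains:
        allowed.append(normalize_domain(d))
    # Deduplicate while preserving order (dict keeps insertion order).
    config["domains"] = list(dict.fromkeys(allowed))
    return json.dumps(config, separators=(",", ":"))


def update_statement(provider_id, config_json):
    """Parameterised (psycopg2-style %s placeholders, assumed) UPDATE and its params."""
    sql = "UPDATE sentry_authprovider SET config = %s WHERE id = %s AND provider = 'google'"
    return sql, (config_json, provider_id)


if __name__ == "__main__":
    # Constructed sample row mirroring the shape shown in the psql output above.
    row = '{"domains":["example.com"],"version":"1"}'
    new_config = add_sso_domains(row, ["example.net"])
    print(update_statement(1, new_config))
```

Run the returned statement with the parameter tuple through your DB driver; rerun `select * from sentry_authprovider` afterwards to confirm only the `config` column changed.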
Transferring to self-hosted, but not prioritizing this