
SAML SSO error with base URL provided through web interface

Open otoriphoenix opened this issue 1 month ago • 4 comments

Self-Hosted Version

25.9.0

CPU Architecture

x86_64

Docker Version

28.4.0

Docker Compose Version

2.36.2

Machine Specification

  • [x] My system meets the minimum system requirements of Sentry

Steps to Reproduce

  1. Set the Sentry Base URL through the web interface at /manage/settings/ instead of in config.yml
  2. Set up a custom SAML2 provider, e.g. Keycloak
  3. Try logging in via SAML2

Expected Result

Successful login.

Actual Result

Sentry fails to perform the login, returning a 500 error status instead. The error message indicates something wrong with the URLs used in creating the auth request:

Traceback (most recent call last):
  File "/.venv/lib/python3.13/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/.venv/lib/python3.13/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/.venv/lib/python3.13/site-packages/sentry_sdk/integrations/django/views.py", line 94, in sentry_wrapped_callback
    return callback(request, *args, **kwargs)
  File "/.venv/lib/python3.13/site-packages/django/views/generic/base.py", line 104, in view
    return self.dispatch(request, *args, **kwargs)
           ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/sentry/src/sentry/silo/base.py", line 158, in override
    return original_method(*args, **kwargs)
  File "/.venv/lib/python3.13/site-packages/django/utils/decorators.py", line 48, in _wrapper
    return bound_method(*args, **kwargs)
  File "/.venv/lib/python3.13/site-packages/django/views/decorators/csrf.py", line 65, in _view_wrapper
    return view_func(request, *args, **kwargs)
  File "/usr/src/sentry/src/sentry/web/frontend/base.py", line 417, in dispatch
    return self.handle(request, *args, **kwargs)
           ~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.venv/lib/python3.13/site-packages/django/utils/decorators.py", line 48, in _wrapper
    return bound_method(*args, **kwargs)
  File "/.venv/lib/python3.13/site-packages/django/views/decorators/cache.py", line 80, in _view_wrapper
    response = view_func(request, *args, **kwargs)
  File "/usr/src/sentry/src/sentry/web/frontend/auth_organization_login.py", line 91, in handle
    response = self.handle_sso(request, organization, auth_provider)
  File "/usr/src/sentry/src/sentry/web/frontend/auth_organization_login.py", line 47, in handle_sso
    return helper.current_step()
           ~~~~~~~~~~~~~~~~~~~^^
  File "/usr/src/sentry/src/sentry/pipeline/base.py", line 189, in current_step
    return step.dispatch(self.request, pipeline=self)
           ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/sentry/src/sentry/auth/providers/saml2/provider.py", line 79, in dispatch
    auth = build_auth(request, saml_config)
  File "/usr/src/sentry/src/sentry/auth/providers/saml2/provider.py", line 445, in build_auth
    auth = OneLogin_Saml2_Auth(saml_request, saml_config)
  File "/.venv/lib/python3.13/site-packages/onelogin/saml2/auth.py", line 57, in __init__
    self._settings = OneLogin_Saml2_Settings(old_settings, custom_base_path)
                     ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.venv/lib/python3.13/site-packages/onelogin/saml2/settings.py", line 128, in __init__
    raise OneLogin_Saml2_Error(
    ...<3 lines>...
    )
onelogin.saml2.errors.OneLogin_Saml2_Error: Invalid dict settings: sp_acs_url_invalid,sp_sls_url_invalid

Setting the base URL via config.yml resolves the issue - either this is undocumented behavior or unintended. I'm also unclear how reproducible the problem is, given that this was discovered only recently. We have been on 25.9.0 for a while without issues.

Event ID

No response

otoriphoenix (Nov 12 '25 18:11)

Setting the base URL via config.yml resolves the issue - either this is undocumented behavior or unintended.

What was the previous value and what is the new value?

aldy505 (Nov 13 '25 05:11)

We previously didn't set the value in config.yml at all, so it would probably be parsed as None from the file. We instead configured it via the web UI. The new value is the same value as we configured in the web UI originally. The only difference to before is where we set it.

otoriphoenix (Nov 13 '25 15:11)

We just encountered this on our instance (also backed by Keycloak SAML).

sentry-web container was and is running v24.9.0, no changes have been made to the deployment. Keycloak is v26.0.5 and that deployment also hasn't been changed at all.

Adding system.url-prefix: to config.yaml matching what has been configured in the web interface resolves the SAML login issue.

I currently have the base URL fix in place per above, however I can schedule a maintenance window to revert the fix and collect any troubleshooting information that may be useful. Please advise what we can collect to assist in the debugging process.

michaelatinternet (Nov 17 '25 09:11)
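A pre-flight check for the failure mode in the original report and in the comment above: python3-saml rejects the SP settings with `sp_acs_url_invalid,sp_sls_url_invalid` when the ACS and SLS endpoints are not absolute http(s) URLs, which is what happens when `system.url-prefix` resolves to nothing at the point the SAML config is built. This is an added example, not Sentry's or python3-saml's own code; the route paths `/saml/acs/<org>/` and `/saml/sls/<org>/` and the org slug `acme` are assumptions for illustration.

```python
"""Validate the SP-side SAML URLs before enabling SSO (added example)."""
from urllib.parse import urlparse

# Error codes match the ones python3-saml reported in the traceback above.
ACS_INVALID = "sp_acs_url_invalid"
SLS_INVALID = "sp_sls_url_invalid"


def build_sp_urls(url_prefix, org_slug):
    """Join the configured system.url-prefix with the SAML routes.

    An unset prefix (None, as the reporter describes) degrades to "" and
    yields relative paths. Route paths are assumed for this example.
    """
    base = (url_prefix or "").rstrip("/")
    return {
        "acs": f"{base}/saml/acs/{org_slug}/",
        "sls": f"{base}/saml/sls/{org_slug}/",
    }


def is_absolute_http_url(url):
    """True only for http(s) URLs with a host; relative paths and bare
    hostnames without a scheme both fail, as they do in python3-saml."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def check_sp_settings(urls):
    """Return the list of error codes python3-saml would raise for these URLs."""
    errors = []
    if not is_absolute_http_url(urls["acs"]):
        errors.append(ACS_INVALID)
    if not is_absolute_http_url(urls["sls"]):
        errors.append(SLS_INVALID)
    return errors


if __name__ == "__main__":
    # Constructed inputs: the broken case (prefix missing) and the fixed case.
    for prefix in (None, "sentry.example.com", "https://sentry.example.com"):
        urls = build_sp_urls(prefix, "acme")
        errors = check_sp_settings(urls)
        print(f"url-prefix={prefix!r}: {urls['acs']} -> {errors or 'ok'}")
```

Run it against the value you intend to put in `config.yml`; an empty error list means python3-saml will accept the resulting settings dict.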

I would just put this on the docs. I don't think the right Sentry team can tackle this with all their backlogs.

aldy505 (Nov 24 '25 14:11)