With newer versions of on-premise Sentry (I am using Sentry 20.10.1), the LDAP authentication does not seem to work any more. The code still compiles, but the LDAP login UI does not show up. Fortunately, newer versions of Sentry provide built-in support for SAML2 authentication, so we can use that instead. We can do this because our LDAP service is connected to an identity provider, in our case a Keycloak server.
It took a bit of fiddling in the UIs of these two applications to set things up correctly. Here's how.
The first step is to register Sentry with the IdP, i.e. the Keycloak server. I am using Keycloak 3.4.3.Final community.
- Create a client

Click "Clients" > "Create".

For the required "Client ID" field, just type something like https://sentry.example.com/saml/metadata/example/, assuming the Sentry server is at sentry.example.com, and the organization slug in Sentry is

For "Client Protocol", use saml.
- Configure the client

- "Sign Assertions" =>
- "Encrypt Assertions" =>
- "Client Signature Required" =>
- "Force POST Binding" =>
- "Force Name ID Format" =>
- "Name ID Format" =>
- "Valid Redirect URIs" =>
- "Assertion Consumer Service POST Binding URL" =>
- "Logout Service POST Binding URL" =>

Leave the rest as they are.
- Configure Mappers

Click "Delete" on the default "role list" mapper and confirm, as we will use a built-in mapper instead.
Click "Add Builtin", check "X500 email", and click "Add selected".
Click "X500 Email" and change "SAML Attribute Name" to user_email, as that's the attribute name Sentry expects. Click Save.

We are done with the Keycloak setup; now let's set up the Sentry side.
Sentry's instructions on registering an IdP are pretty good.
The first method, "Using Metadata URL", works with Keycloak.
For "Metadata URL", use https://idp.example.com/auth/realms/example.com/protocol/saml/descriptor, assuming the Keycloak server is at idp.example.com, and the realm name in there is
For Attribute Mappings, use user_email for both of the required fields "IdP User ID" and "User Email".
If everything is set up correctly, after you are redirected to your Keycloak server to log in, you should be sent back to Sentry with two green notifications on top. Success!
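Two things in the steps above are easy to get subtly wrong and only show up as a failed login: the realm descriptor that Sentry fetches from the "Metadata URL" must carry a signing certificate and an HTTP-POST SSO endpoint (the certificate is what Sentry uses to verify that an assertion really came from Keycloak, so a descriptor without one is a configuration to reject, not to work around), and the assertion Keycloak posts back must carry the attribute under the name user_email that the Attribute Mappings refer to. The script below is an added example for checking both offline; it is not code from Sentry, Keycloak or the original post. Both XML documents are constructed samples: the metadata is a trimmed stand-in for what a realm descriptor looks like (placeholder certificate), and the two responses show the X500 email mapper's output before renaming (the OID-style attribute name urn:oid:1.2.840.113549.1.9.1, as I understand the built-in mapper emits it) and after renaming to user_email. To check a real server, replace SAMPLE_METADATA with the text fetched from your own descriptor URL.

```python
"""Offline checks for the two SAML artefacts this setup depends on: the IdP
metadata descriptor Sentry fetches from the "Metadata URL", and the assertion
Keycloak posts back, which must carry a user_email attribute. Both XML samples
below are constructed for this example, not captured from a real server."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for a realm descriptor; the certificate text is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/auth/realms/example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/auth/realms/example.com/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _response_with_attribute(name):
    """Build a minimal, unsigned SAML Response carrying one email attribute (constructed)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{name}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Attribute name as emitted by the X500 email mapper before renaming, and after.
RESPONSE_DEFAULT_MAPPER = _response_with_attribute("urn:oid:1.2.840.113549.1.9.1")
RESPONSE_RENAMED_MAPPER = _response_with_attribute("user_email")


def check_idp_metadata(xml_text):
    """Report whether the descriptor has what an SP needs: an entityID,
    a signing certificate, and an HTTP-POST SingleSignOnService endpoint."""
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "has_signing_cert": False,
              "post_sso_url": None, "problems": []}
    if not result["entity_id"]:
        result["problems"].append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["problems"].append("no IDPSSODescriptor element")
        return result
    # A KeyDescriptor with no `use` attribute applies to both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text and cert.text.strip():
            result["has_signing_cert"] = True
            break
    if not result["has_signing_cert"]:
        result["problems"].append("no signing certificate: assertion signatures cannot be verified")
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:
            result["post_sso_url"] = sso.get("Location")
            break
    if result["post_sso_url"] is None:
        result["problems"].append("no HTTP-POST SingleSignOnService endpoint")
    return result


def assertion_attributes(xml_text):
    """Map every SAML attribute name in the response's assertion(s) to its values."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def missing_attributes(xml_text, required=("user_email",)):
    """Names from `required` that the assertion does not carry with a non-empty value."""
    present = assertion_attributes(xml_text)
    return [name for name in required if not present.get(name)]


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA))
    print("default mapper missing:", missing_attributes(RESPONSE_DEFAULT_MAPPER))
    print("renamed mapper missing:", missing_attributes(RESPONSE_RENAMED_MAPPER))
```

The un-renamed mapper case is the one that produces the confusing failure: the assertion is valid and carries the email, but under a name Sentry's "IdP User ID" and "User Email" mappings never look at, so the login is rejected after a successful Keycloak authentication.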