SSO Preview Phase #1439

Closed
10 of 20 tasks
dcramer opened this issue Feb 25, 2015 · 20 comments

@dcramer
Member

dcramer commented Feb 25, 2015

The basics for the SSO framework have landed in master, and now we need to expand on a few things.

Specifically, we need to target the tighter security controls around membership.

  • Your membership will be considered inactive if you do not have an SSO-linked identity
  • Verification should be reset when the auth provider is removed
  • Inviting a team member should force them through the SSO login flow
  • The ability to send an existing member a "link your account" email
  • Loading indicator for 'resend invite' link
  • The ability to send all members who have no SSO identity a "link your account email"
  • Visual changes to membership list to suggest which accounts are unlinked and thus inactive
  • Google should have a clear path to "I authenticated with the wrong domain, I need to fix it"
  • Unlinking your provider currently wipes all identities. This isn't ideal, but without adjusting AuthIdentity to have some additional configuration there's not much we can do. Either way, we should at least inform the user this will happen.
  • The ability to upload an icon for your organization which will be used on the SSO page
  • SSO sessions need a strict expiration, and identities themselves should contain the last time they were verified
  • Google should request offline access and periodically verify based on the provider sync time
  • Organization owners (at least by default) should be able to bypass the sso:linked check
  • Members who have not linked SSO should have an alert somewhere in the app that allows them to quickly do so (since they no longer have org access)
  • Link emails should have a rich HTML template
  • Organization members which have been invalidated should be moved to an inactive state (something that is visually different than the 'sso is not linked', though they should still share that flag).
  • OAuth / Google needs to implement refresh tokens, and correctly account for these in the offline validation
  • If you are unable to authenticate (i.e. you don't have an @domain.com account on Google), we should not continually loop you through the org SSO page.
  • When you are already logged in, the "login to Organization" page should allow you to create a new account or link with your existing account
  • You should be able to merge accounts (somehow)

There are also next to no tests so it's a painful manual QA process atm. We should fix this by building a dummy SSO provider in the test suite (i.e. something that just redirects back) and create an integration test suite out of it.

@dcramer dcramer changed the title SSO Additions Soft-launch SSO Feb 25, 2015
@dcramer
Member Author

dcramer commented Feb 25, 2015

Also if you're using hosted Sentry, use Google Apps, and are interested in participating in the preview phase of this, please let us know either here or hit us up via hello@.

If you're using self-hosted, and are interested in the enterprise offering (which will include a number of SSO providers), we're also happy to get you into the preview phase.

@dcramer dcramer changed the title Soft-launch SSO SSO Preview Phase Feb 25, 2015
@dcramer dcramer self-assigned this Feb 25, 2015
@dcramer
Member Author

dcramer commented Feb 25, 2015

bb5b6b0 adds support for the first half (though emails aren't finished yet)

@dcramer
Member Author

dcramer commented Feb 25, 2015

7cb7c6e ensures sso:valid is reset

@dcramer
Member Author

dcramer commented Feb 26, 2015

d8e9218 adds invite emails

@dcramer
Member Author

dcramer commented Feb 26, 2015

65264ee automatically sends link emails when SSO is set up

68b0d6a adds a button on auth configuration to send reminder emails to pending links

@ckj
Member

ckj commented Feb 27, 2015

91444f1 adds loading indicator to send invite link

@dcramer
Member Author

dcramer commented Feb 27, 2015

3bf362d adds default membership controls on the backend

@dcramer
Member Author

dcramer commented Feb 27, 2015

b48276b blocks all API access to unlinked members (this might cause issues)

@dcramer
Member Author

dcramer commented Feb 27, 2015

0c27304 implements the start of "you need to link your account"

It refactors the base views to redirect members who are logged in but missing SSO link to the appropriate page. It also means that the user can still view the organization, but we're relying on the other views/code to enforce permissions rather than the queryset helpers.

@dcramer
Member Author

dcramer commented Mar 3, 2015

offline sync was landed, as well as various session validation code.

Right now offline sync tries hourly, and session expiration is every 24 hours
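The following is an added illustration, not Sentry's code, of how the membership rules from the checklist above (inactive membership without an SSO-linked identity, sso:valid reset when the provider is removed, owner bypass of the sso:linked check, the SSO-optional toggle) combine with the timings in this comment (hourly offline sync, 24-hour session expiry). The dataclasses, the reason strings, the fixed clock and the three-hour `SYNC_GRACE` are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

SESSION_MAX_AGE = timedelta(hours=24)   # "session expiration is every 24 hours"
SYNC_GRACE = timedelta(hours=3)         # assumed: three missed hourly offline syncs invalidate an identity
NOW = datetime(2015, 3, 3, 12, 0, tzinfo=timezone.utc)  # constructed fixed clock for the demo

def hours_before(hours: float) -> datetime:
    return NOW - timedelta(hours=hours)

@dataclass
class AuthIdentity:
    last_verified: datetime          # last time the provider confirmed this identity (offline sync)

@dataclass
class Member:
    role: str                        # "owner" or "member"
    identity: Optional[AuthIdentity] = None
    flags: Set[str] = field(default_factory=set)

@dataclass
class AuthProvider:
    require_sso: bool = True         # the SSO-optional toggle

def refresh_flags(member: Member, provider: Optional[AuthProvider], now: datetime = NOW) -> Set[str]:
    """Recompute sso:linked / sso:valid; removing the provider resets both."""
    flags: Set[str] = set()
    if provider is not None and member.identity is not None:
        flags.add("sso:linked")
        # an identity stays valid only while periodic offline verification keeps succeeding
        if now - member.identity.last_verified <= SYNC_GRACE:
            flags.add("sso:valid")
    member.flags = flags
    return flags

def can_access(member: Member, provider: Optional[AuthProvider], session_started: datetime, now: datetime = NOW):
    """Return (allowed, reason). Strict session expiry applies to everyone, owners included."""
    flags = refresh_flags(member, provider, now)
    if now - session_started > SESSION_MAX_AGE:
        return False, "session expired; re-authenticate"
    if provider is None or not provider.require_sso:
        return True, "sso not required"
    if member.role == "owner":
        return True, "owner bypasses sso:linked check"
    if "sso:linked" not in flags:
        return False, "link your account with the SSO provider to continue"
    if "sso:valid" not in flags:
        return False, "identity no longer valid; re-link your account"
    return True, "ok"
```

The flags are recomputed on every check so that a provider removal or a run of failed offline syncs takes effect without waiting for the session to expire.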

@ChadKillingsworth
Contributor

I'm working on deploying a hosted copy of sentry. I've got LDAP integration working, but It appears the SSO integration may be preferable long term. I'm willing to do the work to make LDAP function as an SSO provider for an organization.

@dcramer
Member Author

dcramer commented Mar 23, 2015

@ChadKillingsworth I would stick with that for now. We're not done with core-SSO support, and the LDAP offering will actually be for our enterprise product only (it's not being open sourced). It absolutely will be better than the django-ldap stuff, but it won't stop what you have from working.

@twelvelabs

I recently turned on Google Apps auth for my organization. When members have followed the 'link your account' instructions sent via email, they saw this warning on the google side when authenticating:

[screenshot: warning]

It suggests that Sentry is using a deprecated auth API which is going away soon.

@dcramer
Member Author

dcramer commented Apr 6, 2015

@twelvelabs SSO is unreleased to the general public at this time. The feature you're looking at will likely be completely removed as it doesn't provide much value.

@dcramer
Member Author

dcramer commented Apr 6, 2015

@twelvelabs I assume @dz relayed our conversation. We're going to kill that feature that you mistakenly hit very soon. It's our legacy "login with a random account" system.

@twelvelabs

@dcramer yeah, but unfortunately we're all getting locked out of Sentry now. When I turned on Google Apps login, I and a number of people were listed as having our accounts connected and were able to log in. Now we're all getting an auth modal w/ an error message: You need to link your account with the SSO provider to continue.

Clicking 'Login with Google' returns us back to Sentry w/ a 500 error. The error id for me was 8b6387ba863c457693bfb91f6191bc57.

@dcramer
Member Author

dcramer commented Apr 6, 2015

Fixed a few things in:

  • General error with existing account links (becoming invalid): 1d0dbc4 1dd823a
  • Improved messaging/behavior around existing links (UX): 968e658
  • Correct an issue with identity refresh: 64d79c7
  • Correct logging so we know when refresh issues are happening: 8134151

@dcramer
Member Author

dcramer commented Apr 7, 2015

52569f0 adds the backend feature to support SSO-optional access

@dcramer
Member Author

dcramer commented Apr 8, 2015

a6121ce adds UI to toggle SSO requirement

@dcramer
Member Author

dcramer commented Jul 21, 2015

Closing this out as SSO is mostly done

@dcramer dcramer closed this as completed Jul 21, 2015