Support Multiple Teams + GitHub Orgs/LDAP/etc

[dcramer]

Here's the draft flow:

• You can bind an entire Sentry install to a GitHub team
• You can bind a Sentry team to a GitHub team
• When a user connects with their GitHub account, they're automatically bound to teams.
• Some kind of sync process would exist, that would say "every N minutes, ping GitHub to ensure team lists are updated". This one needs some more thought.
• Projects would be bound to N teams (instead of one).
• Teams are either internal or external.
• External teams cannot be managed within Sentry (e.g. you cant remove users).

Note: A GitHub team is considered an Organization + Team..

This will also allow us to support doing something similar with LDAP with very minimal effort from end users.

[dcramer]

There are some events around organizations that we might be able to rely on (to some extent):

http://developer.github.com/v3/activity/events/types/#teamaddevent

We should also include some administrative tools to force a sync with GitHub.

[dcramer]

Possibly a setting to say "cache memberships for X", which a minimum value. This would allow you to adjust your comfort level of how long it takes to invalidate a membership once you remove them from an org.

[ashchristopher]

I have a PR in for the first part of your draft.

omab/django-social-auth#556

[Karmak23]

The feature “ adding a project to more than one team ”, taken alone, is a must have for me.

This would allow to have a global team (eg. "sentry internal" by default) where I can receive/see all notifications at once for all the projects, while still beiing able to delegate a subset of projects to my customers or external developers.

Is it acheivable – even with manual tweaking – in the current implementation (I'm on 5.4.5) ?

best regards,

[tobio]

+1 having our sentry install synced with GitHub enterprise would be awesome.

[dcramer]

FYI the work I have done on this is in the access-groups branch. It's not finished, but I havent forgotten about this

[bpbp-boop]

+1 for LDAP support

[koshatul]

LDAP support would be awesome

[hatt]

+1 for auto-binding GitHub teams to Sentry

[prismic]

+1 for LDAP support

[josephmc5]

I got LDAP to connect but like the draft says, there is no default team to assign them to so an admin has to go in and add them to a team after first login. Even having this would be great. If I end up adding this for our use case I'll submit a PR and comment here in case people are interested while the access groups are being worked on.

[ColinHebert]

Any news regarding the LDAP support?

[dcramer]

@ColinHebert we actually just began discussing how we can better support SSO.

Specifically for a day-zero target we're aiming to support OneLogin.com, but the backbone there should provide enough support for any service

[dcramer]

There's a few concerns we need to sort out:

1. How does the team binding work?
   We built this functionality into AccessGroups, but realistically that's over complicated and more designed for "I have a bunch of automated groups, and i want to represent those here". I think we could still use access groups if we wanted to, but we want the SSO flow to be simple.
2. How do you configure SSO?
   In my head, you go into team settings, there's some kind of SSO tab, and you're able to configure a single provider for your team.
3. How do you login?
   If my SSO flow is a provider that requires me to hit a special endpoint to login, how do we make a special "Login to X Team" flow? This is the biggest blocker ATM, as the rest is simply technical.

We're going to make hard requirements that this caters to getsentry.com and not "i just have an install and can use LDAP for every user", which will make this slightly more complex.

I'm actually hoping to implement this soon, but the main concern for me is #3. I think what we could potentially do is have something like a 'https://app.getsentry.com/login/[team-slug]' which is customized per-team, but that's the only thing I've come up with so far.

[dcramer]

Closing this out as we're implementing a modern solution and this is focused on access groups/teams.

[dcramer]

See GH-1372