OpenID Connect authentication provider for Sentry (Shibboleth)
OIDC Auth for Sentry (Shibboleth)
An SSO provider for Sentry which enables OpenID Connect Apps authentication for Shibboleth. This is a fork of siemens/sentry-auth-oidc, which was also forked from getsentry/sentry-auth-google.
Why fork, instead of adapting siemens/sentry-auth-oidc or getsentry/sentry-auth-google to work with every OIDC?
The maintainers have different ideas. See:
- https://github.com/getsentry/sentry-auth-google/pull/29
- https://github.com/getsentry/sentry/issues/5650
- Also, the fork of siemens/sentry-auth-oidc doesn't work very well with Shibboleth:
  - The scope `openid` is always returned for unauthorized users, which aren't in the given example entitlement `sentry-users`.
  - For that reason the request after authorization is redirected to Sentry instead of directly showing a 403 error page on the identity provider side.
Install

```sh
pip install sentry-auth-oidc-shib
```
Setup steps for usage with Shibboleth
Shibboleth
- Configure `metadata/oidc-client.json`:

```json
{
  "scope": "openid profile email",
  "redirect_uris": ["https://sentry.example.com/auth/sso/"],
  "sector_identifier_uri": "https://sentry.example.com",
  "client_id": "<client-id>",
  "subject_type": "pairwise",
  "client_secret": "<client-secret>",
  "response_types": ["code"],
  "grant_types": ["authorization_code"]
}
```
- Configure `conf/intercept/context-check-intercept-config.xml`:

```xml
<!-- Content of conf/intercept/context-check-intercept-config.xml: the
     context-check intercept only lets the login continue when the resolved
     oidcPermissions attribute contains the value "true" -->
<bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND">
  <constructor-arg>
    <list>
      <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate" p:useUnfilteredAttributes="true">
        <property name="attributeValueMap">
          <map>
            <entry key="oidcPermissions">
              <list>
                <value>true</value>
              </list>
            </entry>
          </map>
        </property>
      </bean>
    </list>
  </constructor-arg>
</bean>
```
- Configure `conf/attribute-resolver.xml`:

```xml
<AttributeDefinition xsi:type="ScriptedAttribute" id="oidcPermissions" dependencyOnly="false">
  <InputDataConnector ref="myLDAP" attributeNames="eduPersonEntitlement"/>
  <Script><![CDATA[
    logger = Java.type("org.slf4j.LoggerFactory").getLogger("edu.internet2.middleware.shibboleth.resolver.Script.eduPersonPrincipalNameSource");
    // Get attribute to add: only for the Sentry relying party, and only when
    // the user holds the sentry-users entitlement from LDAP
    peerEntityId = profileContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").getRelyingPartyId();
    if (peerEntityId.equals("sentry.example.com") && eduPersonEntitlement.getValues().contains("urn:mace:example.com:permission:shibboleth:sentry-users")) {
      logger.info("User can successfully login to " + peerEntityId);
      oidcPermissions.getValues().add("true");
    }
  ]]></Script>
</AttributeDefinition>
```
- Configure `conf/relying-party.xml`:

```xml
<bean parent="RelyingPartyByName" c:relyingPartyIds="sentry.example.com">
  <property name="profileConfigurations">
    <list>
      <bean parent="OIDC.SSO" p:postAuthenticationFlows="#{ {'context-check'} }"/>
      <ref bean="OIDC.UserInfo"/>
    </list>
  </property>
</bean>
```
Sentry
- Configure `sentry/sentry.conf.py`:

```python
OIDC_CLIENT_ID = "<client-id>"
OIDC_CLIENT_SECRET = "<client-secret>"
OIDC_SCOPE = "openid profile email"
OIDC_DOMAIN = "https://shibboleth.example.com"
```
- Configure `sentry/enhance-image.sh`:

```sh
pip install sentry-auth-oidc-shib
```
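The setup above spreads one client identity across four files: `client_id` in `oidc-client.json`, `relyingPartyIds` in `relying-party.xml`, the literal the resolver script compares `getRelyingPartyId()` against, and `OIDC_CLIENT_ID` in `sentry.conf.py`. In Shibboleth's OIDC OP plugin the relying party id is the OIDC `client_id`, so the `<client-id>` placeholder has to be filled with the same value that the XML and the script use (`sentry.example.com` in the example). The two mismatches fail differently: if the resolver literal is wrong, `oidcPermissions` is never produced and the context-check intercept rejects every login (fail closed); if `relyingPartyIds` is wrong, the `OIDC.SSO` override that attaches the `context-check` flow never applies and the entitlement gate is silently skipped (fail open). The following Python script, added here and not part of the sentry-auth-oidc-shib project, cross-checks the four fragments. The embedded fragments are constructed copies of the ones above with the placeholders filled in, `SENTRY_BASE_URL` is an assumed value, and which fields must agree is my own reading of the setup.

```python
"""Consistency check for the Shibboleth + Sentry OIDC setup described above.

Added example, not code from the sentry-auth-oidc-shib project.  The
fragments below are constructed from the README with "<client-id>" filled in
as "sentry.example.com"; the checks encode my own assumptions about which
fields must agree, stated in the comments.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed: metadata/oidc-client.json with placeholders filled in.
OIDC_CLIENT_JSON = """{
  "scope": "openid profile email",
  "redirect_uris": ["https://sentry.example.com/auth/sso/"],
  "sector_identifier_uri": "https://sentry.example.com",
  "client_id": "sentry.example.com",
  "subject_type": "pairwise",
  "client_secret": "constructed-secret",
  "response_types": ["code"],
  "grant_types": ["authorization_code"]
}"""

# Constructed: the relying-party.xml override, wrapped in a <beans> root with
# the Spring namespaces declared so that it parses stand-alone.
RELYING_PARTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="sentry.example.com">
    <property name="profileConfigurations">
      <list>
        <bean parent="OIDC.SSO" p:postAuthenticationFlows="#{ {'context-check'} }"/>
        <ref bean="OIDC.UserInfo"/>
      </list>
    </property>
  </bean>
</beans>"""

# Constructed: the script body of the oidcPermissions ScriptedAttribute.
RESOLVER_SCRIPT = """peerEntityId = profileContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").getRelyingPartyId();
if (peerEntityId.equals("sentry.example.com") && eduPersonEntitlement.getValues().contains("urn:mace:example.com:permission:shibboleth:sentry-users")){
  oidcPermissions.getValues().add("true");
}"""

# Constructed: the values from sentry/sentry.conf.py, plus Sentry's public
# URL (assumed; the README only shows the redirect URI derived from it).
SENTRY_CONF = {
    "OIDC_CLIENT_ID": "sentry.example.com",
    "OIDC_SCOPE": "openid profile email",
    "OIDC_DOMAIN": "https://shibboleth.example.com",
}
SENTRY_BASE_URL = "https://sentry.example.com"

BEANS = "{http://www.springframework.org/schema/beans}"
C_RP_IDS = "{http://www.springframework.org/schema/c}relyingPartyIds"
P_POST_AUTH = "{http://www.springframework.org/schema/p}postAuthenticationFlows"


def check_config(client_json, relying_party_xml, resolver_script, sentry_conf, sentry_base_url):
    """Return a list of problems; an empty list means the four fragments agree."""
    problems = []
    client = json.loads(client_json)
    client_id = client["client_id"]

    # 1. relying-party.xml must name this client_id, otherwise the OIDC.SSO
    #    override (and with it the context-check flow) never applies: fail open.
    root = ET.fromstring(relying_party_xml)
    rp_beans = [b for b in root.iter(BEANS + "bean") if b.get("parent") == "RelyingPartyByName"]
    rp_ids = {i.strip() for b in rp_beans for i in b.get(C_RP_IDS, "").split(",") if i.strip()}
    if client_id not in rp_ids:
        problems.append(f"relying-party.xml relyingPartyIds {sorted(rp_ids)} do not include client_id {client_id!r}")

    # 2. The OIDC.SSO profile for that relying party must run the context-check
    #    intercept; without it the oidcPermissions gate is never evaluated.
    flows = [sso.get(P_POST_AUTH, "") for b in rp_beans
             for sso in b.iter(BEANS + "bean") if sso.get("parent") == "OIDC.SSO"]
    if not any("context-check" in f for f in flows):
        problems.append("OIDC.SSO profile configuration does not list the 'context-check' post-authentication flow")

    # 3. The resolver script compares the relying party id with a literal;
    #    that literal must be the client_id or oidcPermissions is never set.
    m = re.search(r'peerEntityId\.equals\("([^"]+)"\)', resolver_script)
    literal = m.group(1) if m else None
    if literal != client_id:
        problems.append(f"attribute-resolver script compares against {literal!r}, expected {client_id!r}")

    # 4. Sentry must present the same client_id and request the same scopes.
    if sentry_conf.get("OIDC_CLIENT_ID") != client_id:
        problems.append("sentry.conf.py OIDC_CLIENT_ID differs from client_id in oidc-client.json")
    if set(sentry_conf.get("OIDC_SCOPE", "").split()) != set(client["scope"].split()):
        problems.append("sentry.conf.py OIDC_SCOPE differs from the scope registered in oidc-client.json")

    # 5. The registered redirect URI must be Sentry's SSO callback exactly.
    expected_redirect = sentry_base_url.rstrip("/") + "/auth/sso/"
    if expected_redirect not in client.get("redirect_uris", []):
        problems.append(f"redirect_uris do not contain {expected_redirect!r}")

    # 6. Only the authorization code flow should be registered for this client.
    if client.get("response_types") != ["code"] or client.get("grant_types") != ["authorization_code"]:
        problems.append("client is registered for more than the authorization code flow")
    return problems


if __name__ == "__main__":
    found = check_config(OIDC_CLIENT_JSON, RELYING_PARTY_XML, RESOLVER_SCRIPT, SENTRY_CONF, SENTRY_BASE_URL)
    print("\n".join(found) if found else "all four fragments agree")
```

To use it against a real deployment, replace the four constructed constants with the contents of the corresponding files (the XML fragment needs the `<beans>` wrapper with the namespace declarations, as shown, for the parser to resolve the `c:` and `p:` attributes).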
Hashes for sentry_auth_oidc_shib-2.0.0.tar.gz

Algorithm | Hash digest
---|---
SHA256 | c99a09728488f3cad82864bf33a59ec288ef7deef8dbc409cfe5faf2600dc29a
MD5 | a1c5b1b5a80d388b7a886170226d5bdb
BLAKE2b-256 | 02b18c2f6c5bf8371db30ac10209c7568f21d8c1939adee5a6f7871acea17e8c
Hashes for sentry_auth_oidc_shib-2.0.0-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | cff1ddaa826425716eaa4333a356bb0b4f7c093817450d42e1e7f73f5acc9d82
MD5 | 90d2c68ebcac23f5b2d352f67db029ac
BLAKE2b-256 | 02439999e96c643155e8025c5c7804aca77b4f4b9c4e09d9981a269f544a6c71