Single Sign-On (SSO)¶
Single Sign-On (or SSO) allows you to manage your organization’s entire membership via a third party provider.
Before you get around to actually turning on SSO, you’ll want to keep in mind that once it’s activated, all existing users will need to link their account before they are able to continue using Sentry. Because of that we recommend coordinating with your team during off-peak hours. That said, it’s super quick to link accounts, so we don’t consider it a true hurdle.
SSO is not available on certain grandfathered plans.
With that out of the way, head on over to your organization home. You’ll see an “Auth” link in the sidebar. Start by hitting that, and then continue to the “Configure” link next to provider you wish to configure.
Additionally we’ll automatically send each pre-existing member an email with instructions on linking their account. This will happen automatically once SSO is successfully configured. Even if they dont click the link, the next time they try to hit any page within the organization we’ll require them to link their account (with the same auth flow you just went through).
Every member who creates a new account via SSO will be given global organization access with a member role. This means that they can access events from any team, but they won’t be able to create new projects or administer current ones.
Our SSO implementation prioritizes security. We aggressively monitor linked accounts and will disable them within any reasonable sign that the account’s access may have been revoked. Generally this will be transparent to you, but if the provider is functioning in an unexpected way you may experience more frequent re-authorization requests.
Google Business App¶
Enabling the Google integration will ask you to authenticate against a Google
Apps account. Once done, membership will be restricted to only members of the
given Apps domain (i.e.
The GitHub integration will authenticate against all organizations, and once complete prompt you for the organization which you wish to restrict access by.
Currently GitHub Enterprise is not supported. If your company needs support for GE, let us know.
SAML2 Identity Provider¶
Sentry provides SAML2 based authentication which may be configured manually using the generic SAML2 provider, or a specific provider which provides defaults specific to that identity provider.
Sentry supports the following SAML services:
- Identity and Service Provider initiated SSO
- Identity Provider initiated SLO (Single Logout)
Sentry’s Assertion Consumer Service uses the HTTP-POST bindings.
Sentry’s SAML endpints are as follows, where the
substituted for your organization slug:
SAML2 SSO requires an Enterprise Plan.
In your OneLogin dashboard locate the Sentry app in the app catalog and add it to your organization.
As part of OneLogin SSO configuration, you must to provide the OneLogin identity provider issuer URL to Sentry. This URL is specific to your OneLogin account and can be found under the ‘SSO’ tab on the Sentry OneLogin application configuration page.
You may refer to the OneLogin documentation for more detailed setup instructions.
In your Okta admin dashboard locate the Sentry app in the Okta Application Network and add it to your organization.
As part of the Okta SSO configuration, you must provide the Okta Identity Provider metadata to Sentry. This URL can be located under the Sign-On Methods SAML2 settings panel, look for the ‘Identity Provider metadata’ link which can may right click and copy link address.
You may refer to the Okta documentation for more detailed setup instructions.
In your Auth0 dashboard locate the Sentry app under the SSO Integrations page and add it to your organization.
As part of the Auth0 SSO configuration, you must provide the Auth0 Identity Provider metadata to Sentry. This URL is available under the Tutorial tab of the Sentry SSO integration.
In your Rippling admin dashboard locate the Sentry app in the list of suggested apps and select it.
When prompted with the Rippling Metadata URL, copy this into the Sentry Rippling provider configuration. You will have to complete the Rippling application configuration before completing the sentry provider configuration.