Azure Active Directory SSO

Installation

  1. Log in to the Azure portal.

  2. Under "Manage Azure Active Directory" (the picture of the shield), click "View". This takes you to the Organization Overview page.

  3. If you don't require a permission group for Sentry, skip to Step 5.

  4. In the search bar, search for "Groups" then navigate to it. From there, create a new group, add an owner and members to the group. Set "Group type" to Office 365. For more details about group creation, see the Azure docs.

  5. Return to the Overview page. In the search bar, enter Enterprise Applications and navigate to it. Click "+ New application". Search for Sentry to create the application for Sentry.

    Sentry in Azure Gallery

  6. Once the application is created, you'll be directed to Sentry - Overview.

    Sentry Overview

  7. Click on "1. Assign users and groups", then "+ Add user". Add yourself and the group you've created to the Sentry app. Click "Assign".

  8. Navigate back to Overview, click on "2. Set up single sign-on" and then select SAML as your single sign-on method.

  9. For Section (1), labeled "Basic SAML Configuration", enter the following data in each line and save your changes.

    • Identifier (Entity ID): https://sentry.io/saml/metadata/YOUR_ORG_SLUG/

    • Reply URL (Assertion Consumer Service URL): https://sentry.io/saml/acs/YOUR_ORG_SLUG/

    • Sign on URL: https://sentry.io/auth/login/YOUR_ORG_SLUG/

    • Relay State: https://sentry.io/YOUR_ORG_SLUG/

    • Logout URL: https://sentry.io/saml/sls/YOUR_ORG_SLUG/

    SAML Configuration

  10. In Section (3), labeled "SAML Signing Certificate", copy the "App Federation Metadata URL".

    SAML Signing Certificate

  11. Navigate to your Org Settings > Auth (or go to https://sentry.io/settings/YOUR_ORG_SLUG/auth/) and click on "Configure" for Active Directory.

  12. Paste the App Federation Metadata URL from above and click "Get Metadata".

  13. In the next page, enter the following keys in their respective fields to map the attributes from AzureAD to Sentry, and then save them.

    • IdP User ID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    • User Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    • First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

    • Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

      For more details about mappings for custom configs, see The Role of Claims.

    Map Identity with provider attributes

  14. Sentry will attempt to authenticate and link your account with Azure. After successful authentication, you'll be redirected to Sentry's SSO configuration page, where you can take the following actions:

    • You can share the "Login URL" value, which will be used for SP-initiated SSO, with the users in your organization.

    • Scroll down to the bottom and ensure that "Require SSO" is checked if you want to enforce logging in with Okta.

    • Set a "Default Role" for new SSO users. Selecting "Member" should cover most use-cases.

    • If you made changes, click "Save Settings" to complete your setup.

You can edit this page on GitHub.