Single Sign-On (SSO) lets your team authenticate to Sentry using your existing identity provider instead of managing separate passwords. SCIM extends SSO by automatically provisioning and deprovisioning members in Sentry when you add or remove them in your IdP.
SSO requires the Business plan or higher. SAML2-based SSO (required for SCIM) is included in the Business plan. GitHub and Google OAuth providers are available on lower tiers.

Supported identity providers

  • Okta: Full SAML2 and SCIM support
  • Azure AD / Microsoft Entra: Full SAML2 and SCIM support
  • Auth0: SAML2 support
  • OneLogin: SAML2 support
  • Google Workspace: OAuth2 support
  • GitHub: OAuth2 support

Setting up SSO

1. Open Auth settings

Go to Settings > Auth. You’ll see a list of available authentication providers.
2. Choose your provider

Click Configure next to your identity provider. If you’re using SAML2, Sentry will display the metadata values you need to configure on your IdP side:
  • Entity ID (also called Issuer or Audience URI)
  • ACS URL (Assertion Consumer Service URL)
  • Single Logout URL
Copy these values into your IdP’s SAML application configuration.
3. Enter your IdP metadata

After configuring your IdP app, copy the following values from your IdP and enter them in Sentry:
  • Metadata URL or IdP Entity ID
  • SSO URL (your IdP’s sign-in endpoint)
  • X.509 Certificate
4. Test the connection

Click Save and then use the Test Configuration button to verify the SAML handshake works before enforcing SSO for your team.
5. Enable SSO enforcement (optional)

Turn on Require SSO to disable password-based login for all organization members. Once enabled, members must authenticate through your IdP to access Sentry. Existing sessions will be invalidated.
Make sure SSO is working correctly before enabling enforcement. If your IdP goes down while enforcement is on, members won’t be able to log in. Keep at least one owner account with a working fallback.

SSO enforcement behavior

When Require SSO is enabled:
  • New members can only join via your IdP or by invitation from an existing owner.
  • Members who try to log in with a password are redirected to the SSO login flow.
  • Members who are removed from your IdP lose access to Sentry on their next session expiry (or immediately if you use SCIM to deprovision them).

Setting up SCIM

SCIM (System for Cross-domain Identity Management) uses a standardized API to let your IdP automatically create, update, and deactivate Sentry organization members.
SCIM requires SAML2 SSO to already be configured and active.
1. Enable SCIM

Go to Settings > Auth and click Enable SCIM under your configured SAML2 provider.
2. Copy the SCIM token and base URL

Sentry generates a SCIM Bearer token and displays the base URL for your SCIM endpoints. Copy both values — you’ll need them to configure your IdP.
Field | Value
SCIM Base URL | https://sentry.io/api/0/organizations/{org-slug}/scim/v2/
Bearer Token | Generated on this page
3. Configure SCIM in your IdP

In your IdP’s SCIM configuration, enter:
  • The SCIM base URL from the previous step
  • The Bearer token as the API authentication token
  • Set Authentication Mode to HTTP Header
Your IdP will start syncing users and groups using the endpoints listed below.

SCIM endpoints

Resource | Endpoint
List / create members | GET / POST /api/0/organizations/{org}/scim/v2/Users
Get / update / delete a member | GET / PATCH / DELETE /api/0/organizations/{org}/scim/v2/Users/{id}
List / create teams | GET / POST /api/0/organizations/{org}/scim/v2/Groups
Get / update / delete a team | GET / PATCH / DELETE /api/0/organizations/{org}/scim/v2/Groups/{id}
List supported schemas | GET /api/0/organizations/{org}/scim/v2/Schemas

SCIM behavior

  • Provisioning — When you assign a user to your Sentry SCIM app in your IdP, Sentry sends them an invitation email. The member is not active until they accept the invitation.
  • Deprovisioning — When you unassign or deactivate a user in your IdP, Sentry immediately deactivates their membership in your organization.
  • Groups — SCIM group sync maps IdP groups to Sentry teams. Creating a group in your IdP creates a corresponding team in Sentry.
Rotate your SCIM token periodically. You can generate a new one from Settings > Auth without disrupting SSO — update the new token in your IdP before revoking the old one.
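
An added example (not Sentry's own code) for verifying the deprovisioning behavior described above: it compares a SCIM Users listing with the users assigned in your IdP and reports accounts still active in Sentry that the IdP no longer has. The response shape and the startIndex/count parameters follow RFC 7644 and are assumed to apply to this endpoint; the sample response and roster are constructed.

```python
import json
import urllib.request

# Base URL pattern from the table above; {org} is your organization slug.
BASE = "https://sentry.io/api/0/organizations/{org}/scim/v2/"

def users_request(org, token, start_index=1, count=100):
    """Build (without sending) a GET for one page of the Users endpoint.
    startIndex/count are RFC 7644 pagination parameters (assumed supported)."""
    url = f"{BASE.format(org=org)}Users?startIndex={start_index}&count={count}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

def active_members(list_response):
    """Lower-cased userNames of members not marked inactive in a ListResponse."""
    return {r["userName"].lower()
            for r in list_response.get("Resources", [])
            if r.get("active", True)}  # a missing flag is treated as active

def reconcile(list_response, idp_roster):
    """Compare Sentry's SCIM view with the set of users assigned in the IdP."""
    roster = {u.lower() for u in idp_roster}
    sentry = active_members(list_response)
    return {
        "orphaned": sorted(sentry - roster),  # active in Sentry, not assigned in IdP
        "missing": sorted(roster - sentry),   # assigned in IdP, not active in Sentry
    }

# Constructed sample response (RFC 7644 ListResponse shape), not real data.
SAMPLE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3, "startIndex": 1, "itemsPerPage": 3,
  "Resources": [
    {"id": "101", "userName": "Alice@Example.com", "active": true},
    {"id": "102", "userName": "bob@example.com", "active": true},
    {"id": "103", "userName": "dave@example.com", "active": false}
  ]
}
""")

if __name__ == "__main__":
    # Constructed IdP roster: the users currently assigned to the Sentry app.
    print(reconcile(SAMPLE, ["alice@example.com", "carol@example.com"]))
```

When running this against a live organization, read the Bearer token from an environment variable or secret store rather than embedding it in the script.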