Issue Summary

Does anyone have SAML setup/configuration success stories with Redash? Specifically, we’d like to tie this into Okta, but the various configs we shoved into both sides never seemed to line up and work - auth failures every time. I don’t have specific messages any more, but I’m pretty sure it was just Failed to parse SAML response (which was the generic message with saml_client.parse_authn_request_response()). Trying to glean some sort of info with a SAML parser in the browser, it seemed like the XML response was showing good stuff, it was just the Redash code not being happy with it (undoubtedly because of a configuration issue).

Anyway, if someone is using this and just knows it works, it would be great to hear. If someone has a config/setup they’re willing to share, even better. All the previous SAML posts have been met with silence or dead links.

Technical details:

  • Redash Version: v5.0.2
  • How did you install Redash: Pre-built docker image

I know others managed to use Redash with Okta, so it should be possible.

As callback URL use: {your redash base url}/saml/callback

Some additional settings:

  • Name ID Format: EmailAddress
  • Application Username: Email

And you need to set the following attribute statements:

Thanks for that - that looks like what we’d tried, but I’ll have to double-check once I’m in the office. Still, if anyone has a “known good” setup they’d like to share, it would be great to see. If we figure this out, we’ll certainly post here, at least.

I was able to successfully connect Redash and Okta this afternoon. I made a three minute video showing how I did it. Overall it was straightforward. Link to video here. I’ll submit a PR to update the documentation as well.

The documentation has been updated with instructions for configuring Okta here.

Hi @jesse – IT and I sat down, watched your video and followed the steps – we set up entries for Redash inside Okta and input them into Settings as env vars, and are pretty sure we got the 3 fields right (SAML Metadata URL, SAML Entity ID, SAML NameID Format). But, on attempted SAML Login, we are getting a 405 “Method Not Allowed”. Any hints? We’re stuck at this point after googling around. Have tried the basics (restarted Redash, etc).

@jesse – bump, could you share any advice on what we can try for this? Thank you!

Which server gives you the 405 error? Redash or Okta?

Looks like Redash. We are self-hosted on the IP and port below. Below is from the Chrome console.

1. Request URL: http://10.14.40.13:5000/
2. Request Method: POST
3. Status Code: 405 METHOD NOT ALLOWED

This POST call is after a GET against our okta request URL.

I think the issue is Okta can’t reach your Redash installation. Any 10.xx IP address points back at the local subnet. So when Okta tries to redirect back to Redash the traffic never leaves Okta’s network. Your Redash instance must be accessible over the internet outside your firewall for Okta (or any SAML provider) to work correctly.

From subsequent posts it appears this is not the case.


Ohhh. Thank you. That’s super helpful.

Problem resolved!

Long story short, the Okta config was wrong; the correct single sign on URL and audience URI should be http://10.14.40.13:5000/saml/callback?org_slug=default <-- once we corrected to this in Okta, SSO worked.

Our history:

  1. We initially configured Okta with URL http://10.14.40.13:5000/ WITHOUT /saml/callback – the https://redash.io/help/user-guide/users/authentication-options docs had it and we omitted it by mistake. This caused the 405 method not allowed error since the root path didn’t support a POST call.
  2. We then added /saml/callback – this caused a 500 Internal Server Error. Consulting the redash server log, we found this line [2020-01-08 17:53:03,781][PID:99][ERROR][saml2.response] http://10.14.40.13:5000/saml/callback not in ['http://10.14.40.13:5000/saml/callback?org_slug=default']. Adding the query param resolved all our problems.

Thanks for attending to us.


Has anyone successfully configured self-hosted Redash with ADFS? I have been struggling for a while now to get to the exact root cause.

Thank you. This response helped me configure Okta correctly.


This worked for me within Okta. Here’s the image of our setup:

Thank you.


Hello @grv231. Did you get Redash working with ADFS?

It took some effort, but yeah, I was able to set up SSO using AD with Redash correctly for an on-prem setup.

I recently set up SSO for a Redash server. In my case, I am using Azure AD as the IdP, and Redash in a self-hosted environment.

Maybe my solution can help other people.

Changes from Redash UI:

  1. SAML Metadata URL : https://login.microsoftonline.com/823yyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyy/federationmetadata/2007-06/federationmetadata.xml?appid=avbdgh-aaaa-aaaa-aaaa-aaaaaaaa
  2. SAML Entity ID : avbdgh-aaaa-aaaa-aaaa-aaaaaaaa
  3. SAML NameID Format : urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Note: In your case Directory and appid will be different (i.e. Point No. 1 & 2)

Changes from Redash Backend: Update the "redash/authentication/saml_auth.py" file

This line was giving me an error: authn_response.ava["FirstName"][0]
I replaced the old code with this new code, i.e. name = email.split(".")[0], which solved my problem.

Vaibhav
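
The two failures diagnosed in this thread (the `saml2.response` "not in [...]" destination error, and the missing `FirstName` attribute) can be checked offline against a captured SAMLResponse. This is an added example, not code from the thread or from Redash: `diagnose` and `make_response` are hypothetical helpers, the response is constructed and unsigned, and the exact string comparison is assumed from the log line quoted above.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ACS = ["http://10.14.40.13:5000/saml/callback?org_slug=default"]  # from the thread

def diagnose(saml_response_b64, acs_urls, required_attrs=("FirstName",)):
    """Return a list of problems; an empty list means both checks pass."""
    # Use only on responses captured from your own IdP: ElementTree is not a
    # hardened parser, and this does not verify the signature.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    # Check 1: Destination must equal an SP endpoint as an exact string,
    # so a missing path or a missing query string both fail.
    dest = root.get("Destination", "")
    if dest not in acs_urls:
        d = urlsplit(dest)
        for acs in acs_urls:
            a = urlsplit(acs)
            if (d.scheme, d.netloc) != (a.scheme, a.netloc):
                why = "scheme/host differs"
            elif d.path != a.path:
                why = f"path {d.path!r} should be {a.path!r}"
            else:
                why = f"query {d.query!r} should be {a.query!r}"
            problems.append(f"Destination {dest} != {acs}: {why}")
    # Check 2: every attribute the SP reads must be sent by the IdP.
    present = {a.get("Name") for a in root.iter(f"{{{SAML}}}Attribute")}
    for name in required_attrs:
        if name not in present:
            problems.append(f"missing attribute statement: {name}")
    return problems

def make_response(destination, attrs):
    """Build a constructed, unsigned SAMLResponse for the demo."""
    stmts = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        f'</saml:Attribute>' for n, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'Destination="{destination}"><saml:Assertion><saml:AttributeStatement>'
           f'{stmts}</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    bad = make_response("http://10.14.40.13:5000/saml/callback", {"LastName": "Doe"})
    print("\n".join(diagnose(bad, ACS)))
```

The destination comparison is a security check on the service provider side, so the fix belongs in the IdP configuration (single sign-on URL and attribute statements) rather than in relaxing the check.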