Azure AD - Dynamic SAML not working

Issue Summary

Users cannot authenticate with Azure as the IDP (SAML) to our Redash Instance when they select ‘SAML Login’ from the main login screen. We receive an error stating that we may have sent your authentication request to the wrong tenant. The organization name of our Redash instance is correct, we’ve checked the organizations table. The strange thing is though, that when going to office.com and selecting the Redash app the login with SAML does work. We are out of options and SAML login is a critical feature for us, any help is highly appreciated.

image

Azure Signin Error Details:

Error Code: 700016

Message: Application with identifier ‘{appIdentifier}’ was not found in the directory ‘{tenantName}’. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

Action: The application wasn’t found in the directory/tenant. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have misconfigured the identifier value for the application or sent your authentication request to the wrong tenant. Check to make sure that the application (client) ID and tenant ID configured in your code matches the application’s registration in Azure AD.

Technical details:

  • Redash Version: 10.1.0
  • Browser/OS: Edge/Firefox
  • How did you install Redash: Installed in Kubernetes using the official helm chart

What settings did you use to configure SAML in Redash? So far this looks like an issue with AD.

The SAML config in Redash looks fine. I also think it is an issue in Azure AD but no matter what we try we can’t get this to work.

In Azure, I created an Enterprise Application and Set up Single Sign-On with SAML.
The Identifier (Entity ID) & Reply URL are configured. Anyone here that could post a screenshot of how the Basic SAML Configuration should look like that would be great.

Hi, were you able to make this work?