Configure ReDash with ADFS - sso

We are using ADFS 5. We have added our SAML information in Redash and configured AD FS with the ReDash callback information. Once I click the SAML login on the Redash page, we are redirected to an error page.

We have EmailAddress set as the NameID.

Has anyone seen this before? I have personally never seen this before.

“The SAML protocol message cannot be read because it contains data that is not valid.”

What do you see in your Redash logs? Have you checked that your SAML metadata file is valid?

The logs look fine. It looks like it's configured correctly. Yes, the SAML metadata file is valid. It's being used by other applications.

I was able to get it working. In the name ID, I had EmailAddress instead of the SAML format.

Now I get another error.

We entered the SAML information for SAML Metadata URL, SAML Entity ID and SAML NameID Format. We are directed to our login page. Once I log in, we get this message.

  • Error details: MSIS7085: The server requires a signed SAML authentication request but no signature is present.

The signed SAML authentication request is currently set to false but it still comes up.

Any ideas?

What if you set it to true?

I did set it to True and the same message comes up. Do you know anyone that has ReDash working with ADFS?

I removed the ReDash configuration within ADFS and the error message “The server requires a signed SAML authentication request but no signature is present.” comes up anyway. I also did set the SAML authentication request at the ADFS level to True (false by default) and the error message still comes up.

Thank you for your responses! Bumping the thread, as we’ve been unable to solve this so far. Any further ideas @k4s1m?

Are you using self-hosted? What do your logs show? If you’re using app.redash.io you can check with their support.

Another common culprit is to have the incorrect groups configured for your users.

Also double check that the SAMLNameID you entered in Redash matches the one shown in your metadata file.

Hello,

Yes we are self hosted. This is what the logs show.

Exception details:
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureVerificationException: MSIS7085: The server requires a signed SAML authentication request but no signature is present.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Exception details:
MSIS7085: The server requires a signed SAML authentication request but no signature is present.

This request failed.

User Action
Verify that the message issuer configuration in the AD FS configuration database is up to date.
Configure the signing certificate for the specified issuer.
Verify that the issuer’s certificate is up to date.
Verify the issuer and server message signing requirements.

We did not configure any groups. The SAML NameID is working because I am able to sign into Redash using IdP-initiated login. I would like to see this working using SP-initiated login.

I think this could be an issue with the NGINX configuration. You mentioned you can log in from your IdP. What happens when you click “SAML Login” from the Redash login page?

Hey @k4s1m, thanks again. When logging in through the SAML login button we are redirected to our IdP authentication page OK. Authentication with ADFS is successful once we enter our credentials; however, the IdP throws an error at that point that states:

  • Error details: MSIS7085: The server requires a signed SAML authentication request but no signature is present.

You mentioned this could be an nginx configuration problem. What kind of nginx config options are you thinking about here? Here’s the nginx config from inside the container:

root@4f5fcd1a3b0b:/# more /etc/nginx/nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

root@4f5fcd1a3b0b:/etc/nginx# more conf.d/default.conf
upstream redash {
  server redash:5000;
}

server {
  listen   80 default;

  gzip on;
  gzip_types *;
  gzip_proxied any;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

    proxy_pass       http://redash;
  }
}

Thanks for that. I doubt NGINX is the culprit. I’ve seen it before where clicking SAML Login on the Redash login screen resulted in a 500 error because of an outdated NGINX version. But it sounds like this button properly routes you to the IDP. No dice.

Do I understand the warning correctly? Is Microsoft expecting Redash to send a signed request? Or is Redash expecting Microsoft to send a signed request?

Sorry for the slow response.

Is Microsoft expecting Redash to send a signed request?

The way I understand it, Microsoft is expecting the server to send signed requests, but it’s not, or it’s not able to recognize it as a signed request. There is a way to turn off this requirement on the ADFS side, but I believe we’ve tried this and it didn’t change the outcome.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/88394bb2-9dad-45fd-8dfa-60155d2af37c/msis1015-server-required-signed-saml-authenticationrequest-but-no-signature-present?forum=Geneva
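To see concretely what ADFS is complaining about, the following added diagnostic (not code from this thread or from Redash) decodes the HTTP-Redirect AuthnRequest an SP sends when "SAML Login" is clicked and reports the requested NameID format and whether any signature is present. The sample request, the redash.example.com and adfs.example.com hostnames and the callback path are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, unsigned AuthnRequest such as an SP might send; hostnames are placeholders.
SAMPLE_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0"
  IssueInstant="2020-01-01T00:00:00Z"
  AssertionConsumerServiceURL="https://redash.example.com/saml/callback">
  <saml:Issuer>https://redash.example.com/saml/callback</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    AllowCreate="true"/>
</samlp:AuthnRequest>"""

def encode_redirect_request(xml: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml) + comp.flush()).decode()

def decode_redirect_request(b64: str) -> bytes:
    return zlib.decompress(base64.b64decode(b64), -15)

def build_redirect_url(idp_sso_url: str, xml: bytes, relay_state: str = "/") -> str:
    """The URL the browser is sent to on 'SAML Login' (unsigned variant)."""
    query = urlencode({"SAMLRequest": encode_redirect_request(xml), "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"

def inspect_authn_request(url: str) -> dict:
    """Report the fields an IdP checks before issuing a response."""
    qs = parse_qs(urlparse(url).query)
    root = ET.fromstring(decode_redirect_request(qs["SAMLRequest"][0]))
    issuer = root.find("saml:Issuer", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        # Redirect binding carries the signature in SigAlg/Signature query parameters;
        # a ds:Signature inside the XML only appears with the HTTP-POST binding.
        "query_signed": "Signature" in qs and "SigAlg" in qs,
        "xml_signed": root.find("ds:Signature", NS) is not None,
    }
```

Paste the real URL your browser is redirected to into inspect_authn_request: if both query_signed and xml_signed are False, the SP is sending an unsigned request and ADFS's SignedSamlRequestsRequired setting for that relying party is what MSIS7085 is enforcing.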

Any update on this? We have a very similar error.

We did not get anywhere on this, I’m afraid. Let us know if you find a solution!