SAML, Keycloak and HTTPS

Issue Summary

I have a keycloak server running at https://myhost.co.uk/auth and a redash server at https://redash.myhost.co.uk. The services sit behind an nginx reverse proxy, which handles all the ssl.

Previously I’ve set up a dev server with SAML authentication between the two services without https and could successfully log in (Following these extremely useful steps: [saml] Signature missing for assertion · Issue #2977 · getredash/redash · GitHub).

Now for my production server I need to enforce https. When I go to login the auth request made by redash looks like this:

<ns0:AuthnRequest 
        xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" 
        xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" 
        AssertionConsumerServiceURL="http://redash.myhost.co.uk/saml/callback?org_slug=default" 
        Destination="https://myhost.co.uk/auth/realms/master/protocol/saml" 
        ID="id-someId" 
        IssueInstant="2022-01-06T17:23:06Z" 
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
        Version="2.0"
>
        <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">redash</ns1:Issuer>
        <ns0:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</ns0:AuthnRequest>

This results in keycloak displaying invalid_redirect_uri and i’m unable to login.

This makes sense, Keycloak should only be able to redirect to https://redash.myhost.co.uk/saml/callback?org_slug=default but the AssertionConsumerServiceURL above is http://redash.myhost.co.uk/saml/callback?org_slug=default

Is there a way to tell redash to send https in the authentication request?

Technical details:

  • Redash Version: 8.0.0+b32245 (a16f551e)
  • Browser/OS: google chrome Version 96.0.4664.110 (Official Build) (64-bit)/Ubuntu 20.04
  • How did you install Redash: Docker-compose

Aha, I think I fixed it. In the docker-compose I added the environment variable to the server:

REDASH_ENFORCE_HTTPS: "true"

Also in my nginx config I was missing a few headers, editing it so it matches the config on this page makes it work: