Redash looking for http version of URL in SAML Callback, https version is supplied leading to 500 error. #5297

Open
ndom91 opened this issue Dec 3, 2020 · 16 comments


@ndom91

ndom91 commented Dec 3, 2020

Issue Summary

So I'm trying to set up SAML Auth via G Suite. I've set up the app there and in the Redash settings and everything looks fine; however, whenever I try to "Test SAML Auth" from Google's side I land at my Redash domain and get a 500 Error.

I check the logs from the redash server container and see the following:

[2020-12-03 15:17:14,104][PID:15][ERROR][saml2.response] https://redash.company.com/saml/callback?org_slug=default not in ['http://redash.company.com/saml/callback?org_slug=default']
[2020-12-03 15:17:14,105] ERROR in app: Exception on /saml/callback [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python2.7/site-packages/flask_restful/__init__.py", line 271, in error_router
    return original_handler(e)
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/app/redash/authentication/saml_auth.py", line 79, in idp_initiated
    authn_response.get_identity()
AttributeError: 'NoneType' object has no attribute 'get_identity'
[2020-12-03 15:17:14,105][PID:15][INFO][metrics] method=POST path=/saml/callback endpoint=saml_auth_idp_initiated status=500 content_type=? content_length=-1 duration=40.00 query_count=2 query_duration=3.13
[2020-12-03 15:17:14,265][PID:10][INFO][metrics] method=GET path=/favicon.ico endpoint=redash_index status=200 content_type=text/html; charset=utf-8 content_length=1441 duration=0.73 query_count=2 query_dur

As you can see, the URL it's looking for technically is in that array. Just the http version, not https.

Technical details:

  • Redash Version: 8.0.2+b37747
  • Browser/OS: Linux Chrome 86
  • How did you install Redash: Docker Containers
@jhult
Contributor

jhult commented Dec 18, 2020

Try setting the environment value REDASH_SAML_SCHEME_OVERRIDE to https.

From here,

If Redash is behind a proxy it might sometimes receive a X-Forwarded-Proto of HTTP even if your actual Redash URL scheme is HTTPS. This will cause Flask to build the SAML redirect URL incorrect thus failing auth. This is especially common if you're behind a SSL/TCP configured AWS ELB or similar. This setting will force the URL scheme.
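
A minimal model of the scheme mismatch described in this comment, added here as an illustration; it is not Redash, Flask or pysaml2 code. The function names and the sample request are constructed for the example, while the hostname and callback path are the ones in the log at the top of this issue.

```python
from urllib.parse import urlsplit, urlunsplit

def effective_scheme(environ, trust_forwarded=True, scheme_override=None):
    """Scheme the app will put in its own SAML callback URL."""
    if scheme_override:                       # operator-forced value, e.g. "https"
        return scheme_override
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if trust_forwarded and forwarded:
        return forwarded.split(",")[0].strip().lower()   # use the first listed value
    return environ.get("wsgi.url_scheme", "http")

def callback_url(environ, scheme_override=None):
    """Rebuild the callback URL the way a WSGI app behind a proxy sees the request."""
    return urlunsplit((effective_scheme(environ, scheme_override=scheme_override),
                       environ["HTTP_HOST"], environ["PATH_INFO"],
                       environ.get("QUERY_STRING", ""), ""))

def destination_mismatch(destination, expected):
    """Return the URL components that differ; an empty list means the check passes."""
    d, e = urlsplit(destination), urlsplit(expected)
    names = ("scheme", "netloc", "path", "query")
    return [n for n in names if getattr(d, n) != getattr(e, n)]

# Constructed request: TLS ends at the load balancer, the app is reached over plain HTTP.
BEHIND_LB = {
    "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_PROTO": "http",
    "HTTP_HOST": "redash.company.com",
    "PATH_INFO": "/saml/callback",
    "QUERY_STRING": "org_slug=default",
}
# Destination carried in the IdP response (value taken from the log in this issue).
IDP_DESTINATION = "https://redash.company.com/saml/callback?org_slug=default"

if __name__ == "__main__":
    for override in (None, "https"):
        url = callback_url(BEHIND_LB, scheme_override=override)
        print(override, url, destination_mismatch(IDP_DESTINATION, url))
```

A result of `["scheme"]` points at the proxy or TLS-offload setup; a difference in `netloc` or `path` means the response was addressed to a different endpoint and is a separate problem from the one the override addresses.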

@jhult
Contributor

jhult commented Dec 18, 2020

Also see this pull request: #3614

@ndom91
Author

ndom91 commented Dec 19, 2020

@jhult thanks for the info. I'm running redash via the docker-compose method in the docs, I've updated the mentioned env value, however it still seems to be looking for the http URL. I can see the new env value in the redash_server_1 container as well. Am I missing anything else?

I updated the env file, took down the containers and ran docker-compose up -d again.

@cormorando

I encountered the same issue.
Added REDASH_SAML_SCHEME_OVERRIDE=https to /opt/redash/env and rebooted.
Then ran sudo docker exec redash_server_1 bash -c 'echo "$REDASH_SAML_SCHEME_OVERRIDE"' and variable is present
so I checked sudo docker exec -it redash_server_1 python manage.py shell

>>> from redash import settings
>>> print(settings.SAML_SCHEME_OVERRIDE)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
AttributeError: 'module' object has no attribute 'SAML_SCHEME_OVERRIDE'

Env variable is not imported? Others are there. How to fix this?

@cormorando

I found what the issue is. @jhult the code you mentioned is in v9.0.0-beta and all AMIs in docs use v8.0.0. Do you provide AMI with v9.0.0-beta? Or should I set it up by myself?

@ndom91 you're probably using v8 too so setting this env var has no right to work

@jhult
Contributor

jhult commented Jan 12, 2021

Sorry, I don't know if an AMI is provided for v9.0.0-beta. I'm just another user that found that config. I actually use the Helm chart with the latest Redash version.

@ndom91
Author

ndom91 commented Jan 16, 2021

@cormorando you're right. I was still on v8. Upgraded to v9-beta and now that error is gone, however I'm still getting errors regarding saml2.sigver.SignatureError: Signature missing for assertion.

I'm trying to use Google as SAML provider btw, not Okta or Auth0. Also I noticed in the docs there's now apparently support for Google OAuth, but I don't see that in my settings using v9.0.0-beta.

@jcolinger3

Wondering about the Google OAuth as well. I don't see it. Is it included in Community?

@susodapop
Contributor

Redash should work with any SAML 2.0 provider. Google login also works. There's no difference between the OSS and paid versions in this regard.

@jcolinger3

Our Settings looks nothing like these options in the doc link below... we are using Version: 8.0.0+b32245

https://redash.io/help/user-guide/users/authentication-options

Our options. And when SAML is checked the Meta, Entity, and Name input fields show up. Nothing about Google Domains.
image

@griffinator76

@jcolinger3 If you look closely the screenshot in the online docs says "Redash 4.0.0" at the bottom, not sure what's going on there but anyway yes Google OAuth does work with Redash 8.x community version as I've set it up several times.

@ndom91 @cormorando your issue sounds like it might be the same as this one #4048 (which was for an older version of Redash but I think may still be valid for version 8).

@ndom91
Author

ndom91 commented Mar 19, 2021

@griffinator76 where are you seeing options to set up Google OAuth in the community edition?

I'm running v9.0.0-beta and don't see it anywhere 🤔

image

@griffinator76

Hi @ndom91 I can't speak to the v9 beta as I am running the v8 release but to get Google authentication working I have used the following:

  1. Follow these steps to set up a Google Developer account (if you don't already have a GCS account) and generate some credentials https://redash.io/help/open-source/admin-guide/google-developer-account-setup

  2. Complete the steps under "Google OAuth Setup" setup here: https://redash.io/help/open-source/setup#other

The above works for me as I'm running the AWS EC2 image that uses this docker setup. If you have a bespoke deployment e.g. Kubernetes then you might need further steps.

Note you need to have published your Redash instance publicly on the web and secured it with HTTPS for this to work.

@griffinator76

@ndom91 note that the above doesn't involve using the SAML settings.

@arikfr
Member

arikfr commented Apr 3, 2023

This is not related to the issue, but I assume that the issue author or followers might have SAML enabled for their deployment and should be aware of the following Security Advisory: #5961. This affects all Redash versions and should be patched immediately.

@fedeostrit

Hi everyone, is there a way to do this using the community helm chart that currently uses the redash image 10.0.0.b50363? I don't know if this solution to use the "REDASH_SAML_SCHEME_OVERRIDE" works for Google OAuth, since the same problem occurs when you use Redash with Google OAuth with an AWS NLB in front of the solution to do SSL offload.
