
SAML: Don't require signed assertions

Open unixwitch opened this issue 7 years ago • 3 comments

Currently Redash requires signed SAML assertions. This is mostly legacy functionality, and isn't needed when the response itself is signed. Most IdPs will not sign assertions by default (requiring special configuration), but will sign the response, as that's what the vast majority of SPs expect.

In saml_auth.py:

```python
'want_assertions_signed': True,
'want_response_signed': False,
```

This should probably be reversed:

```python
'want_assertions_signed': False,
'want_response_signed': True,
```

unixwitch avatar Mar 13 '17 14:03 unixwitch
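As an added example that is not part of the original post or of Redash's own code: a small startup check that classifies which SAML artefacts a pysaml2-style SP configuration insists are signed, and rejects the one combination that must never ship (neither the response nor the assertions required to be signed). The `want_assertions_signed` and `want_response_signed` keys are the pysaml2 settings named in the post; the `service`/`sp` nesting, the function names and the three sample dicts are assumptions constructed for illustration.

```python
# Added example (not Redash's or pysaml2's own code): classify the signature
# requirements of a pysaml2-style SP configuration and reject a configuration
# that accepts unsigned responses AND unsigned assertions.  The two keys are
# the pysaml2 settings the issue discusses; the nesting under
# config['service']['sp'] and the sample configs are constructed assumptions.

def signing_policy(sp_config):
    """Return which SAML artefacts the SP insists are signed.

    sp_config is the 'sp' section of a pysaml2 config.  Missing keys are
    treated as False so a policy is never inferred from something unset.
    """
    want_assertions = bool(sp_config.get('want_assertions_signed', False))
    want_response = bool(sp_config.get('want_response_signed', False))
    if want_assertions and want_response:
        return 'both'
    if want_response:
        return 'response'
    if want_assertions:
        return 'assertions'
    return 'none'


def check_sp_signing(config):
    """Raise ValueError when the SP config requires no signature anywhere.

    Accepts a full config dict ({'service': {'sp': {...}}}, an assumed
    layout) and returns the policy name otherwise, so a caller can log
    the effective policy at startup.
    """
    sp_config = config.get('service', {}).get('sp', {})
    policy = signing_policy(sp_config)
    if policy == 'none':
        raise ValueError(
            'SAML SP config accepts unsigned responses and unsigned '
            'assertions; set want_response_signed or '
            'want_assertions_signed to True')
    return policy


# Constructed sample: the setting the issue reports in saml_auth.py.
REDASH_CURRENT = {'service': {'sp': {
    'want_assertions_signed': True,
    'want_response_signed': False,
}}}

# Constructed sample: the reversal the issue proposes.
REDASH_PROPOSED = {'service': {'sp': {
    'want_assertions_signed': False,
    'want_response_signed': True,
}}}

# Constructed sample: the combination the check exists to catch.
UNSIGNED = {'service': {'sp': {
    'want_assertions_signed': False,
    'want_response_signed': False,
}}}

if __name__ == '__main__':
    for name, cfg in [('current', REDASH_CURRENT),
                      ('proposed', REDASH_PROPOSED)]:
        print(name, '->', check_sp_signing(cfg))
    try:
        check_sp_signing(UNSIGNED)
    except ValueError as exc:
        print('unsigned rejected:', exc)
```

Either of the two settings in the post passes this check; the point of the check is that flipping one flag off without turning the other on, which is an easy mistake when editing the file by hand, is caught before the SP accepts an unauthenticated response.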

I'm not familiar enough with this, but your explanation makes sense. How about we move this configuration?

arikfr avatar Mar 20 '17 09:03 arikfr

@susodapop I suppose this can be closed when the merged commit gets a tagged release?

deed02392 avatar Mar 29 '22 11:03 deed02392

SGTM

susodapop avatar Apr 07 '22 15:04 susodapop

This is not related to the issue, but I assume that the issue author or followers might have SAML enabled for their deployment and should be aware of the following Security Advisory: https://github.com/getredash/redash/discussions/5961. This affects all Redash versions and should be patched immediately.

arikfr avatar Apr 03 '23 20:04 arikfr