SAML entityID is different than value in settings

Open mat02 opened this issue 3 years ago • 7 comments

Hi all! I've been trying to connect ReDash SAML authentication to a Keycloak server. Unfortunately, Keycloak refused login requests due to an invalid client ID. After many hours of debugging I've noticed that the entityID for SAML authentication is replaced by the callback URL: https://github.com/getredash/redash/blob/d8d7c78992e44a4b6d7fdd4c39ccc1c35cd8c7a9/redash/authentication/saml_auth.py#L89

After changing Client ID in Keycloak to http:///saml/callback?org_slug=default it finally worked.

This is my first attempt at both ReDash and SAML, so I don't know if this is a bug or something perfectly normal ;)

mat02 avatar Jul 08 '21 17:07 mat02
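The report above boils down to one question an operator can check directly: which entityID does the SP actually put in the `Issuer` of its AuthnRequest, and does any client registered on the IdP carry exactly that ID? The following is an added example, not Redash's or Keycloak's own code. It decodes a `SAMLRequest` parameter as carried by the HTTP-Redirect binding (raw DEFLATE, then base64), reads the `Issuer` and `AssertionConsumerServiceURL`, and compares the Issuer with the entityID configured on the SP side and with the IdP's client IDs. The AuthnRequest, hostnames and client IDs are constructed placeholders.

```python
"""Inspect the entityID a SAML SP really sends, to explain an IdP's client_not_found.

Added example (not Redash code). Hostnames, IDs and the AuthnRequest are constructed.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest whose Issuer is the callback (ACS) URL instead of the
# entityID the operator configured, which is the mismatch the issue describes.
CALLBACK_URL = "https://redash.example.invalid/saml/callback?org_slug=default"
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_req-placeholder" Version="2.0" IssueInstant="2022-03-16T13:00:00Z"
    Destination="https://keycloak.example.invalid/realms/internal/protocol/saml"
    AssertionConsumerServiceURL="{CALLBACK_URL}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>{CALLBACK_URL}</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text: str) -> str:
    """Build the SAMLRequest query value: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_binding(saml_request: str) -> str:
    """Inverse of encode_redirect_binding; pass the value after URL-decoding it."""
    raw = base64.b64decode(saml_request)
    return zlib.decompress(raw, -15).decode("utf-8")


def parse_authn_request(xml_text: str) -> dict:
    """Extract Issuer (the SP entityID), ACS URL and Destination from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    return {
        "issuer": issuer,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
    }


def diagnose(request: dict, configured_entity_id: str, idp_client_ids: set) -> list:
    """Return human-readable findings about why the IdP may not match a client."""
    findings = []
    issuer = request["issuer"]
    if issuer is None:
        findings.append("no Issuer in AuthnRequest; the IdP cannot match a client")
        return findings
    if issuer != configured_entity_id:
        findings.append(f"SP sends Issuer {issuer!r} but settings configure {configured_entity_id!r}")
    if issuer == request["acs_url"]:
        findings.append("Issuer equals the ACS/callback URL, i.e. entityID was overwritten by the callback")
    if issuer not in idp_client_ids:
        findings.append("no IdP client ID equals the Issuer; expect client_not_found on the IdP")
    return findings


if __name__ == "__main__":
    # Round-trip through the redirect binding, as if captured from the browser's
    # SAMLRequest query parameter, then compare against what the operator configured.
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    req = parse_authn_request(decode_redirect_binding(param))
    for finding in diagnose(req, "redash-sp", {"redash-sp"}):
        print("-", finding)
```

In practice you would feed `decode_redirect_binding` the URL-decoded `SAMLRequest` value taken from the browser's redirect to the IdP; if the Issuer turns out to be the callback URL, the IdP client must be registered under that exact string, which is the workaround the reporter describes.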

Hi @mat02 thanks for reporting this. We'll look into this. It could be something specific to keycloak's implementation or a general bug. Either way, we should probably make this more configurable.

susodapop avatar Jul 23 '21 15:07 susodapop

any updates on this? we're facing the same issue but the above solution didn't work here 😞

kaiquerass avatar Mar 02 '22 16:03 kaiquerass

Hi @kaiquerass can you post more details about the error you're seeing?

susodapop avatar Mar 02 '22 16:03 susodapop

Sure! I've updated from v8 to v10 and we use a Keycloak server for authentication. In v8 it was working perfectly, but after the upgrade Keycloak is returning an error with the message "client_not_found". I've changed the client ID in Keycloak to the callback URL, as mat mentioned, but it didn't solve it; I'm still getting errors.

kaiquerass avatar Mar 02 '22 16:03 kaiquerass

Hello guys, any update on this error?

I am running Redash V10 but I'm also receiving the message client_not_found.

Logs from Keycloak:

14:54:59,223 WARN [org.keycloak.events] (default task-18496) type=LOGIN_ERROR, realmId=internal, clientId=null, userId=null, ipAddress=XXXXXXXXXXXX, error=client_not_found, reason=Cannot_match_source_hash

I tried the solution above but it didn't work.

brunorb86 avatar Mar 16 '22 13:03 brunorb86

Hey @brunorb86. I found a solution for me. Now it's working. I had to create a new client with the callback URL as the name and I had to change the SAML attributes in Mappers, as described here.

In my case I had to disable the Sign Documents flag too, that was enabled by default.

Hope it fixes it for you too. 🙂

kaiquerass avatar Mar 16 '22 13:03 kaiquerass

Thanks @kaiquerass it worked.

brunorb86 avatar Mar 23 '22 12:03 brunorb86

This is not related to the issue, but I assume that the issue author or followers might have SAML enabled for their deployment and should be aware of the following Security Advisory: https://github.com/getredash/redash/discussions/5961. This affects all Redash versions and should be patched immediately.

arikfr avatar Apr 03 '23 20:04 arikfr