Open unixwitch opened 7 years ago
Also, looking at saml_auth.py it seems Redash assumes the NameID is the user's email address, i.e. that the NameID format must be `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. This is very implementation-specific: we prefer to use transient NameIDs and pass the email address as an attribute named `urn:oid:0.9.2342.19200300.100.1.3`.
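As an added illustration (not code from this thread and not Redash's saml_auth.py), the sketch below shows the configurable attribute mapping the issue asks for: the email can come either from an emailAddress-formatted NameID (the behaviour described above) or from a configured attribute such as `urn:oid:0.9.2342.19200300.100.1.3` when the IdP sends a transient NameID, and the given-name and group attribute names (`FirstName`/`RedashGroups` versus the `urn:oid:...` names from the issue text) are looked up from a mapping instead of being hard-coded. The mapping dictionaries, function names and the two sample assertions are constructed for this example; the assertions are unsigned, and the parser does no signature, audience or time-window validation, which a real SP must do in a SAML library before trusting anything inside the assertion.

```python
"""Added example: configurable SAML attribute mapping for a service provider.

Not Redash code. Mapping names and the sample assertions are constructed for
illustration. The parser trusts its input: in a real SP the assertion must
first pass signature, audience, time-window and InResponseTo checks in a SAML
library (e.g. pysaml2) before any of this runs.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# The hard-coded behaviour the thread describes: email from NameID, fixed names.
DEFAULT_MAPPING = {
    "email": None,  # None: use NameID, which must then be emailAddress-formatted
    "first_name": "FirstName",
    "groups": "RedashGroups",
}

# Hypothetical per-deployment config using the OID attribute names from the thread.
OID_MAPPING = {
    "email": "urn:oid:0.9.2342.19200300.100.1.3",  # mail
    "first_name": "urn:oid:2.5.4.42",              # givenName
    "groups": "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",  # isMemberOf
}


def extract_attributes(assertion_xml):
    """Return NameID format/value and every Attribute as name -> [values]."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name in attributes:  # two Attribute elements with one Name is ambiguous
            raise ValueError(f"duplicate attribute {name!r}")
        attributes[name] = [(v.text or "").strip()
                            for v in attr.findall("saml:AttributeValue", NS)]
    # Format is optional in SAML; a missing Format is not emailAddress.
    return {"nameid_format": name_id.get("Format", ""),
            "nameid": name_id.text.strip(), "attributes": attributes}


def resolve_user(parsed, mapping):
    """Map a parsed assertion to an SP user record using the configured names."""
    attrs = parsed["attributes"]
    if mapping["email"] is None:
        fmt = parsed["nameid_format"] or "unspecified"
        if parsed["nameid_format"] != NAMEID_EMAIL:
            raise ValueError(f"NameID format {fmt!r} is not emailAddress; "
                             "configure an email attribute instead")
        email = parsed["nameid"]
    else:
        values = attrs.get(mapping["email"], [])
        if len(values) != 1:  # never guess between zero or several addresses
            raise ValueError(f"expected one value for {mapping['email']!r}, "
                             f"got {len(values)}")
        email = values[0]
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    first = attrs.get(mapping["first_name"], [])
    return {"email": email.lower(),
            "first_name": first[0] if first else "",
            "groups": sorted(set(attrs.get(mapping["groups"], [])))}


def try_resolve(assertion_xml, mapping):
    """Wrapper returning (user, None) on success or (None, reason) on rejection."""
    try:
        return resolve_user(extract_attributes(assertion_xml), mapping), None
    except ValueError as exc:
        return None, str(exc)


# Constructed, unsigned sample assertions (not captured from any real IdP).
SAMPLE_TRANSIENT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_8f3c</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>Alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
      <saml:AttributeValue>analysts</saml:AttributeValue><saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAMPLE_EMAIL_NAMEID_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bob@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Bob</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="RedashGroups"><saml:AttributeValue>default</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, xml, mapping in [("transient+OID", SAMPLE_TRANSIENT_ASSERTION, OID_MAPPING),
                                ("transient+default", SAMPLE_TRANSIENT_ASSERTION, DEFAULT_MAPPING),
                                ("email NameID+default", SAMPLE_EMAIL_NAMEID_ASSERTION, DEFAULT_MAPPING)]:
        print(label, try_resolve(xml, mapping))
```

The point of the two rejection paths is that a mapping mismatch fails closed: with the hard-coded `DEFAULT_MAPPING`, a transient NameID is refused rather than silently used as a login identifier, and with an attribute-based email the SP refuses to pick between zero or several values. Group values are deduplicated and sorted so that the order an IdP happens to emit them in does not change the resulting membership.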
@unixwitch, we are planning to integrate SAML with Redash through Azure IdP SSO. Currently the SAML authentication setup as documented here (https://redash.io/help-onpremise/setup/saml-authentication-and-authorization.html) cannot be followed. Could you please list the steps I need to follow to set up SAML authentication through Azure? Thanks for your help.
--Ravi
@unixwitch totally makes sense to move this into the configuration. 👍
This is partially addressed by https://github.com/getredash/redash/pull/4421
This is not related to the issue, but I assume that the issue author or followers might have SAML enabled for their deployment and should be aware of the following Security Advisory: https://github.com/getredash/redash/discussions/5961. This affects all Redash versions and should be patched immediately.
Currently SAML authentication as documented here is quite inflexible: for example, it requires the user's given name attribute to be called `FirstName`, while ours is called `urn:oid:2.5.4.42`; it requires the group membership attribute to be called `RedashGroups`, while ours is called `urn:oid:1.3.6.1.4.1.5923.1.5.1.1`, etc. This means we have to configure special attribute resolvers in our IdP just for Redash to use. Most SAML applications allow attribute names to be configurable in the application; it would be nice if Redash supported that as well. Gitlab, for example, supports this configuration: