gristlabs / grist-core

Grist is the evolution of spreadsheets.
https://www.getgrist.com/
Apache License 2.0

SAML configuration unclear (documentation update needed) #135

Open RickyRomero opened 2 years ago

RickyRomero commented 2 years ago

I'll caveat this by saying that although I have a lot of web development experience, I haven't integrated SAML before. (My authentication experience is mainly with OAuth and OIDC.)

I got an installation of Grist and Authentik running, and they both appear to be working independently, but not together. I'm trying to figure out the correct config to get them to talk to one another. I can go to Authentik and log in, but when redirected back to Grist I get a 404:

[screenshot: 404 page]

I set up Grist as an application in Authentik, and set its provider as a SAML 2.0 provider. This is the config I'm using:

[screenshot: Authentik SAML provider configuration]

(I changed the domain for this screenshot.)

I got the ACS URL shown from SamlConfig.ts.

I set the service provider binding to Redirect. Not sure if that makes a difference. The only advanced protocol settings I changed were the signing and validation certificates since they're required by Grist.

RickyRomero commented 2 years ago

For completeness, here are the environment variables I've set for Grist.

GRIST_SAML_SP_HOST=https://grist.example.com
GRIST_SAML_SP_KEY=/saml/snakeoil-sp.key
GRIST_SAML_SP_CERT=/saml/snakeoil-sp.pem
GRIST_SAML_IDP_LOGIN=https://auth.example.com/application/saml/grist/sso/binding/redirect/
GRIST_SAML_IDP_LOGOUT=https://auth.example.com/application/saml/grist/sso/binding/redirect/
GRIST_SAML_IDP_CERTS=/saml/snakeoil-idp.pem

paulfitz commented 2 years ago

There are some notes on Grist+Authentik here: https://www.reddit.com/r/selfhosted/comments/su6tv3/grist_free_open_source_alternative_to_airtable/hxghbc4/?context=3. The main significant difference I see on the Authentik side is setting the service provider binding to Post. GRIST_SAML_IDP_LOGOUT is different, but that won't matter at first :-) When redirected back to Grist and getting a 404, what URL do you end up at?

RickyRomero commented 2 years ago

That Reddit post was helpful. I changed Service Provider Binding to Post, then added GRIST_SAML_IDP_UNENCRYPTED=1 to my environment variables. My installation works now.

Thank you! :+1::+1::+1:
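The resolution above comes down to two things: the IdP must deliver the assertion to the SP with the HTTP-POST binding, and GRIST_SAML_IDP_UNENCRYPTED=1 tells Grist to accept assertions that are signed but not encrypted. The following added example (written for this thread, not code from grist-core or Authentik) takes the environment variables posted above, lints them, and emits SP metadata that an IdP can import, so the ACS binding is declared as POST rather than typed by hand. The ACS path `/saml/assert` and entity ID `/saml/metadata.xml` are assumptions about what SamlConfig.ts derives from GRIST_SAML_SP_HOST, and the certificate PEM is a constructed placeholder.

```python
"""Lint a Grist-style SAML environment and build SP metadata from it.

Added example for this issue thread; not Grist's own code. The ACS path
(/saml/assert) and entity ID (/saml/metadata.xml) are assumptions, and the
sample certificate is a constructed placeholder, not a real key.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

REQUIRED = ("GRIST_SAML_SP_HOST", "GRIST_SAML_SP_KEY", "GRIST_SAML_SP_CERT",
            "GRIST_SAML_IDP_LOGIN", "GRIST_SAML_IDP_LOGOUT", "GRIST_SAML_IDP_CERTS")

# Constructed placeholder; a real deployment reads the file named by GRIST_SAML_SP_CERT.
SAMPLE_SP_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleSAMPLEsample0000000000000000000000000000000000000000\n"
    "-----END CERTIFICATE-----\n"
)

# Constructed to mirror the variables posted in the thread.
SAMPLE_ENV = {
    "GRIST_SAML_SP_HOST": "https://grist.example.com",
    "GRIST_SAML_SP_KEY": "/saml/snakeoil-sp.key",
    "GRIST_SAML_SP_CERT": "/saml/snakeoil-sp.pem",
    "GRIST_SAML_IDP_LOGIN": "https://auth.example.com/application/saml/grist/sso/binding/redirect/",
    "GRIST_SAML_IDP_LOGOUT": "https://auth.example.com/application/saml/grist/sso/binding/redirect/",
    "GRIST_SAML_IDP_CERTS": "/saml/snakeoil-idp.pem",
}


def validate_env(env):
    """Return a list of findings; an empty list means the variables look sane."""
    findings = []
    for key in REQUIRED:
        if not env.get(key):
            findings.append(f"missing {key}")
    for key in ("GRIST_SAML_SP_HOST", "GRIST_SAML_IDP_LOGIN", "GRIST_SAML_IDP_LOGOUT"):
        url = env.get(key, "")
        if url and urlparse(url).scheme != "https":
            findings.append(f"{key} should use https; the SAML response travels over it")
    if env.get("GRIST_SAML_IDP_UNENCRYPTED") == "1":
        findings.append("GRIST_SAML_IDP_UNENCRYPTED=1: assertions arrive unencrypted; "
                        "integrity rests on the IdP signature (GRIST_SAML_IDP_CERTS), "
                        "confidentiality on TLS alone")
    return findings


def pem_to_base64(pem):
    """Strip PEM armour and whitespace, leaving the base64 body metadata expects."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def build_sp_metadata(env, sp_cert_pem):
    """Build SP metadata declaring an HTTP-POST ACS at <SP_HOST>/saml/assert (assumed path)."""
    host = env["GRIST_SAML_SP_HOST"].rstrip("/")
    ET.register_namespace("md", MD_NS)
    ET.register_namespace("ds", DS_NS)
    entity = ET.Element(f"{{{MD_NS}}}EntityDescriptor",
                        {"entityID": f"{host}/saml/metadata.xml"})
    sp = ET.SubElement(entity, f"{{{MD_NS}}}SPSSODescriptor",
                       {"protocolSupportEnumeration": SAML_PROTOCOL})
    key = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", {"use": "signing"})
    key_info = ET.SubElement(key, f"{{{DS_NS}}}KeyInfo")
    x509 = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = pem_to_base64(sp_cert_pem)
    # This is the setting the thread fixed on the Authentik side: the IdP must POST to the ACS.
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  {"Binding": HTTP_POST, "Location": f"{host}/saml/assert",
                   "index": "0", "isDefault": "true"})
    return ET.tostring(entity, encoding="unicode")


def acs_binding(metadata_xml):
    """Return (binding, location) of the first ACS in a metadata document."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(f".//{{{MD_NS}}}AssertionConsumerService")
    return acs.get("Binding"), acs.get("Location")


if __name__ == "__main__":
    for finding in validate_env(SAMPLE_ENV) or ["no findings"]:
        print(finding)
    print(build_sp_metadata(SAMPLE_ENV, SAMPLE_SP_CERT_PEM))
```

Feeding the generated metadata to the IdP is the usual way to avoid the redirect/POST mismatch seen in this thread, since the IdP reads the ACS binding from the document instead of a hand-picked dropdown value.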