I want to configure Redash to use Keycloak as the SAML backend. I can now be redirected to the Keycloak login page and log in successfully, but when Keycloak redirects back to Redash, I get the error message below:
[2018-10-17 11:49:22,787][PID:21][INFO][saml2.response] status: <?xml version='1.0' encoding='UTF-8'?>
<ns0:Status xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></ns0:Status>
[2018-10-17 11:49:22,788][PID:21][ERROR][saml2.client_base] XML parse error: Signature missing for assertion
[2018-10-17 11:49:22,788][PID:21][ERROR][saml_auth] Failed to parse SAML response
Traceback (most recent call last):
  File "/app/redash/authentication/saml_auth.py", line 73, in idp_initiated
    entity.BINDING_HTTP_POST)
  File "/usr/local/lib/python2.7/dist-packages/saml2/client_base.py", line 702, in parse_authn_request_response
    binding, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/saml2/entity.py", line 1170, in _parse_response
    response = response.verify(keys)
  File "/usr/local/lib/python2.7/dist-packages/saml2/response.py", line 1018, in verify
    if self.parse_assertion(keys):
  File "/usr/local/lib/python2.7/dist-packages/saml2/response.py", line 930, in parse_assertion
    if not self._assertion(assertion, False):
  File "/usr/local/lib/python2.7/dist-packages/saml2/response.py", line 781, in _assertion
    raise SignatureError("Signature missing for assertion")
SignatureError: Signature missing for assertion
My SAML config looks something like this:
SAML Metadata URL
http://xxx.xxx.xxx.xxx/auth/realms/somerelm/protocol/saml/descriptor
SAML Entity ID
redash
SAML NameID Format
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Steps to Reproduce
It's very strange: from the error message above, I should enable the "Client Signature Required" option in Keycloak, but there is nowhere for me to set the certificate key in Redash...
Is it an incorrect design?
I solved all problems finally...
I want to contribute some documentation for integrating Keycloak. What should I do?
@rockxsj documentation is always welcomed! The sources of the documentation are in github.com/getredash/website.
Hi @rockxsj, can you share your documentation for integrating with Keycloak, please?
Thank you so much
@thiagodiogo Of course!
First, make sure SAML is enabled, and fill in these values:
SAML Metadata URL
http://your.domain.com/auth/realms/${realmid}/protocol/saml/descriptor
SAML Entity ID
redash
SAML NameID Format
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Second, add a client named redash in Keycloak with the configuration below:





That's all!
@rockxsj documentation is always welcomed! The sources of the documentation are in github.com/getredash/website.
Thanks, but the documentation project build failed :( I will retry later.
Thank you so much @rockxsj !
You saved the day here 👍