Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SAML: Don't require signed assertions #1669

Closed
unixwitch opened this issue Mar 13, 2017 · 4 comments
Closed

SAML: Don't require signed assertions #1669

unixwitch opened this issue Mar 13, 2017 · 4 comments

Comments

@unixwitch
Copy link
Contributor

Currently Redash requires signed SAML assertions. This is mostly legacy functionality, and isn't needed when the response itself is signed. Most IdPs will not sign assertions by default (requiring special configuration), but will sign the response, as that's what the vast majority of SPs expect.

In saml_auth.py:

                'want_assertions_signed': True,
                'want_response_signed': False,

This should probably be reversed:

                'want_assertions_signed': False,
                'want_response_signed': True,
@arikfr
Copy link
Member

arikfr commented Mar 20, 2017

I'm not familiar enough with this, but your explanation makes sense. How about we move this configuration?

sjakthol added a commit to sjakthol/redash that referenced this issue Jan 7, 2018
@sjakthol
feat: make SAML signature requirements configurable
ed940a3 
These changes make it possible to configure if the SAML
based authentication requires the IDP to sign individual
assertions, whole response or both. These values can be
configured both globally via environmental variables or
through organization specific settings from the Admin UI
/ API.

The two environmental variables provide global defaults
for these values:

* REDASH_SAML_WANT_ASSERTIONS_SIGNED
* REDASH_SAML_WANT_RESPONSE_SIGNED

If these variables are not present, they default to the
previously hardcoded values (want_signed_assertions = True
and want_response_signed = False). This is done to ensure
existing installations do not break on upgrade. A test
has been written to ensure this behavior persists.

Alternatively, these two variables can be modified on
per-organization basis from the Admin UI. These
configurations override the global defaults set via
the environment.

Special care has been taken to ensure that it's not
possible to disable signing requirements completely. If
the two environmental variables are both disabled while
SAML is enabled, the server will instruct the user to
enable at least signing requirement and refuse to start.
Similarly, the UI will not let the user to disable both
signing requirements and the API will return a 400 response
if signing requirements are going to be disabled.

Tests have also been written to test the backend
functionality.

Closes getredash#1669.
@sjakthol sjakthol mentioned this issue Jan 7, 2018
Closed
@snyk-bot snyk-bot mentioned this issue Mar 24, 2021
Open
@snyk-bot snyk-bot mentioned this issue Sep 16, 2021
Open
be30c9 added a commit to be30c9/redash that referenced this issue Oct 12, 2021
@be30c9
Add auth_saml_sp_settings to allow configuring getredash#1669 (SAML: …
96da005 
…Don't require signed assertions)
@be30c9 be30c9 mentioned this issue Oct 12, 2021
Merged
1 task
@deed02392
Copy link

@susodapop I suppose this can be closed when the merged commit gets a tagged release?

@susodapop
Copy link
Contributor

SGTM

This was referenced Apr 12, 2022
Open
Open
@Watemlifts Watemlifts mentioned this issue May 14, 2022
Open
@arikfr
Copy link
Member

arikfr commented Apr 3, 2023

This is not related to the issue, but I assume that the issue author or followers might have SAML enabled for their deployment and should be aware of the following Security Advisory: #5961. This affects all Redash versions and should be patched immediately.

@arikfr arikfr closed this as completed Apr 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: make SAML signature requirements configurable sjakthol/redash
4 participants
@arikfr @unixwitch @deed02392 @susodapop