diff --git a/redash/authentication/saml_auth.py b/redash/authentication/saml_auth.py
index c34b212be7..94030f276b 100644
--- a/redash/authentication/saml_auth.py
+++ b/redash/authentication/saml_auth.py
@@ -1,5 +1,6 @@
 import logging
 from flask import flash, redirect, url_for, Blueprint, request
+from redash import settings
 from redash.authentication import create_and_login_user, logout_and_redirect_to_index
 from redash.authentication.org_resolving import current_org
 from redash.handlers.base import org_scoped_rule
@@ -20,7 +21,12 @@ def get_saml_client(org):
     """
     metadata_url = org.get_setting("auth_saml_metadata_url")
     entity_id = org.get_setting("auth_saml_entity_id")
-    acs_url = url_for("saml_auth.idp_initiated", org_slug=org.slug, _external=True)
+
+    if settings.SAML_SCHEME_OVERRIDE:
+        acs_url = url_for("saml_auth.idp_initiated", org_slug=org.slug, _external=True,
+                          _scheme=settings.SAML_SCHEME_OVERRIDE)
+    else:
+        acs_url = url_for("saml_auth.idp_initiated", org_slug=org.slug, _external=True)
 
     saml_settings = {
         'metadata': {
diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
index efb2a1cd25..f95cfa0906 100644
--- a/redash/settings/__init__.py
+++ b/redash/settings/__init__.py
@@ -59,6 +59,13 @@ def all_settings():
 GOOGLE_CLIENT_SECRET = os.environ.get("REDASH_GOOGLE_CLIENT_SECRET", "")
 GOOGLE_OAUTH_ENABLED = bool(GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET)
 
+# If Redash is behind a proxy it might sometimes receive a X-Forwarded-Proto of HTTP
+# even if your actual Redash URL scheme is HTTPS. This will cause Flask to build
+# the SAML redirect URL incorrect thus failing auth. This is especially common if
+# you're behind a SSL/TCP configured AWS ELB or similar.
+# This setting will force the URL scheme.
+SAML_SCHEME_OVERRIDE = os.environ.get("REDASH_SAML_SCHEME_OVERRIDE", "")
+
 # Enables the use of an externally-provided and trusted remote user via an HTTP
 # header. The "user" must be an email address.
 #
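Review bot: The two `url_for("saml_auth.idp_initiated", ...)` calls in the `if`/`else` differ only by the `_scheme` keyword, so the endpoint and `org_slug` are now maintained in two places; building the keyword arguments once and adding `_scheme` conditionally keeps a single call site. The override value is passed to `url_for` straight from the environment without checking it is one of `http`/`https`, so a typo in the variable produces a malformed ACS URL that the IdP will reject rather than an early startup error; a one-line check where the setting is read, or here before use, would surface that. Note that the proxy problem described in the setting's comment affects every `_external=True` URL the app builds, not just the SAML ACS URL, so a deployment-wide remedy (honouring the proxy's forwarded headers, or Flask's `PREFERRED_URL_SCHEME`) may be the more complete fix — this hunk only patches the SAML path. `get_saml_client` continues outside the hunk.
```python
    url_kwargs = {"org_slug": org.slug, "_external": True}
    if settings.SAML_SCHEME_OVERRIDE:
        url_kwargs["_scheme"] = settings.SAML_SCHEME_OVERRIDE
    acs_url = url_for("saml_auth.idp_initiated", **url_kwargs)
    # … unchanged: saml_settings construction …
```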
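Review bot: The comment above `SAML_SCHEME_OVERRIDE` explains why the setting exists but not what values it accepts or how narrow its effect is; as far as this diff shows, it is consumed only when building the SAML ACS URL in `saml_auth.py` and has no effect on other externally generated URLs. I would add a line such as `# Accepted values: "http" or "https" (empty = use the scheme Flask derives from the request). Applies only to the SAML ACS URL.` so operators do not expect it to fix other redirect URLs behind the same proxy. The phrase "build the SAML redirect URL incorrect" should read "incorrectly", and "a X-Forwarded-Proto" should read "an X-Forwarded-Proto".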