Force saml auth scheme

redash/authentication/saml_auth.py

@@ -1,5 +1,6 @@
 import logging
 from flask import flash, redirect, url_for, Blueprint, request
+from redash import settings
 from redash.authentication import create_and_login_user, logout_and_redirect_to_index
 from redash.authentication.org_resolving import current_org
 from redash.handlers.base import org_scoped_rule
@@ -20,7 +21,12 @@ def get_saml_client(org):
     """
     metadata_url = org.get_setting("auth_saml_metadata_url")
     entity_id = org.get_setting("auth_saml_entity_id")
-    acs_url = url_for("saml_auth.idp_initiated", org_slug=org.slug, _external=True)
+
+    if settings.SAML_SCHEME_OVERRIDE:
+        acs_url = url_for("saml_auth.idp_initiated", org_slug=org.slug, _external=True,
+                          _scheme=settings.SAML_SCHEME_OVERRIDE)
+    else:
+        acs_url = url_for("saml_auth.idp_initiated", org_slug=org.slug, _external=True)
 
     saml_settings = {
         'metadata': {

redash/settings/__init__.py

@@ -59,6 +59,13 @@ def all_settings():
 GOOGLE_CLIENT_SECRET = os.environ.get("REDASH_GOOGLE_CLIENT_SECRET", "")
 GOOGLE_OAUTH_ENABLED = bool(GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET)
 
+# If Redash is behind a proxy it might sometimes receive a X-Forwarded-Proto of HTTP
+# even if your actual Redash URL scheme is HTTPS. This will cause Flask to build
+# the SAML redirect URL incorrect thus failing auth. This is especially common if
+# you're behind a SSL/TCP configured AWS ELB or similar.
+# This setting will force the URL scheme.
+SAML_SCHEME_OVERRIDE = os.environ.get("REDASH_SAML_SCHEME_OVERRIDE", "")
+
 # Enables the use of an externally-provided and trusted remote user via an HTTP
 # header.  The "user" must be an email address.
 #