Azure AD Integration with Redash SAML [ SSO ]

Bhupender Rawat
Published in Opstree
Aug 18, 2022

Redash is a very popular data analytics tool used to visualise, explore and query data from multiple data sources. It also provides a SAML-based authentication option, which can be used to set up single sign-on [SSO] with different kinds of SAML-based identity providers. This makes SAML-based authentication in Redash flexible, because besides Azure Active Directory there is a lot of software that provides SAML support. Azure Active Directory also provides the Azure AD SAML Toolkit option, which an organisation can use to create SAML-based authentication with Redash.

Azure Active Directory Setup

Step 1: Click the top-left menu bar to get the list of options provided by Microsoft Azure.

Step 2: Click on Azure Active Directory

Step 3: Once you see all the options, under the Manage section you will see Enterprise applications. Click Enterprise applications.

Step 4: Now we need to create a new application. Click + New Application.

Step 5: Now, in the search box, search for azure ad SAML toolkit, and click the first result as shown below.

Step 6: Now, give the application a proper name.

Step 7: Once you have provided all the information, create the new application.

Step 8: Now, under the Manage section of the enterprise application that you created, click Single sign-on.

Step 9: Click Set up single sign on to create single sign-on.

Step 10: Now, click on Security Assertion Markup Language (SAML)

Step 11: Once you click SAML, you will see the Attributes & Claims option. Click it to set up the new claims that are required for Redash.

Step 12: Now, click Add new claim to add a new claim.

Step 13: Now, add the Name and Source attribute as shown in the diagram below.

Name - FirstName
Source Attribute - user.givenname

Step 14: Once you have saved the FirstName claim, repeat Step 12 to create a new claim for a different source attribute.

Name - LastName
Source Attribute - user.surname

Step 15: Once you have added them, click SAML-based Sign-on to get back to the main menu of the application.

Step 16: Confirm the claims below; if they are not present, repeat from Step 12.

Step 17: Now, under SAML Signing Certificate, copy the App Federation Metadata Url, and under Set up <APPLICATION-NAME>, copy the Azure AD Identifier.

Step 18: Now, create a note and copy the values below into it.

1. App Federation Metadata URL

https://login.microsoftonline.com/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

2. Azure AD Identifier

https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/

3. Self hosted Redash Reply URL

https://redash.domain_name.com/saml/callback?org_slug=default

4. Self hosted Redash URL

https://redash.domain_name.com/

5. SAML Name ID Format

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

NOTE — replace “redash.domain_name.com” with your domain name

Step 19: Now we are going to use the above values to set up Basic SAML Configuration, which is a mandatory part of setting up single sign-on.

Step 20: Under Identifier (Entity ID), add the Azure AD Identifier [Value 2] from Step 18, which starts with “https://sts”.

Step 21: Now add the Reply URL. Copy the value of Self hosted Redash Reply URL [Value 3] from Step 18.

Step 22: Add the sign on URL from Step 18 [Value 4].

NOTE: This is the configuration required on the Azure AD side. Now we will set up the Redash side, integrating Redash with Azure AD.

Redash

Step 1: Log in as a user that has full or Admin permission [this is required because the SAML configuration can only be modified with Admin permission].

Step 2: Once you are logged in as the Admin user, click the configuration icon as shown below, or go to the Redash configuration console.

Step 3: Now, click Settings to set up the SAML configuration.

Step 4: Under the Authentication section, you will see that the SAML option is disabled by default. To enable SAML, tick the SAML Enabled checkbox.

Step 5: Once you have enabled SAML, it will ask for a few values, as shown below:

SAML Metadata URL [ 1 ]

https://login.microsoftonline.com/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

SAML Entity ID [ 2 ]

https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/

SAML NameID Format [ 5 ]

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Step 6: Once you have provided all the values, click Save. Once the configuration is saved without any error, a Password Login Enabled option appears under the Authentication section. This disables or enables the default password login for self-hosted Redash.

NOTE: Once you have confirmed that Redash SAML [SSO] is working properly, you can disable password login.
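A consistency check for the three values entered in Step 5, run before saving them. This is an added example, not part of the original post or of Redash; the function name, the tenant and application IDs and the trimmed metadata document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TENANT = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID
APP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # constructed application ID
# Constructed, trimmed-down stand-in for the document behind the metadata URL.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
   <X509Certificate>CONSTRUCTED-PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def check_saml_settings(metadata_url, entity_id, nameid_format, metadata_xml):
    """Return a list of problems; an empty list means the three values agree."""
    problems = []
    url = urlparse(metadata_url)
    m = re.fullmatch(rf"/({GUID})/federationmetadata/2007-06/federationmetadata\.xml",
                     url.path.lower())
    if url.scheme != "https" or url.hostname != "login.microsoftonline.com" or not m:
        problems.append("metadata URL is not an https Azure AD federation metadata URL")
    else:
        if "appid" not in parse_qs(url.query):
            problems.append("metadata URL has no appid parameter")
        if entity_id.lower() != f"https://sts.windows.net/{m.group(1)}/":
            problems.append("Entity ID and metadata URL name different tenants")
    if nameid_format != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    # Use defusedxml.ElementTree instead when parsing XML fetched from the network.
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        problems.append("metadata entityID differs from the configured Entity ID")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    sso = [] if idp is None else idp.findall(f"{{{MD}}}SingleSignOnService")
    if not any(s.get("Location", "").startswith("https://") for s in sso):
        problems.append("metadata has no https SingleSignOnService endpoint")
    certs = [] if idp is None else idp.findall(
        f"{{{MD}}}KeyDescriptor[@use='signing']/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if not any((c.text or "").strip() for c in certs):
        problems.append("metadata has no signing certificate")
    return problems
```

To check a real tenant, pass the XML downloaded from your own App Federation Metadata URL in place of `SAMPLE_METADATA`.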

User Management

Step 1: To create a user, under the application that you created, under the Manage section, click Users and groups.

Step 2: Click Add user/group to add an existing user or group.

Step 3: Under the Add Assignment section, click None Selected to add an existing user or group.

Step 4: Select the users or groups that you want to add. Once you have chosen all the users, select those users.

Authentication Testing

Once you have completed all the above steps, open a new login session or log in again using SAML Login.

Once you select your current user to log in to Redash, it will give you the Redash login page. If not, check the steps above that you performed.
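When the login does not go through, the base64 `SAMLResponse` that Azure AD posts to the Reply URL shows which step went wrong. The checker below is an added example, not part of the original post or of Redash; it assumes the Issuer and Audience both carry value [2] as configured in Step 20, and the sample response, function names and user are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ENTITY_ID = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"  # constructed

def sample_response(attributes, nameid_format=EMAIL_FORMAT):
    """Build a constructed, unsigned SAMLResponse (base64) to exercise the checks."""
    attrs = "".join(f'<Attribute Name="{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
                    for n, v in attributes.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["p"]}"><Assertion xmlns="{NS["a"]}">'
           f'<Issuer>{ENTITY_ID}</Issuer>'
           f'<Subject><NameID Format="{nameid_format}">jane@example.com</NameID></Subject>'
           f'<Conditions><AudienceRestriction><Audience>{ENTITY_ID}</Audience>'
           f'</AudienceRestriction></Conditions>'
           f'<AttributeStatement>{attrs}</AttributeStatement></Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def check_response(saml_response_b64, entity_id):
    """List what is wrong with the claims; signatures are NOT verified here."""
    # Use defusedxml.ElementTree instead for responses you did not build yourself.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no plain Assertion element in the response"]
    problems = []
    # Azure AD Step 20 and Redash Step 5 both use value [2], so issuer and audience match it.
    if (assertion.findtext("a:Issuer", "", NS) or "").strip() != entity_id:
        problems.append("Issuer is not the Azure AD Identifier")
    audiences = [a.text for a in assertion.iterfind(
        "a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not contain the configured Entity ID")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an e-mail address")
    values = {a.get("Name"): a.findtext("a:AttributeValue", "", NS)
              for a in assertion.iterfind("a:AttributeStatement/a:Attribute", NS)}
    for claim in ("FirstName", "LastName"):  # claim names from Steps 13 and 14
        if not (values.get(claim) or "").strip():
            problems.append(f"claim {claim} is missing or empty")
    return problems
```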

Conclusion

Redash SAML is one of the advanced features provided by Redash. Unfortunately, there is no proper official or community documentation that gives a detailed understanding of how to configure the widely used Active Directory SAML support with Redash. So we created this blog as a detailed step-by-step guide for integrating Azure Active Directory with Redash SAML.
