Okta SAML log in isn't working after upgrade to v25.1.0 #7333

Open
batzsalmassi opened this issue Feb 17, 2025 · 7 comments

@batzsalmassi

Issue Summary

After upgrading to v25, the SAML connection stopped working.

Steps to Reproduce

Tried to re-configure the SAML connection to Okta, but it still didn't let me log into Redash with Okta SAML.

On a specific Redash server that is on v10, SAML is still working.

Technical details:

  • Redash Version: 25.1.0
  • Browser/OS: Chrome
  • How did you install Redash: Docker

@BowlesCR

Okta SAML is working fine for me on 25.1 -- maybe check that your secrets didn't get overwritten?

@batzsalmassi
Author

batzsalmassi commented Feb 17, 2025

> Okta SAML is working fine for me on 25.1 -- maybe check that your secrets didn't get overwritten?

Do you mean the SAML settings under the Settings > General tab?
They match the Okta Sign On tab configuration, but it's still giving me "SAML login failed. Please try again later." when trying to log into Redash via Okta.
With local login (Redash user & password) it logs in.
Are you using the Dynamic SAML?

@batzsalmassi
Author

batzsalmassi commented Feb 17, 2025

For some reason the redash-server container log says that it fails to parse the AudienceRestrictions, even though I made sure that it's configured with the correct AudienceRestrictions.
It's happening with all our Redash envs that we've upgraded to v25.1, except for 1 Redash env that is still on v10.
On the Okta side the log is showing that the login was successful, so IDK what the issue can be.

```
XML parse error: AudienceRestrictions conditions not satisfied! (Local entity_id=https://my-company.okta.com/app/exkdhzjhrbHkCecvh5d7/sso/saml)
[2025-02-17 16:37:11,485][PID:9][ERROR][saml_auth] Failed to parse SAML response
Traceback (most recent call last):
  File "/app/redash/authentication/saml_auth.py", line 117, in idp_initiated
    authn_response = saml_client.parse_authn_request_response(
  File "/usr/local/lib/python3.10/site-packages/saml2/client_base.py", line 793, in parse_authn_request_response
    resp = self._parse_response(xmlstr, AuthnResponse, "assertion_consumer_service", binding, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/saml2/entity.py", line 1503, in _parse_response
    response.verify(keys)
  File "/usr/local/lib/python3.10/site-packages/saml2/response.py", line 1027, in verify
    if self.parse_assertion(keys):
  File "/usr/local/lib/python3.10/site-packages/saml2/response.py", line 919, in parse_assertion
    if not self._assertion(assertion, False):
  File "/usr/local/lib/python3.10/site-packages/saml2/response.py", line 808, in _assertion
    if not self.condition_ok():
  File "/usr/local/lib/python3.10/site-packages/saml2/response.py", line 612, in condition_ok
    raise Exception(f"AudienceRestrictions conditions not satisfied! (Local entity_id={self.entity_id})")
Exception: AudienceRestrictions conditions not satisfied! (Local entity_id=https://my-company.okta.com/app/exkdhzjhrbHkCecvh5d7/sso/saml)
[2025-02-17 16:37:11,485][PID:9][INFO][metrics] method=POST path=/saml/callback endpoint=saml_auth_idp_initiated status=302 content_type=text/html; charset=utf-8 content_length=199 duration=833.25 query_count=1 query_duration=1.73
```
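
One way to inspect the condition that the traceback above reports, as an added example (not code from Redash, pysaml2 or anyone in this thread): it decodes a captured `SAMLResponse` form value and compares its `Audience` values with the SP entity ID. The sample response and its audience URL are constructed for illustration; the entity ID is the one printed in the log.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Entity ID exactly as printed in the log line on this page.
LOGGED_ENTITY_ID = "https://my-company.okta.com/app/exkdhzjhrbHkCecvh5d7/sso/saml"

# Constructed sample: a minimal, unsigned response with a made-up audience.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://redash.example.com/saml/callback</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())


def audience_groups(saml_response_b64):
    """Return one list of Audience URIs per <AudienceRestriction> element.

    Diagnostic only: no signature is verified, and an encrypted assertion
    yields no groups because its Conditions are not readable here.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    path = ".//saml:Conditions/saml:AudienceRestriction"
    return [
        [(a.text or "").strip() for a in restriction.iterfind("saml:Audience", NS)]
        for restriction in root.iterfind(path, NS)
    ]


def audience_ok(groups, sp_entity_id):
    # SAML 2.0 core: Audiences inside one restriction are alternatives (OR);
    # separate restrictions must all be satisfied (AND). Comparison is exact,
    # so a trailing slash or http/https difference counts as a mismatch.
    return all(sp_entity_id in group for group in groups)


def diagnose(saml_response_b64, sp_entity_id):
    groups = audience_groups(saml_response_b64)
    return {"sp_entity_id": sp_entity_id, "audiences": groups,
            "ok": audience_ok(groups, sp_entity_id)}


if __name__ == "__main__":
    print(diagnose(SAMPLE_B64, LOGGED_ENTITY_ID))
```

To run it on a real login, pass the `SAMLResponse` value from the POST to `/saml/callback` (visible in the browser's network tab) in place of `SAMPLE_B64`.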

@batzsalmassi
Author

Update: I've set up a brand new Redash server with the setup.sh script, and it created a Redash compose with the redash v[10.1.0.b50633] image.

I've configured a new Okta app for the SAML login, and the SAML login worked as expected.
I upgraded the new Redash server to the redash image v25.1, and after the upgrade I tried to re-login via the SAML login and got the same error message as I added above, for the new Okta app.
I think it's related to v25.1; somehow after the upgrade it's messing up the SAML login functionality and giving that SAML error.

@BowlesCR How did you perform the upgrade from v10 to v25?

@BowlesCR

My install is on Kubernetes via Helm chart. It looks like my SAML config is passed in the Helm chart values (equivalent to env vars in your Docker Compose), so it's very possible that there is some breaking change for configs stored in the DB that wouldn't impact my install.

@batzsalmassi
Author

@BowlesCR Can you share the Helm chart / documentation that you used for setting up Redash via Helm chart on EKS?

@BowlesCR

I'm using the community-maintained "official" chart: https://github.com/getredash/contrib-helm-chart and overriding image.tag to 25.01.0-dev in my values file.
