Redash is trying to fetch the SAML FederationMetadata.xml from an ADFS server that uses a self-signed certificate. The Python package certifi has not been updated with your new CA's certificate.
How to solve?
Find certifi’s cacert.pem and update it.
In terminal, type python to access its interactive shell. Then, type the following command.
In this case, it’s /usr/local/lib/python3.7/site-packages/certifi/cacert.pem.
Append your CA’s certificate to cacert.pem.
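The append step above as a script, added here as an example and not taken from the original post: it accepts the exported CA file in PEM or DER form (judged by content, not by extension) and appends it to the bundle only once, so it is safe to re-run. SAMPLE_DER and the scratch paths are constructed; for Redash the bundle path is the one certifi.where() reports.

```python
import ssl
import tempfile
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"
# Constructed stand-in for a CA certificate: a DER SEQUENCE header plus filler,
# not a real X.509 certificate. Replace with your exported CA file.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def to_pem(raw: bytes) -> str:
    """Return one certificate as PEM text, judged by content, not extension."""
    text = raw.strip()
    if text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER):
        if text.count(PEM_HEADER) != 1:
            raise ValueError("expected exactly one certificate in the file")
        der = ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    else:
        der = raw
    # Heuristic DER check: SEQUENCE tag, 2-byte length equal to the remainder.
    if der[:2] != b"\x30\x82" or int.from_bytes(der[2:4], "big") != len(der) - 4:
        raise ValueError("file is neither a PEM nor a DER certificate")
    return ssl.DER_cert_to_PEM_cert(der)


def append_ca(bundle_path, cert_path) -> bool:
    """Append the CA to the bundle once; return True if the bundle changed."""
    bundle = Path(bundle_path)
    pem = to_pem(Path(cert_path).read_bytes())
    current = bundle.read_text(encoding="utf-8")
    body = "".join(pem.splitlines()[1:-1])       # base64 only, no line wrapping
    if body in "".join(current.split()):          # certificate already trusted
        return False
    with bundle.open("a", encoding="utf-8") as fh:
        fh.write(("" if current.endswith("\n") or not current else "\n") + pem)
    return True


if __name__ == "__main__":
    # Demo on a scratch copy of a bundle (constructed content).
    with tempfile.TemporaryDirectory() as tmp:
        bundle, cert = Path(tmp, "cacert.pem"), Path(tmp, "my-ca.cer")
        bundle.write_text("# constructed bundle\n")
        cert.write_bytes(SAMPLE_DER)
        print(append_ca(bundle, cert), append_ca(bundle, cert))
```

Upgrading the certifi package replaces cacert.pem, so the append has to be repeated after each upgrade.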
How to test?
In terminal, type python to access its interactive shell. Then, type the following command.
You only need to extract the CA's certificate. Export it with the .pem file extension.
Please note that update-ca-trust determines the certificate format from the file header, which is located in the very first bytes of the file. Even though you save certificates with .crt or .cer, the format is still .pem.
To determine the file format, you should use the file command, for example $ file file_name.
To illustrate this point, I'll give an example.
Step 2. Copy certificate authority’s certificate to /etc/pki/ca-trust/source/anchors
Step 3. Update /etc/ssl/certs/ca-certificates.crt
You can check this file /etc/ssl/certs/ca-certificates.crt to ensure that it is updated.
Solution: Add the connection parameter :read_timeout to the repo config. In the following example, I change :read_timeout to 5 minutes, see line 11.
I also set :timeout to :infinity, see line 10.
Realms
A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.
Realms (Vietnamese translations of the word): realm, domain, kingdom, region
A realm manages a set of users, credentials, roles and groups. A user belongs to one realm, a realm has many users, and a user logs into the realm it belongs to. A KeyCloak server can create many realms, and they are isolated from one another. These realms can only manage and authenticate the users that they control.
Given the definition of a realm, this step is for testing only. Normally, if your KeyCloak already has a realm, you can skip this step and go to step 2.
Step 2: Create a new client for the realm and configure it
In the new client form, I enter the following parameters, then submit.
The SAML response that Redash expects to receive must include:
First Name (original), this attribute name is FirstName
Last Name (original), this attribute name is LastName
However, in KeyCloak the attribute names differ from what Redash expects, so we need to configure the client's mappers.
For first name and last name, use the Add Builtin feature.
X500 Surname
Property: lastName
Friendly Name: LastName
SAML Attribute Name: LastName
X500 GivenName
Property: firstName
Friendly Name: FirstName
SAML Attribute Name: FirstName
II. Redash SAML Configuration
After logging in with the admin credentials, go to Settings → General → Saml