dpgaspar opened a new pull request, #38606:
URL: https://github.com/apache/superset/pull/38606
### SUMMARY
Flask-AppBuilder 5.1.0 added SAML authentication (`AuthSAMLView`). The
Superset backend already passes SAML providers to the frontend via bootstrap
data (`superset/views/base.py`), but the React Login component didn't handle
`AUTH_TYPE = 5` (`AUTH_SAML`), so the login page rendered empty — just "Sign
in" with no provider buttons.
This PR adds full SAML login support:
- **Frontend**: Add `AuthSAML = 5` to the `AuthType` enum and render SAML
provider buttons using the same pattern as OAuth (same provider shape `{name,
icon}` and `/login/<provider>` URL pattern)
- **Dependency**: Add `python3-saml` via `flask-appbuilder[saml]` extra in
`pyproject.toml` and pinned requirements
- **CSRF**: Exempt FAB's SAML ACS endpoint (`/saml/acs/`) from CSRF
protection — the IdP POSTs the SAML response cross-site without a CSRF token
- **Recaptcha**: Exclude SAML from the recaptcha check (like OAuth, SAML
users don't go through a self-registration form)
- **Tests**: Backend tests for SAML/OAuth bootstrap data and recaptcha
logic; frontend test for SAML provider button rendering
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
**Before**: With `AUTH_TYPE = AUTH_SAML`, the login page shows only "Sign
in" with no buttons.
**After**: SAML provider buttons render correctly, matching the OAuth
provider button style.
### TESTING INSTRUCTIONS
1. Configure SAML authentication in `superset_config.py`:
```python
from flask_appbuilder.const import AUTH_SAML
AUTH_TYPE = AUTH_SAML
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
SAML_PROVIDERS = [
{
"name": "entra_id",
"icon": "fa-microsoft",
"idp": { ... },
"attribute_mapping": { ... },
},
]
SAML_CONFIG = { "sp": { ... }, "security": { ... } }
```
2. Verify the login page shows SAML provider buttons
3. Click a provider button and complete the SAML flow
4. Verify successful login and redirect to the welcome page
5. Run backend tests: `pytest tests/unit_tests/views/test_bootstrap_auth.py
-v`
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [x] Changes UI
- [ ] Includes DB Migration (follow approval process in
[SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [x] Introduces new feature or API
- [ ] Removes existing feature or API
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
