On-premise SAML entity id configuration doesn't work

I'm working with an on-premise Retool deployment on Heroku, and I want to have it use our own IDP. Following the docs on https://docs.retool.com/docs/sso-google-and-okta, I set SAML_SP_ENTITY_ID to a custom entity through the Heroku environment, but it doesn't seem to replace the default https://tryretool.com entity. Is the documentation outdated, or perhaps this doesn't work with Heroku deployments?

Hi @chris-wu! are you saying that the newly specified SP entity ID isn’t being replaced in the metadata.xml? Or it’s not being replaced in the entity ID of the actual SAML AuthnRequest?

It’s not being replaced in the entity ID of the SAML AuthnRequest. Also, while I do see the setting for importing IDP metadata xml, I don’t see the option mentioned in the documentation to export Service Provider metadata. In my case, I did not need to export Service Provider metadata (I’m using Auth0 as IDP). If this helps, I’m using Retool version v2.53.37 (not by explicitly choosing it, it was just the latest available for on-prem at the time).
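The question above comes down to what the SP actually puts in the `<saml:Issuer>` element of the AuthnRequest it sends to the IdP, which is the value the IdP compares against its configured audience/entity ID. The quickest way to settle "is the setting taking effect?" is to capture the redirect to the IdP from the browser's address bar or network tab and decode the `SAMLRequest` parameter. The following is an added diagnostic script, not code from Retool or from anyone in this thread; the AuthnRequest XML, the `example-retool.herokuapp.com` ACS URL, and the `example.auth0.com` IdP URL are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest modelled on what an SP sends over the HTTP-Redirect
# binding. Note the Issuer is still the default entity ID even though the ACS
# URL points at the Heroku deployment; that is the mismatch being debugged.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id-1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
    Destination="https://example.auth0.com/samlp/CLIENT_ID"
    AssertionConsumerServiceURL="https://example-retool.herokuapp.com/saml/login"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://tryretool.com</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text: str) -> str:
    """Raw-deflate (no zlib header) then base64, as the HTTP-Redirect binding does."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def build_redirect_url(idp_sso_url: str, xml_text: str) -> str:
    """Assemble the URL the browser would be redirected to (placeholder IdP URL)."""
    return idp_sso_url + "?SAMLRequest=" + quote(encode_redirect_binding(xml_text), safe="")


def decode_saml_request(saml_request: str) -> str:
    """Inverse of encode_redirect_binding; falls back to plain base64 (POST binding)."""
    raw = base64.b64decode(saml_request)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")


def inspect_authn_request(xml_text: str) -> dict:
    """Pull out the three fields that matter for an entity-ID / ACS mismatch."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
    }


def inspect_redirect_url(url: str) -> dict:
    """Take a captured IdP redirect URL and inspect the embedded AuthnRequest."""
    qs = parse_qs(urlparse(url).query)
    saml_request = qs.get("SAMLRequest", [None])[0]
    if saml_request is None:
        raise ValueError("no SAMLRequest parameter in URL")
    return inspect_authn_request(decode_saml_request(saml_request))


def check_entity_id(info: dict, expected_entity_id: str) -> list:
    """Return human-readable findings; an empty list means the request matches."""
    findings = []
    if info["issuer"] != expected_entity_id:
        findings.append("Issuer is %r, expected SP entity ID %r"
                        % (info["issuer"], expected_entity_id))
    if info["acs_url"] and not info["acs_url"].startswith("https://"):
        findings.append("AssertionConsumerServiceURL is not https: %r" % info["acs_url"])
    return findings


if __name__ == "__main__":
    url = build_redirect_url("https://example.auth0.com/samlp/CLIENT_ID", SAMPLE_AUTHN_REQUEST)
    info = inspect_redirect_url(url)
    print(info)
    for finding in check_entity_id(info, "https://example-retool.herokuapp.com"):
        print("MISMATCH:", finding)
```

To use it on a real deployment, paste the full redirect URL captured from the browser into `inspect_redirect_url` and compare the `issuer` it reports with the value set in `SAML_SP_ENTITY_ID`; if they differ, the environment variable is not reaching the SP library, regardless of what the SP metadata says.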

Oh ok - nice choice on Auth0! Give me a few while I retrace your steps, but thanks for this detail/very helpful

Hi @chris-wu , a few follow-on questions please -

  1. In Auth0, did you connect to Retool using an Auth0 Application with a Saml2 Web App add-on?
  2. Out of curiosity, what are you trying to change the SP Entity ID value to/what is the reason https://tryretool.com won’t work?

  1. Yes I’m using the Saml2 web app add-on.
  2. I’m trying to change it to https://{redacted name of startup here}-retool.herokuapp.com

No non-alphanumeric characters besides the hyphens.

If I configure the Auth0 saml2 web app to accept https://tryretool.com, it then sends the SAML response to https://tryretool.com instead of my heroku deployment.
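Where the IdP sends its response and which SP it addresses the assertion to are carried in different fields of the SAML Response, and the post above is a good reason to look at both: the `Destination` attribute (and the `Recipient` in the subject confirmation) should be the SP's ACS URL on the Heroku host, while `<saml:Audience>` should equal the SP entity ID. The following is an added diagnostic, not code from Retool, Auth0, or anyone in this thread; the Response XML is a constructed, unsigned sample (signature verification is deliberately out of scope here, so this is a field check, not a validator), and the `example-retool.herokuapp.com` and `example.auth0.com` names are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAML Response: Destination/Recipient are the ACS URL, Audience is
# the SP entity ID. These are distinct fields and the IdP fills them separately.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2021-01-01T00:00:01Z"
    Destination="https://example-retool.herokuapp.com/saml/login"
    InResponseTo="_example-id-1">
  <saml:Issuer>urn:example.auth0.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-01T00:00:01Z">
    <saml:Issuer>urn:example.auth0.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>chris@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://example-retool.herokuapp.com/saml/login"
            InResponseTo="_example-id-1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://tryretool.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def decode_post_binding(saml_response: str) -> str:
    """The POST binding carries the Response as plain base64 of the XML."""
    return base64.b64decode(saml_response).decode("utf-8")


def inspect_response(xml_text: str) -> dict:
    """Extract where the response was sent and which SP the assertion is for."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    conf = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/"
                     "saml:SubjectConfirmationData", NS)
    audience = root.find("saml:Assertion/saml:Conditions/saml:AudienceRestriction/"
                         "saml:Audience", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "destination": root.get("Destination"),
        "recipient": conf.get("Recipient") if conf is not None else None,
        "audience": audience.text.strip() if audience is not None and audience.text else None,
        "in_response_to": root.get("InResponseTo"),
        "status": status.get("Value") if status is not None else None,
    }


def check_response(info: dict, expected_acs_url: str, expected_entity_id: str) -> list:
    """Report which of the three routing/audience fields disagree with the SP config."""
    findings = []
    if info["destination"] != expected_acs_url:
        findings.append("Destination %r != ACS URL %r" % (info["destination"], expected_acs_url))
    if info["recipient"] != expected_acs_url:
        findings.append("Recipient %r != ACS URL %r" % (info["recipient"], expected_acs_url))
    if info["audience"] != expected_entity_id:
        findings.append("Audience %r != SP entity ID %r" % (info["audience"], expected_entity_id))
    return findings


if __name__ == "__main__":
    info = inspect_response(SAMPLE_RESPONSE)
    print(info)
    for finding in check_response(info, "https://example-retool.herokuapp.com/saml/login",
                                  "https://example-retool.herokuapp.com"):
        print("MISMATCH:", finding)
```

On a real deployment, copy the `SAMLResponse` form field from the POST to the ACS endpoint (browser network tab), run it through `decode_post_binding` and then `inspect_response`. A response that lands on the wrong host is a `Destination`/`Recipient` problem, which is governed by the callback URL configured at the IdP; an assertion the SP rejects as "wrong audience" is an `Audience` problem, which is governed by the entity ID on both sides. Keeping the two apart tells you which setting to change.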

This is my first experience with SAML so I’m learning on the fly here.

Totally fair, happy to walk through it with you! Actually, would you be willing to hop on a video call sometime to go over this config, and I can compare what’s on my side to yours? Let me know if so and I can message you separately to book a time -