Has anyone successfully integrated FusionAuth with Metabase using SAMLv2?
-
I'm a regular user of both Fusionauth and Metabase, but I've hit a wall trying to integrate the two using FA as the IdP and MB as the SP. Have others successfully created workable FA>MB SAML solutions?
My intended flow: https://my.website.com (Site) > https://metabase.website.com/auth/sso (ACS/redirect, authenticated by FA) >
https://my.website.com/metabase (Interactive embedded MB page)I keep getting the following error: The SAML AuthnRequest was invalid or did not pass validation. The error code is [Requester] and the error message is [Invalid AssertionConsumerServiceURL].
Metabase isn't correctly signing the SAML auth request. Their request encodes https://metabase.website.com/ as the ACS URL despite https://metabase.website.com/auth/sso being hardcoded in MB.
I suspect the issue is with Metabase due to a number of inconsistencies in their configs and docs, but I'm not 100% certain. For instance, I kept receiving an FA application mapping error until I replaced the "Application Name" field in Metabase (default = 'metabase') with the SAML certificate Issuer domain url.
I'm starting here because 1) anomalies/screwy documentation on Metabase's part make it clear that any solutions likely lie outside their wheelhouse, and 2) this group has likely found a number of creative Metabase integrations that I haven't considered.
Thanks in advance. Let me know if I can provide any specific configs or debugs.
-
@admin-9 I have not worked with Metabase, so I don't think I can be of help there. I do want to make sure you have seen the documentation on configuring FusionAuth as the Service Provider.
It is worth noting the bit about opening up a request for FusionAuth to provide additional examples on Github. It may be worth you time to do that.