GitHub user dosubot[bot] added a comment to the discussion: How to enable Alerts/Reports/Thumbnails with SSO-only authentication in Superset?
Hi @marcosmamorim! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team.

Enabling Alerts, Reports, and Thumbnails in Superset with SSO-only (OAuth) authentication is a common challenge, as headless browsers like Playwright or Selenium are redirected to the SSO login page, resulting in blank or login screenshots. Here’s what is known and what you can try:

**1. Why this happens:** Superset’s async tasks (alerts, reports, thumbnails) impersonate a user context using an executor pattern. When generating screenshots, the worker tries to access dashboards as a specific user, but with SSO-only setups, the headless browser cannot easily authenticate, so it gets redirected to the login page instead of rendering the dashboard/chart [[source](https://github.com/apache/superset/blob/c09f8f6f7665e503a376926700fa815add6892ca/superset/tasks/utils.py)].

**2. No official plugin or built-in workaround exists** for SSO-only environments as of Superset 4.1.1. This is a known limitation and has been discussed in various threads, but there is no out-of-the-box solution for Playwright or Selenium to bypass SSO for background tasks.

**3. Best-practice workarounds:**

- **Guest Token (Embedded) Approach:** If your use case allows, you can use Superset’s Guest Token feature to grant access to dashboards without requiring a login. This is typically used for embedding dashboards but can be adapted for headless browser access. Enable the `EMBEDDED_SUPERSET` feature flag, set up `GUEST_TOKEN_JWT_SECRET`, and generate guest tokens for the resources you want to access. This allows the headless browser to access dashboards as a guest user, bypassing SSO [[discussion](https://github.com/apache/superset/discussions/31949)].
- **Public Role (if security allows):** For non-sensitive dashboards, you can enable the `Public` role and assign it to the dashboards/charts you want to screenshot. This allows unauthenticated access, so the headless browser won’t be redirected to SSO. Set `PUBLIC_ROLE_LIKE = "Gamma"` in your config if you want the public role to have Gamma-like permissions.
- **Machine Auth Cookie:** Superset uses a “machine auth” provider to generate cookies for background tasks. If you can configure a service account in your SSO provider and ensure the worker can authenticate as this user (for example, by pre-generating a session cookie or using a fixed user with a long-lived session), you can set up the executor to always use this account. However, this often requires custom SSO integration and is not natively supported with OAuth-only flows.

**4. Playwright/Selenium configuration tips:** If you are not blocked by SSO, but see timeouts or blank screenshots, increase `SCREENSHOT_LOCATE_WAIT` and `SCREENSHOT_LOAD_WAIT` in `superset_config.py` (e.g., 30 and 60 seconds) [[issue](https://github.com/apache/superset/issues/33132)]. For Selenium, use recommended headless Chrome options (`--headless`, `--no-sandbox`, etc.) [[issue](https://github.com/apache/superset/issues/33602)].

**5. Feature flags:** Try enabling the `PLAYWRIGHT_REPORTS_AND_THUMBNAILS` feature flag and related Playwright config options for alternate screenshotting logic [[issue](https://github.com/apache/superset/issues/33602)].

**6. Executor pattern and user impersonation:** Superset’s async tasks use the executor pattern to impersonate a user (owner, creator, fixed user, etc.) for permission checks and data access. If you can ensure that the impersonated user has a valid session (via guest token, public role, or machine auth), screenshots and reports will work as expected [[source](https://github.com/apache/superset/blob/c09f8f6f7665e503a376926700fa815add6892ca/superset/tasks/thumbnails.py)].

**Summary:** There is no official, fully supported way to bypass SSO for alerts/reports/thumbnails in Superset 4.1.1. The most robust workaround is to use Guest Tokens for embedded dashboards or to make dashboards public if security allows. Otherwise, you would need to implement a custom solution to provide a valid session for the headless browser, which may require changes to your SSO provider or Superset’s authentication logic. If you need more details on configuring Guest Tokens or public dashboards, let me know!

GitHub link: https://github.com/apache/superset/discussions/33654#discussioncomment-13334010
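To make the Guest Token workaround above concrete, here is an added example (not code from the thread or from Superset itself) that mints and verifies an HS256 guest token scoped to a single dashboard, using only the Python standard library. The claim names (`user`, `resources`, `rls_rules`, `type`) follow the layout Superset's guest tokens use as I understand it, and the secret, dashboard UUID and username are constructed placeholders; in a deployment the secret is your `GUEST_TOKEN_JWT_SECRET`.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder: in production this is GUEST_TOKEN_JWT_SECRET from
# superset_config.py, a long random value that never lives in source control.
GUEST_TOKEN_JWT_SECRET = "replace-me-with-a-long-random-secret"
GUEST_TOKEN_JWT_EXP_SECONDS = 300  # short lifetime limits the blast radius of a leaked token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_guest_token(dashboard_uuid: str, username: str, now=None) -> str:
    """Build an HS256 JWT granting guest access to exactly one dashboard."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "user": {"username": username, "first_name": "Report", "last_name": "Worker"},
        "resources": [{"type": "dashboard", "id": dashboard_uuid}],  # least privilege: one resource
        "rls_rules": [],  # add row-level-security clauses here if the data is sensitive
        "iat": now,
        "exp": now + GUEST_TOKEN_JWT_EXP_SECONDS,
        "type": "guest",
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(GUEST_TOKEN_JWT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_guest_token(token: str, now=None) -> dict:
    """Check the signature in constant time and the expiry; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(GUEST_TOKEN_JWT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("type") != "guest" or claims.get("exp", 0) <= now:
        raise ValueError("expired or not a guest token")
    return claims
```

The worker would send the minted token as the `X-GuestToken` header when loading the embedded dashboard; keep the resource list to the one dashboard being screenshotted and the lifetime short, since anyone holding the token gets that access without SSO.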
