I have configured Databricks SSO 2.0 to work with Google as the IdP.
When I try to test it, I get this error: "Single sign-on authentication failed."
Tracing the SAML messages, everything looks correct:
SAML request:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_956****d-44fe-**80-654e-b9ae3c8974e1"
Version="2.0"
IssueInstant="2021-10-19T12:38:10Z"
Destination="https://accounts.google.com/o/saml2/idp?idpid=*****sha*****"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://dbc-***990a9-*****.cloud.databricks.com/saml/consume"
>
<saml:Issuer>https://dbc-****990a9-*****.cloud.databricks.com/saml/consume</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true"
/>
</samlp:AuthnRequest>
SAML response:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://dbc-*****990a9-*****.cloud.databricks.com/saml/consume"
ID="_d32****e5002e8760******d431c69"
InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
IssueInstant="2021-10-19T12:38:21.957Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_cb5ee***08cb7***********bd194"
IssueInstant="2021-10-19T12:38:21.957Z"
Version="2.0"
>
<saml2:Issuer>https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_cb5ee92*******0652**2145*******4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>i45E******dCx*********zXr7AC2RX38=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PeQTj**********************E8O46BoalK+7sblRLA5hCk/xuGRADeuGyGERwdEDdeY5tJK
uDhr+W4oML75eDYMSwYW6ZcDyFXFmQucia7HLD0pI************************************************iYZr8opwuzFkzOnnwulgTwlk9
137uW2/abZFV2M***************==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>*****************IBAgIGAVr9E/j7MA0GCSqGSIb3DQEBCwU***********************************qQIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQBSOUJWpyF3PEpiFHednZqU9U8yJ+fakv9CZrx0tvuAKLKfD7f8cZpH4FORCVg82stN3mOd
BlZ+3PyVr/tGz4Lf1vbXULC256HvmKBFI8jc/N*******************************</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">danilo.ca*****@********.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
NotOnOrAfter="2021-10-19T12:43:21.957Z"
Recipient="https://dbc-*******990a9-******.cloud.databricks.com/saml/consume"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-10-19T12:33:21.957Z"
NotOnOrAfter="2021-10-19T12:43:21.957Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>https://dbc-*******990a9-******.cloud.databricks.com/saml/consume</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-10-19T12:38:21.000Z"
SessionIndex="_**ee**********7c40*****cddbbd194"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
All the information in the SAML looks correct (my email, the Google IdP ID, the Databricks URL), but it still fails.
Accepted answer
Here is the documentation for Google Workspace SSO:
v1: https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite.html
v2: https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite20.html
Troubleshooting documentation:
If you are using Google Workspace (formerly GSuite) single sign-on (SSO v2.0),
double-check step 7: (Required) select "Signed response".
The response must also be signed.
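The posted response shows the difference the answer is pointing at: the ds:Signature sits inside saml2:Assertion (its ds:Reference URI is the assertion ID), while the outer saml2p:Response has no signature of its own. As an added example that is not part of the question or the answer, the Python script below parses a response shaped like the one posted and reports where the signature is, together with the other bindings a service provider checks before verifying anything (InResponseTo on both the response and the SubjectConfirmationData, Destination, Recipient, Audience, validity window, issuer). The sample response, all URLs, IDs, timestamps and the digest/signature values are constructed placeholders; it does not verify the signature cryptographically (that needs xmlsec or a SAML library), it only checks placement and bindings. Because the posted AuthnRequest uses the ACS URL as its Issuer, the Audience is compared against the ACS URL here; in general it should be compared against the SP entity ID.

```python
"""Structural pre-checks on a SAML 2.0 Response: signature placement and bindings.
Constructed example; no cryptographic verification is performed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# --- constructed sample data (placeholders, not the values from the question) ---
SAMPLE_ACS = "https://dbc-example.cloud.databricks.com/saml/consume"
SAMPLE_IDP = "https://accounts.google.com/o/saml2?idpid=EXAMPLE"
SAMPLE_REQUEST_ID = "ONELOGIN_00000000-0000-4000-8000-000000000001"
SAMPLE_ASSERTION_ID = "_assertion0001"
SAMPLE_NOW = datetime(2021, 10, 19, 12, 38, 30, tzinfo=timezone.utc)

# Enveloped-signature skeleton; DigestValue/SignatureValue are placeholders.
_SIGNATURE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#{ref}">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
</ds:Signature>"""

# Same shape as the posted response: only the Assertion is signed.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="{SAMPLE_ACS}" ID="_response0001" InResponseTo="{SAMPLE_REQUEST_ID}"
    IssueInstant="2021-10-19T12:38:21.957Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">{SAMPLE_IDP}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="{SAMPLE_ASSERTION_ID}"
      IssueInstant="2021-10-19T12:38:21.957Z" Version="2.0">
    <saml2:Issuer>{SAMPLE_IDP}</saml2:Issuer>
    {_SIGNATURE.format(ref=SAMPLE_ASSERTION_ID)}
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="{SAMPLE_REQUEST_ID}"
            NotOnOrAfter="2021-10-19T12:43:21.957Z" Recipient="{SAMPLE_ACS}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2021-10-19T12:33:21.957Z" NotOnOrAfter="2021-10-19T12:43:21.957Z">
      <saml2:AudienceRestriction><saml2:Audience>{SAMPLE_ACS}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

# What "Signed response" adds: a second signature directly under samlp:Response,
# placed after the Issuer and referencing the Response ID.
SAMPLE_RESPONSE_SIGNED = SAMPLE_RESPONSE.replace(
    "<saml2p:Status>", _SIGNATURE.format(ref="_response0001") + "<saml2p:Status>", 1)


def _parse_ts(value):
    """SAML timestamps are UTC ('Z'), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAML timestamp: {value!r}")


def _has_direct_signature(elem):
    """Only a ds:Signature that is a direct child belongs to this element;
    a signature nested deeper signs something else."""
    return any(child.tag == f"{{{NS['ds']}}}Signature" for child in elem)


def check_saml_response(xml_text, acs_url, idp_entity_id, request_id, now):
    """Return a dict of named checks (True = passed). Signature placement only; no crypto."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("document root is not samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext saml:Assertion (encrypted assertions are out of scope)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    audiences = {a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    issuers = {e.text for e in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)) if e is not None}
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {
        "status_success": status is not None and status.get("Value") == SUCCESS,
        "response_signed": _has_direct_signature(root),
        "assertion_signed": _has_direct_signature(assertion),
        "assertion_signature_covers_assertion": ref is not None and ref.get("URI") == "#" + (assertion.get("ID") or ""),
        "issuer_ok": issuers == {idp_entity_id},
        "in_response_to_ok": root.get("InResponseTo") == request_id
                             and conf is not None and conf.get("InResponseTo") == request_id,
        "destination_ok": root.get("Destination") == acs_url,
        "recipient_ok": conf is not None and conf.get("Recipient") == acs_url,
        "audience_ok": acs_url in audiences,
        "within_validity": cond is not None
                           and _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")),
    }


def problems(findings):
    """Names of the failed checks; an empty list means the structure is as expected."""
    return [name for name, ok in findings.items() if not ok]


if __name__ == "__main__":
    for label, doc in (("assertion-only signature", SAMPLE_RESPONSE), ("signed response", SAMPLE_RESPONSE_SIGNED)):
        f = check_saml_response(doc, SAMPLE_ACS, SAMPLE_IDP, SAMPLE_REQUEST_ID, SAMPLE_NOW)
        print(f"{label}: failed checks = {problems(f)}")
```

Run as-is, the first sample reports only `response_signed` as failed, which is exactly the situation in the question: every binding matches, but the Response itself carries no signature. The direct-child test in `_has_direct_signature` is deliberate: a signature found anywhere in the tree does not establish which element it covers, and a verifier that searches the whole document for a ds:Signature is the starting point for signature-wrapping bypasses.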
Original question on Stack Overflow (single-sign-on: Databricks SSO authentication failed | Google IdP): https://stackoverflow.com/questions/69631314/