Databricks SSO 身份验证失败 |谷歌 IdP

Question

我已将 Databricks SSO 2.0 配置为与 Google 作为 IdP 合作

当我尝试对其进行测试时，我收到此错误：“单点登录身份验证失败。”

跟踪 SAML 消息，一切看起来都正确：

SAML 请求：

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ONELOGIN_956****d-44fe-**80-654e-b9ae3c8974e1"
                    Version="2.0"
                    IssueInstant="2021-10-19T12:38:10Z"
                    Destination="https://accounts.google.com/o/saml2/idp?idpid=*****sha*****"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://dbc-***990a9-*****.cloud.databricks.com/saml/consume"
                    >
    <saml:Issuer>https://dbc-****990a9-*****.cloud.databricks.com/saml/consume</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>

SAML 响应：

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://dbc-*****990a9-*****.cloud.databricks.com/saml/consume"
                 ID="_d32****e5002e8760******d431c69"
                 InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
                 IssueInstant="2021-10-19T12:38:21.957Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_cb5ee***08cb7***********bd194"
                     IssueInstant="2021-10-19T12:38:21.957Z"
                     Version="2.0"
                     >
        <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_cb5ee92*******0652**2145*******4">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>i45E******dCx*********zXr7AC2RX38=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>PeQTj**********************E8O46BoalK+7sblRLA5hCk/xuGRADeuGyGERwdEDdeY5tJK
uDhr+W4oML75eDYMSwYW6ZcDyFXFmQucia7HLD0pI************************************************iYZr8opwuzFkzOnnwulgTwlk9
137uW2/abZFV2M***************==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
                    <ds:X509Certificate>*****************IBAgIGAVr9E/j7MA0GCSqGSIb3DQEBCwU***********************************qQIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQBSOUJWpyF3PEpiFHednZqU9U8yJ+fakv9CZrx0tvuAKLKfD7f8cZpH4FORCVg82stN3mOd
BlZ+3PyVr/tGz4Lf1vbXULC256HvmKBFI8jc/N*******************************</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">danilo.ca*****@********.com</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
                                               NotOnOrAfter="2021-10-19T12:43:21.957Z"
                                               Recipient="https://dbc-*******990a9-******.cloud.databricks.com/saml/consume"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2021-10-19T12:33:21.957Z"
                          NotOnOrAfter="2021-10-19T12:43:21.957Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://dbc-*******990a9-******.cloud.databricks.com/saml/consume</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2021-10-19T12:38:21.000Z"
                              SessionIndex="_**ee**********7c40*****cddbbd194"
                              >
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

SAML 中的所有信息看起来都是正确的，我的电子邮件、谷歌 ID、databricks 网址仍然失败。

Answer 1

这是 Google 工作区 SSO 的文档：

v1：https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite.html v2：https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite20.html

疑难解答文档：

https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#troubleshooting

如果您使用的是 Google Workspace（以前称为 GSuite）单点登录 (SSO v2.0)。

仔细检查第 7 步：(Required) Select Signed response.。响应也必须签名。

Answer 2

解决办法是把签名的响应标记到签名会在断言标签之前

   <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://*************.cloud.databricks.com/saml/consume"
                 ID="******************d3952e02"
                 InResponseTo="ONELOGIN_bc2cb9***************7-bb86-0***********fc4"
                 IssueInstant="2021-10-28T12:48:45.663Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=************</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_****************46dd50562**************52e02">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>***********2kA0VqohW***************OeeTyCnKuvVlGI=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>*****************************JmIrnaHPRjm87OXyqnvOhNBjKD24BfBxnodbUmx9IeWKT4mBS13huje99DBl9S9
USPnKD3zwb1htVBWbT1TxSeD6EUZbl8**********************************3ODow==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
                <ds:X509Certificate>MIIDd**************************************UgwwH4Y/yQZx</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>