SSO SAML authentication error with PingFederate

Written by ashwin

Last published at: February 25th, 2022

Problem

When using PingFederate to authenticate over an SSO connection with Databricks, the redirection fails with the following error:

  19/12/21 01:27:01 ERROR SamlAuthenticator[root=ServiceMain-6c710d1c1fca0002 parent=ServiceMain-6c710d1c1fca0002 op=HttpServer-6c710d1c1fdf2812]: SAML login failed unexpectedly
  java.lang.IllegalArgumentException: com.google.common.io.BaseEncoding$DecodingException: Unrecognized character: :
          at com.google.common.io.BaseEncoding.decode(BaseEncoding.java:248)
          at com.databricks.common.authentication.saml.SamlAuthenticator.validateRequest(SamlAuthenticator.scala:154)
          at com.databricks.common.web.WrappingAuthenticator.validateRequest(WrappingAuthenticator.scala:98)
          at com.databricks.common.web.CustomErrorAuthenticator.validateRequest(CustomErrorAuthenticator.scala:45)

Cause

This happens because PingFederate uses multiple authentication sources simultaneously to fulfill various policy requirements, depending on the user and device context.

When you are using LDAP for backend authentication, PingFederate acts as an adapter that passes along communications to the LDAP server. The SAML response is generated based on the LDAP settings, which override the PingFederate SSO settings.

Solution

To authenticate over SSO, your LDAP SAML issuer must be entered as the Identity Provider Entity ID in the Databricks Admin Console.

  1. Locate the LDAP SAML issuer in your PingFederate settings.
  2. Log in to the Databricks workspace.
  3. Open the Admin Console.
  4. Click the Single Sign On tab.
  5. Enter the SAML issuer information from your PingFederate settings in the Identity Provider Entity ID field.
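Before changing the Admin Console setting, it helps to confirm which issuer PingFederate is actually sending. The script below is an added example, not code from the original article or from Databricks: it performs the same strict base64 decode that fails in the stack trace above, then extracts the <saml:Issuer> from the decoded response and compares it with the Entity ID configured on the workspace. The issuer URLs and the sample response are constructed for the example.

```python
import base64
import string
import xml.etree.ElementTree as ET

# Namespace of SAML 2.0 assertion elements; the top-level <saml:Issuer> lives here.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

def find_issuer(xml_bytes):
    """Return the text of the top-level <saml:Issuer> element, or None if absent."""
    root = ET.fromstring(xml_bytes)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return issuer.text.strip() if issuer is not None and issuer.text else None

def diagnose(saml_response_param, configured_entity_id):
    """Classify a SAMLResponse POST parameter: strict base64 decode first, then
    compare the Issuer with the Identity Provider Entity ID set on the workspace."""
    try:
        xml_bytes = base64.b64decode(saml_response_param, validate=True)
    except ValueError:  # binascii.Error is a ValueError; non-ASCII input also lands here
        # Same failure class as the Guava DecodingException in the stack trace:
        # report the first character that is not in the base64 alphabet.
        bad = next((c for c in saml_response_param if c not in B64_ALPHABET), "?")
        return f"decode-error: unrecognized character {bad!r}"
    try:
        issuer = find_issuer(xml_bytes)
    except ET.ParseError:
        return "parse-error: decoded payload is not XML"
    if issuer is None:
        return "no-issuer: response carries no <saml:Issuer>"
    if issuer != configured_entity_id:
        return (f"issuer-mismatch: response issuer {issuer!r} does not equal the "
                f"configured Identity Provider Entity ID {configured_entity_id!r}")
    return "ok"

# Constructed sample: a minimal SAML response whose issuer is the LDAP-backed
# issuer rather than the PingFederate SSO entity ID the workspace was configured with.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://ldap-idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""
GOOD_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML).decode("ascii")
# Constructed sample: a value that was never base64-encoded at all.
RAW_PARAM = "urn:example:not-base64"

if __name__ == "__main__":
    print(diagnose(GOOD_PARAM, "https://pingfederate.example.com/sso"))
    print(diagnose(RAW_PARAM, "https://ldap-idp.example.com"))
```

Feed it the SAMLResponse value captured from the browser's POST to the Databricks ACS endpoint; an issuer-mismatch result names the exact string to enter in the Identity Provider Entity ID field.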