Problem
You experience single sign-on (SSO) failures when authenticating in Databricks through Active Directory Federation Services (AD FS). The following error message displays in the browser after login.
{ "message" : "The service at / is temporarily unavailable. Please try again later [TraceId: -]", "error_code": "TEMPORARILY_UNAVAILABLE"}
Cause
AD FS sent a malformed SAML response in which the emailaddress attribute value is improperly formatted.

The emailaddress attribute value in the SAML XML contains a newline character (\n) after the email address. XML treats a newline as whitespace, but whitespace inside an element's text content is significant and is not trimmed by the parser, so the newline becomes part of the asserted value ("first.last@domain.com\n" rather than "first.last@domain.com"). The value no longer matches the email address the service expects, so attribute processing fails during authentication.
Solution
1. Verify the email address formatting in AD FS.
2. Remove any trailing newline or whitespace characters from the emailaddress attribute value.
3. Even if the emailaddress attribute appears correct and contains no visible spaces or newline characters, remove the affected user (for example, yourself) from AD FS and add them again. This ensures that any cached or incorrect metadata associated with the credential is cleared and updated.
The following XML shows a correctly formatted emailaddress attribute: the email address is followed immediately by the closing AttributeValue tag, with no line break in between.
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>first.last@domain.com</AttributeValue>
</Attribute>
</AttributeStatement>
4. Validate the SAML response. Open your browser's developer tools (Network tab) before initiating SSO, locate the POST request that carries the SAMLResponse form parameter, copy its value, and decode it. The value is base64-encoded; when copied from a request body it is usually also URL-encoded, so URL-decode it first.
Alternatively, if you have access to a bash shell with xmllint installed, you can decode it locally using the following command.
$ echo "<encoded_saml_response>" | tr -d '\n' | base64 -d | xmllint --format -
Pretty-printed output can make a trailing newline inside AttributeValue easy to miss, so inspect the raw text of that element (for example, by displaying non-printing characters) rather than relying on the indentation alone.
5. Confirm that the emailaddress attribute value is correctly formatted without any newline characters.
6. Reattempt authentication to ensure the issue is resolved.
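As an added check (example code written for this article, not part of the original page or of any Databricks or AD FS tooling), the Python script below performs the decode-and-inspect steps above programmatically. It URL-decodes and base64-decodes a copied SAMLResponse value, parses the XML, and reports the exact text of every emailaddress AttributeValue using repr(), so a trailing newline is visible instead of being hidden by pretty-printing. The two embedded SAML responses are constructed, minimal and unsigned, and exist only to exercise the checker; the function and variable names are this example's own assumptions.

```python
"""Check a SAMLResponse for an emailaddress attribute value with stray whitespace."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# Claim URI used by AD FS for the email address attribute (as shown in the article).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def decode_saml_response(saml_response: str) -> bytes:
    """Return the raw XML carried by a SAMLResponse form parameter.

    A value copied from a browser's network inspector is usually still
    URL-encoded, so URL-decode first, then drop any line breaks that a
    copy/paste may have introduced before base64-decoding.
    """
    b64 = urllib.parse.unquote(saml_response).replace("\n", "").replace("\r", "")
    return base64.b64decode(b64)


def local_name(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}Attribute' -> 'Attribute')."""
    return tag.rsplit("}", 1)[-1]


def email_attribute_values(xml_bytes: bytes) -> list[str]:
    """Return the untrimmed text of every AttributeValue under the emailaddress Attribute."""
    root = ET.fromstring(xml_bytes)
    values = []
    for attr in root.iter():
        if local_name(attr.tag) == "Attribute" and attr.get("Name") == EMAIL_CLAIM:
            for val in attr:
                if local_name(val.tag) == "AttributeValue":
                    values.append(val.text or "")
    return values


def check_email_values(xml_bytes: bytes) -> list[dict]:
    """Report each emailaddress value and whether it carries leading/trailing whitespace."""
    report = []
    for raw in email_attribute_values(xml_bytes):
        report.append({
            "raw": raw,
            "stripped": raw.strip(),
            "has_stray_whitespace": raw != raw.strip(),
        })
    return report


def build_sample_response(email_value: str) -> str:
    """Constructed, minimal, unsigned SAML response used only to exercise the checker.

    This is not a real AD FS capture: signature, Issuer, Subject and Conditions
    elements are omitted because the checker only inspects the AttributeStatement.
    """
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">'
        '<saml:Assertion ID="_2" Version="2.0">'
        '<saml:AttributeStatement>'
        f'<saml:Attribute Name="{EMAIL_CLAIM}">'
        f'<saml:AttributeValue>{email_value}</saml:AttributeValue>'
        '</saml:Attribute>'
        '</saml:AttributeStatement>'
        '</saml:Assertion>'
        '</samlp:Response>'
    )
    # Encode the way a browser submits it: base64, then URL-encoded as a form value.
    return urllib.parse.quote(base64.b64encode(xml.encode()).decode(), safe="")


# Constructed samples: the "bad" one reproduces the trailing newline from the article.
BAD_RESPONSE = build_sample_response("first.last@domain.com\n")
GOOD_RESPONSE = build_sample_response("first.last@domain.com")


if __name__ == "__main__":
    for label, response in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        for finding in check_email_values(decode_saml_response(response)):
            # repr() exposes the '\n' that pretty-printed XML would hide.
            print(label, repr(finding["raw"]), "stray whitespace:", finding["has_stray_whitespace"])
```

Run the script as-is to see the constructed bad sample flagged and the good one pass, or pass a SAMLResponse value copied from the browser to `check_email_values(decode_saml_response(value))`. The checker only inspects the attribute text; it does not verify the response signature, so use it for troubleshooting the formatting problem described above, not as a substitute for the service provider's own validation.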