0

I have enabled AWS private link to access snowflake and there is no Issue with the Link, when Integrating with SSO using Jumpcloud, after login it just throws 400 Error

For Troubleshhot I have tried but they didn't work

  1. https://support.snowflake.net/s/article/Error-400-Bad-Request-while-SSO-login-to-Snowflake
  2. https://community.snowflake.com/s/article/Configuring-your-IDP-to-Snowflake-by-providing-required-properties-in-a-SAML-Response

This is JumpCloud SSO Setting

Jump Cloud Config

Here is complete SAML Response, but still getting 400 Error any Idea from snowflake troubleshooting will help to resolve this Issue 

<?xml version="1.0" encoding="UTF-8"?>
    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                     Destination="https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/"
                     ID="AUZZ04QP5VMGW46F5YJZROMK164PY2C1QQ6XNXJJ"
                     InResponseTo="id-6417485141254017599_-1"
                     IssueInstant="2020-05-13T07:59:21.927Z"
                     Version="2.0">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://8gwifi.org</saml2:Issuer>
      <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></saml2p:Status>
      <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                       ID="OVOSTV678D3AU2SQM6PSUDG2YHNSQMN4HJR9SGI2"
                       IssueInstant="2020-05-13T07:59:21.927Z"
                       Version="2.0">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://8gwifi.org</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#OVOSTV678D3AU2SQM6PSUDG2YHNSQMN4HJR9SGI2">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
              <ds:DigestValue>nxftTo6YnJGZR+qhRSJlPoMuNMMFwoxftmNAX/YDQaI=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>
    cvamdwGY/8VZ+n4gDoLoEt+z6fZCLmPuvv/u4qeYOZd/fMg28Jz7kt2FU27WDHbOkx21LEFJ/g2Mlt8X++MP8hhHNqqb8x42YZzyHTv4dmfz3xapSQ17iDJILlfsc2odr5xPjkScz+wNPxCTUsA8kCrfeTfnGJOyn7t6uq7zMh87uUmlIob04CYbV/1SZpD2Xz6Jij9UsBiP82QSbTWAs4gePDcnS0TKe0HGfkNYxhCQBlIR40tBrte4KRpxuoXo00aMXXR0f0qilfU2nvYWeZVnQFBLfFOKZmlKxuhRUyiEYr9iVTjI8uxLt9oJ/XFFC5cuZjRl1FlKExGwouGbcpHUt7Gx9XeCPlVD3z9bi33X4Hi8mwbD6uX0lcgcJQ82RbppIya+7Q0bTzSh5nCKAu+vIlTXNKlHnwM5ax7HNxfDJedcLgEpaJ0qntnH67TyjFQg/NPOb54wtjkOi9/qxnI/ND2EMnWP4O6jMlmwknLLEuW2iqgF9wBN0mM4EfmgniaUjixWVvr0aT2sFNcC7BalUkdBJWXCN6PYabm2exye4zYb2C9FyiDjzrsLYuctXCU19js1vhukIftYMG13ds+ZSL6enseFSHKqI1EYNWOogmGkgZJWOeH7BL5Xgeq5HhBn8teUvGc519p7J/2LkoGfEyJ4K0SPyTLoC1R5poA=
    </ds:SignatureValue>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>
    M=........
    .................
    </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
          <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">anish2good@yahoo.co.in</saml2:NameID>
          <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="id-6417485141254017599_-1"
                                           NotOnOrAfter="2020-05-13T08:04:21.927Z"
                                           Recipient="https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/" /></saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2020-05-13T07:54:21.927Z"
                          NotOnOrAfter="2020-05-13T08:04:21.927Z">
          <saml2:AudienceRestriction>
            <saml2:Audience>https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/</saml2:Audience>
          </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2020-05-13T07:59:21.927Z"
                              SessionIndex="ed8df976-6c7d-458e-ad23-1657133d3a00">
          <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
          </saml2:AuthnContext>
        </saml2:AuthnStatement>
      </saml2:Assertion>
    </saml2p:Response>
anish
  • 6,884
  • 13
  • 74
  • 140

1 Answers1

0

To get SSO to work with PrivateLink, you need to contact support. By default you can configure SSO only on Public URL or Private URL. You cannot have SSO configured for both the URls. Also SSO by default is enabled on the Public URL. You can check this out by using the Public URL in the JumpBox configuration and confirm if this works. So if this works and you want to have SSO over Private URL, contact support and they will enable the SSO for the PrivateLink.

Anshul Thakur
  • 484
  • 2
  • 5
  • Thanks but this doesn't help , the private link is already setup and I can login without SSO, only with SSO it doesn't work – anish May 15 '20 at 06:59