Troubleshoot SAML
This topic provides information about resolving issues that can occur when you configure SAML authentication.
SAML and Enable Automatic Logon
If you are using SAML and if Tableau Server is also configured to use Active Directory, do not also select Enable automatic logon. Enable automatic logon and SAML cannot both be used on the same server installation.
HTTP status 500 error when configuring SAML
Under some circumstances you might get an HTTP status 500 error and see the following error after enabling SAML and navigating to the Tableau Server URL in a browser:
org.opensaml.saml2.metadata.provider.MetadataProviderException: User specified binding is not supported by the Identity Provider using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
To help resolve this error, make sure of the following:
The IdP URL for the SSO profile specified in the SAML tab is correct.
The IdP URL for the SSO profile provided while creating the service provider in the IdP is correct.
The IdP is configured to use HTTP-POST requests. (Redirect and SOAP are not supported.)
If any of these settings were not correct, make appropriate updates and then perform the SAML configuration steps again, starting with generating and exporting the XML metadata document from Tableau Server.
If these settings are correct, but you still see the error, examine the metadata XML that is produced by Tableau Server and by the IdP, as described in SAML Requirements.
Signing in from the command line
SAML is not used for authentication when you sign in to Tableau Server using tabcmd or the Tableau Data Extract command line utility (provided with Tableau Desktop), even if Tableau Server is configured to use SAML. These tools require the authentication configured when Tableau Server was originally installed (either local authentication or AD).
Login fails: Failed to find the user
Login fails with the following message:
Login failure: Identity Provider authentication successful for user <username from IdP>. Failed to find the user in Tableau Server.
This error typically means that there is a mismatch between the usernames stored in Tableau Server and provided by the IdP. To fix this, make sure that they match. For example, if Jane Smith's username is stored in the IdP as jsmith, it must be stored in Tableau Server as jsmith.
Login fails: SSL offloading
Login fails with the following message:
Unable to Sign In - Invalid username or password.
Additionally, the vizportal logs (set to debug mode) contain the following message:
DEBUG com.tableau.core.util.RemoteIP - Found header null in X-FORWARDED-PROTO
Note: To log SAML-related events, vizportal.log.level must be set to debug. For more information, see Change Logging Levels.
This combination of messages indicates a misconfiguration of an external proxy server that is offloading SSL for the connection to Tableau Server. To resolve this issue, see the KB article, "Unable to Sign In" and "Invalid username or password" Error With SAML After Upgrading.
SAML error log
SAML authentication takes place outside Tableau Server, so troubleshooting authentication issues can be difficult. However, login attempts are logged by Tableau Server. You can create a snapshot of log files and use them to troubleshoot problems. For more information, see Log File Snapshots (Archive Logs).
Note: To log SAML-related events, vizportal.log.level must be set to debug. For more information, see Change Logging Levels.
Check for SAML errors in the following files in the unzipped log file snapshot:
\vizportal\vizportal-<n>.log
The application process (vizportal.exe) handles authentication, so SAML responses are logged by that process.
Trailing slash
On the SAML tab, confirm that the Tableau Server return URL does not end with a trailing slash.
Correct: http://tableau_server
Incorrect: http://tableau_server/
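The following script checks for three of the conditions described on this page: an IdP metadata document that advertises no HTTP-POST SingleSignOnService endpoint (the cause behind the HTTP 500 binding error), a return URL with a trailing slash, and the two vizportal log messages quoted above. It is an added example, not Tableau's code; the IdP host names, metadata document and log lines are constructed, and only the standard SAML 2.0 metadata namespace and binding URIs are real identifiers.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# The two vizportal log messages this page describes, keyed by the failure they indicate.
LOG_PATTERNS = {
    "user_not_found": re.compile(
        r"authentication successful for user (.+?)\. Failed to find the user"),
    "ssl_offloading": re.compile(r"Found header null in X-FORWARDED-PROTO"),
}

def idp_post_sso_urls(metadata_xml):
    """Return the Location of each SingleSignOnService the IdP advertises with the
    HTTP-POST binding. An empty list is the condition behind the HTTP 500
    'User specified binding is not supported by the Identity Provider' error."""
    root = ET.fromstring(metadata_xml)
    return [sso.get("Location")
            for sso in root.iter("{%s}SingleSignOnService" % MD_NS)
            if sso.get("Binding") == HTTP_POST]

def return_url_ok(url):
    """The Tableau Server return URL on the SAML tab must not end with a slash."""
    return not url.endswith("/")

def scan_vizportal_log(lines):
    """Group log lines that match a known SAML failure message by failure name."""
    hits = {name: [] for name in LOG_PATTERNS}
    for line in lines:
        for name, pattern in LOG_PATTERNS.items():
            if pattern.search(line):
                hits[name].append(line.strip())
    return hits

# Constructed sample IdP metadata (hypothetical IdP, not a real deployment).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="%s" Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (MD_NS, HTTP_POST)

# Constructed vizportal log lines modelled on the messages quoted on this page.
SAMPLE_LOG = [
    "DEBUG com.tableau.core.util.RemoteIP - Found header null in X-FORWARDED-PROTO",
    "INFO  Login failure: Identity Provider authentication successful for user jsmith. Failed to find the user in Tableau Server.",
    "INFO  Login success for user jdoe",
]
```

Point idp_post_sso_urls at the metadata XML exported from your IdP and scan_vizportal_log at the vizportal-<n>.log files from a log snapshot; an empty URL list or any non-empty hit list points at the corresponding section above.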
Confirm connectivity
Confirm that the Tableau Server you are configuring has either a route-able IP address or a NAT at the firewall that allows two-way traffic directly to the server.
You can test your connectivity by running telnet on Tableau Server and attempting to connect to the SAML IdP. For example: C:\telnet 12.360.325.10 80
The above test should connect you to the HTTP port (80) on the IdP, and you should receive an HTTP header.
Multiple domains
On the SAML tab, confirm that the Tableau Server Domain attribute is left blank, so that the domain is detected from the domain\username format in the SAML assertion.
Correct: <empty>
Incorrect: yourdomain.com