This topic provides information about resolving issues that can occur when you configure SAML authentication.
SAML and Enable Automatic Logon
If you are using SAML and if Tableau Server is also configured to use Active Directory, do not also select Enable automatic logon. Enable automatic logon and SAML cannot both be used on the same server installation.
HTTP Status 500 error when configuring SAML
Under some circumstances you might get an HTTP status 500 error and see the following error after enabling SAML and navigating to the Tableau Server URL in a browser:
org.opensaml.saml2.metadata.provider.MetadataProviderException: User specified binding is not supported
by the Identity Provider using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
To help resolve this error, make sure of the following:
The IdP URL for the SSO profile specified in the SAML tab is correct.
The IdP URL for the SSO profile provided while creating the service provider in the IdP is correct.
The IdP is configured to use
HTTP-POSTrequests. (Redirect and SOAP are not supported.)
If any of these settings were not correct, make appropriate updates and then perform the SAML configuration steps again, starting with generating and exporting the XML metadata document from Tableau Server.
If these settings are correct, but you still see the error, examine the metadata XML that is produced by Tableau Server and by the IdP, as described in SAML Requirements.
Signing In from the Command Line
SAML is not used for authentication when you sign in to Tableau Server using tabcmd or the Tableau Data Extract command line utility (provided with Tableau Desktop), even if Tableau Server is configured to use SAML. These tools require the authentication configured when Tableau Server was originally installed (either local authentication or AD).
Login can fail with the following message:
>Login failure: Identity Provider authentication successful for user <username from IdP>. Failed to find the user in Tableau Server.
This error typically means that there is a mismatch between the usernames stored in Tableau Server and provided by the IdP. To fix this, make sure that they match. For example, if Jane Smith's username is stored in the IdP as
jsmith it must be stored in Tableau Server as
SAML Error Log
SAML authentication takes place outside Tableau Server, so troubleshooting authentication issues can be difficult. However, login attempts are logged by Tableau Server. You can create a snapshot of log files and use them to troubleshoot problems. For more information, see Log File Snapshots (Archive Logs).
Note:To log SAML-related events,
vizportal.log.level must be set to
debug. For more information, see Change Logging Levels.
Check for SAML errors in the following files in the unzipped log file snapshot:
In Tableau Server 9.0 and later, the application process (vizportal.exe) handles authentication, so SAML responses are logged by that process.
On the SAML tab, confirm that the Tableau Server return URL does not end with a trailing slash
Confirm that the Tableau Server you are configuring has either a routeable IP address or a NAT at the firewall that allows two-way traffic directly to the server.
You can test your connectivity by running telnet on Tableau Server and attempting to connect with the SAML IdP. For example:
C:\telnet 12.360.325.10 80
The above test should connect you to the HTTP port (80) on the IdP and you should receive an HTTP header.