Allow to set a value larger than 24 days (2073600 sec) as maxAuthenticationAge on Tableau Server

score 17
Released

Background

We are facing <http://kb.tableau.com/articles/issue/intermittent-error-unable-to-sign-in-with-saml-sso-on-tableau-server> in SAML authentication with Azure AD.

 

In the KB, it is written that the resolution for this issue is to configure the IdP and Tableau Server to have the same maximum authentication age.

And the highest possible setting for Tableau Server's maximum authentication age is 2073600 seconds (i.e. 24 days).

 

But on Azure AD I think there is no way to configure the maximum authentication age, and its max value is more than 24 days.

This means we cannot permanently resolve this issue when we configure SAML with Azure AD.

 

Request

Please make it possible to set a value larger than 24 days (2073600 sec) as maxAuthenticationAge on Tableau Server for Linux.

Hopefully larger than 90 days.

 

Additional Information

I believe Tableau Server for Linux uses the spring-security-saml module for its SAML authentication implementation and its version is 1.0.0.RC2.

And I believe if you update this module's version above 1.0.1.RELEASE, we will be able to set a value larger than 2073600 for the maxAuthenticationAge attribute.

* Commit on the spring-security-saml module which allows setting a large value for maxAuthenticationAge.

https://github.com/spring-projects/spring-security-saml/commit/1a74cc48d0c5b04071431830e5e56ea55250f9e2

 

* Our log when error happens

2018-02-27 13:26:34.252 +0000 (,,,,) catalina-exec-3 : DEBUG org.springframework.security.saml.websso.WebSSOProfileConsumerImpl - Authentication statement is too old to be used with value 2018-02-27T12:56:41.566Z

2018-02-27 13:26:34.252 +0000 (,,,,) catalina-exec-3 : DEBUG org.springframework.security.saml.websso.WebSSOProfileConsumerImpl - Validation of received assertion failed, assertion will be skipped

org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used

at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:526)

at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:304)

at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:204)

...

 

* The Vizportal SAML module seems to be version 1.0.0.RC2

/var/opt/tableau/tableau_server/data/tabsvc/vizportal/0/work/Catalina/localhost/vizportal/WEB-INF/lib/spring-security-saml2-core-1.0.0.RC2.jar
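
Added example (not part of the original post, and not Tableau or Spring code): a Python script that reads the "too old" DEBUG line quoted above, computes how old the AuthnInstant was when the server rejected it, and applies an assertion freshness rule. The 60-second skew and the signed 32-bit millisecond window used to model a ceiling near 24 days are assumptions; the post does not state why the limit exists.

```python
import re
from datetime import datetime

# Log line copied from the post above (not constructed).
SAMPLE = ("2018-02-27 13:26:34.252 +0000 (,,,,) catalina-exec-3 : DEBUG "
          "org.springframework.security.saml.websso.WebSSOProfileConsumerImpl - "
          "Authentication statement is too old to be used with value "
          "2018-02-27T12:56:41.566Z")

LINE_RE = re.compile(
    r"^(?P<logged>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) .*"
    r"Authentication statement is too old to be used with value (?P<instant>\S+)$"
)

def _parse_instant(text):
    # AuthnInstant is an xs:dateTime; fractional seconds are optional.
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised AuthnInstant: {text!r}")

def authn_age_seconds(line):
    """Age of the rejected AuthnInstant at the time the rejection was logged."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # not a "too old" line
    logged = datetime.strptime(m["logged"], "%Y-%m-%d %H:%M:%S.%f %z")
    return (logged - _parse_instant(m["instant"])).total_seconds()

def statement_accepted(age_s, max_age_s, skew_s=60, int32_ms=False):
    """Freshness rule: the statement must be younger than skew + max age.
    int32_ms=True models the window held as signed 32-bit milliseconds
    (assumption about the ceiling; the post does not state the cause)."""
    window_ms = (skew_s + max_age_s) * 1000
    if int32_ms:
        window_ms = (window_ms + 2**31) % 2**32 - 2**31  # two's-complement wrap
    return age_s * 1000 < window_ms

if __name__ == "__main__":
    age = authn_age_seconds(SAMPLE)
    print(f"AuthnInstant age at rejection: {age:.3f} s")
    for days in (24, 25, 90):
        ok = statement_accepted(age, days * 86400, int32_ms=True)
        print(f"max age {days} days, 32-bit ms window: accepted={ok}")
```

For the quoted line the computed age is 1792.686 seconds, roughly 30 minutes. Under the 32-bit assumption, a 24-day maximum still accepts that statement while 25 and 90 days wrap negative and reject it.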
