1 Reply Latest reply on Feb 10, 2015 2:56 PM by diego.medrano

    Configuring ADFS 2.0 for SSO to Tableau

    Max Caines



      A colleague is testing Tableau on a server in the cloud, and has asaked me to set up SSO using Microsoft ADFS 2.0. I've followed the instructions at http://www.theinformationlab.co.uk/2014/02/04/authenticating-external-tableau-server-using-internal-ad/. ADFS 2.0 doesn't support the "username" claim type, but we've changed the claim to "windowsaccountname" as documented. We now have a problem in that Tableau is getting a claim with a value from ADFS, but won't accept it. We've turned on debug logging and this is what we see in the Tableau log:


      2015-01-23 15:14:28.723 +0000 catalina-exec-2 Default  DEBUG : com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAMLResponse [Attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname has value abc123 ]

      2015-01-23 15:14:28.723 +0000 catalina-exec-2 Default  ERROR : com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.

      org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message has no valid value for windowsaccountname attribute. Please verify ServiceProvider configuration in Identity Provider.


      I wondered about time skew, so we increased the skew allowance to 30 minutes, but that's made no difference.


      One possibility that has occurred is that our ADFS servers use Integrated Windows Authentication, whereas the article I referred to says Forms is required by Tableau. However, all external access (which is what we are testing) goes through our ADFS proxies, and they do Forms authentication anyway.


      Has anyone seen this problem before, or have any idea what to look for?




      Max Caines

      University of Wolverhampton