A colleague is testing Tableau on a server in the cloud, and has asked me to set up SSO using Microsoft ADFS 2.0. I've followed the instructions at http://www.theinformationlab.co.uk/2014/02/04/authenticating-external-tableau-server-using-internal-ad/. ADFS 2.0 doesn't support the "username" claim type, but we've changed the claim to "windowsaccountname" as documented. We now have a problem in that Tableau is getting a claim with a value from ADFS, but won't accept it. We've turned on debug logging and this is what we see in the Tableau log:
2015-01-23 15:14:28.723 +0000 catalina-exec-2 Default DEBUG : com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAMLResponse [Attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname has value abc123 ]
2015-01-23 15:14:28.723 +0000 catalina-exec-2 Default ERROR : com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.
org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message has no valid value for windowsaccountname attribute. Please verify ServiceProvider configuration in Identity Provider.
I wondered about time skew, so we increased the skew allowance to 30 minutes, but that's made no difference.
One possibility that has occurred is that our ADFS servers use Integrated Windows Authentication, whereas the article I referred to says Forms is required by Tableau. However, all external access (which is what we are testing) goes through our ADFS proxies, and they do Forms authentication anyway.
Has anyone seen this problem before, or have any idea what to look for?
University of Wolverhampton
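One way to inspect what the identity provider actually sent, as an added example that is not part of the original post and not Tableau's or ADFS's own code: it decodes a SAMLResponse captured from the browser POST and reports whether the attribute name the service provider is configured to read matches an attribute Name exactly, only by its last path segment, or not at all. The sample response is constructed, the function names are hypothetical, and an unencrypted assertion is assumed; the thread does not establish that a name mismatch is the cause here.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Constructed sample response (not captured from a real ADFS server).
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="{CLAIM}">
   <saml:AttributeValue>abc123</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def list_attributes(saml_response_b64):
    """Return {attribute Name: [values]} from a base64 SAMLResponse (HTTP-POST binding)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "") for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_expected(attrs, expected):
    """Classify how the name the SP is configured to read relates to what the IdP sent."""
    if expected in attrs:
        # Name matches; a blank or whitespace-only value is still unusable.
        return "exact-match" if any(v.strip() for v in attrs[expected]) else "empty-value"
    # The short name appears only as the last path segment of a URI-style Name.
    suffix = [n for n in attrs if n and n.rsplit("/", 1)[-1] == expected]
    if suffix:
        return "suffix-only:" + suffix[0]
    return "absent"


if __name__ == "__main__":
    found = list_attributes(SAMPLE_B64)
    for name in ("windowsaccountname", CLAIM, "username"):
        print(name, "->", check_expected(found, name))
```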
I found this Knowledge Base article but it sounds like you may already know the info in it:
Have you made any progress?