11 Replies Latest reply on Nov 16, 2016 6:12 PM by Thomas Cook

    SAML Authentication Failed and not working

    Siva Kora

      Could someone help me get SAML set up with an IdP?

       

      We are setting up SAML authentication for Tableau in our company, and we are using an IdP. We have got the metadata file, .crt and .key, and kept them in the same folder by creating a SAML folder inside the Tableau folder. When we keep SAML configured, it is not working and it's not communicating with the IdP server. Does the user ID need to be created in the IdP server, or will the default user ID that Tableau creates during installation work, or do we need to rename the user ID and create the same one in the IdP server? Could someone please help with real-time examples if you have faced this issue?

        • 1. Re: SAML Authentication Failed and not working
          Vien Hua

          Hello Siva,

           

          The user must exist in both the IdP and Tableau Server and their usernames must match. What error message are you getting when you try to implement SAML? Login error?

           

          Vien

          1 of 1 people found this helpful
          • 2. Re: SAML Authentication Failed and not working
            Siva Kora

            Hi Hua,

            Thanks for the information. After entering all the .crt, .key and metadata files, we are not able to see the Tableau server coming up. It is not even connecting to the IdP server.

            • 3. Re: SAML Authentication Failed and not working
              Vien Hua

              So you are not able to start Tableau Server after adding the .crt and .key files? Can you post any screenshot of any error messages?

               

              If anything, create log files and then send them to the Tableau support team: Creating Tableau Server Log Files | Tableau Software

              • 4. Re: SAML Authentication Failed and not working
                Siva Kora

                As soon as I get into the office tomorrow, I will send the logs. Thanks for the quick turnaround.

                • 5. Re: SAML Authentication Failed and not working
                  Siva Kora

                  Hua,

                  Please find some of the logs which I see:

                   

                  10.x.x.x - - [05/Mar/2015:17:24:32 -0500] 80 "GET /views HTTP/1.1" "10.x.x.x " 404 - "-" 36831128 VPjXoAqQMnAAAC6YYXwAAAHx

                   

                  10.x.x.x - - [05/Mar/2015:17:23:48 -0500] 80 "GET /views HTTP/1.1" "10.x.x.x " 404 - "-" 80011375 VPjXdAqQMnAAAC6YYXoAAAHz

                   

                  10.x.x.x - - [05/Mar/2015:17:25:15 -0500] 80 "GET /views HTTP/1.1" "10.x.x.x " 404 - "-" 15599 VPjXywqQMnAAAC6YYX0AAAHx

                   

                  10.x.x.x - - [05/Mar/2015:17:25:25 -0500] 80 "GET / HTTP/1.1" "10.x.x.x" 404 - "-" 15599 VPjX1QqQMnAAAC6YYX4AAAHx

                   

                  10.x.x.x - - [05/Mar/2015:17:32:55 -0500] 80 "GET /views HTTP/1.1" "10.x.x.x " 404 - "-" 57486000 VPjZlwqQMnAAADtU9GQAAAHy

                   

                  10.x.x.x - - [05/Mar/2015:17:32:46 -0500] 80 "GET / HTTP/1.1" "10.x.x.x " 404 - "-" 66424800 VPjZjgqQMnAAADtU9GMAAAHz

                   

                  10.x.x.x - - [05/Mar/2015:17:33:06 -0500] 80 "GET /views HTTP/1.1" "10.x.x.x " 404 - "-" 46456800 VPjZogqQMnAAADtU9GUAAAHx

                   

                  10.x.x.x - - [05/Mar/2015:17:38:40 -0500] 80 "GET / HTTP/1.1" "10.x.x.x " 404 - "-" 5000 VPja8AqQMnAAADtU9GYAAAHx

                  10.x.x.x - - [05/Mar/2015:17:38:55 -0500] 80 "GET /views HTTP/1.1" "10.x.x.x " 404 - "-" 5000 VPja-wqQMnAAADtU9GcAAAHx

                   

                  But when we revert back to the initial settings, we can see the server up and running, with login to the web URL.

                  • 6. Re: SAML Authentication Failed and not working
                    Vien Hua

                    Hi Siva,

                     

                    Unfortunately this snippet of log lines doesn't give much information... although a 404 not found may indicate that Tableau Server is not able to find wherever the IdP is.

                     

                    I would send a screenshot of the SAML configuration dialog window and full server log files to Tableau technical support (support@tableau.com).

                    • 7. Re: SAML Authentication Failed and not working
                      Siva Kora

                      Hua,

                      We will reach out to Tableau in a couple of days. Meanwhile, could you please point out any issue from the logs below:

                       

                      Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot resolve reference to bean 'samlFilter' while setting constructor argument with key [1]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlFilter' defined in URL [file:/D:/SCM/Tableau/Tableau%20Server/data/tabsvc/config/wgserver/samlSecurityContext.xml]: Cannot resolve reference to bean 'samlEntryPoint' while setting bean property 'filterChainMap' with key [Root bean: class [org.springframework.security.web.util.AntPathRequestMatcher]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null] with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlEntryPoint': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.springframework.security.saml.SAMLEntryPoint.setWebSSOprofile(org.springframework.security.saml.websso.WebSSOProfile); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'webSSOprofile': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.springframework.security.saml.websso.AbstractProfileBase.setMetadata(org.springframework.security.saml.metadata.MetadataManager); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'metadata': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire 
method: public void org.springframework.security.saml.metadata.MetadataManager.setKeyManager(org.springframework.security.saml.key.KeyManager); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyManager' defined in URL [file:/D:/SCM/Tableau/Tableau%20Server/data/tabsvc/config/wgserver/samlSecurityContext.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [com.tableausoftware.domain.user.saml.TabKeyManager]: Constructor threw exception; nested exception is java.security.KeyStoreException: Cannot store non-PrivateKeys

                      at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)

                      at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:106)

                      at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:353)

                      at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:153)

                      at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:616)

                      at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:148)

                      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035)

                      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939)

                      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)

                      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)

                      at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)

                      at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)

                      at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)

                      at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)

                      at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:322)

                      ... 26 more

                      Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot resolve reference to bean 'samlFilter' while setting constructor argument with key [1]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlFilter' defined in URL [file:/D:/Tableau/Tableau%20Server/data/tabsvc/config/wgserver/samlSecurityContext.xml]: Cannot resolve reference to bean 'samlEntryPoint' while setting bean property 'filterChainMap' with key [Root bean: class [org.springframework.security.web.util.AntPathRequestMatcher]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null] with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlEntryPoint': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.springframework.security.saml.SAMLEntryPoint.setWebSSOprofile(org.springframework.security.saml.websso.WebSSOProfile); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'webSSOprofile': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.springframework.security.saml.websso.AbstractProfileBase.setMetadata(org.springframework.security.saml.metadata.MetadataManager); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'metadata': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire 
method: public void org.springframework.security.saml.metadata.MetadataManager.setKeyManager(org.springframework.security.saml.key.KeyManager); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyManager' defined in URL [file:/D:/SCM/Tableau/Tableau%20Server/data/tabsvc/config/wgserver/samlSecurityContext.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [com.tableausoftware.domain.user.saml.TabKeyManager]: Constructor threw exception; nested exception is java.security.KeyStoreException: Cannot store non-PrivateKeys
                      at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
                      at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:106)
                      at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:353)
                      at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:153)
                      at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:616)
                      at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:148)
                      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035)
                      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939)
                      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
                      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
                      at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
                      at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
                      at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
                      at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
                      at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:322)
                      ... 26 more

                      • 8. Re: SAML Authentication Failed and not working
                        Vien Hua

                        Hi Siva,

                         

                        When I'm looking at log files, especially for SAML, I would ask that people enable debug logs first:

                         

                        tabadmin set wgserver.log.level debug

                         

                        Then reproduce the issue, and then send the entire Tableau Server log files. You can create the log files by running "tabadmin ziplogs".

                         

                        The snippet of logs that you sent above isn't too helpful without the rest of it. Again, the quickest way to resolve this is to send it to our support team.

                         

                        Thanks!

                        • 9. Re: SAML Authentication Failed and not working
                          Siva Kora

                          Hua,

                          We sent the log files to support yesterday evening and are waiting for their response. Thanks!!

                          • 10. Re: SAML Authentication Failed and not working

                            Siva,

                            Perhaps this video of common issues may help.

                            https://www.youtube.com/watch?v=ScSg0Tr5mTs

                             

                            The fact that you are seeing "java.security.KeyStoreException: Cannot store non-PrivateKeys" makes me wonder if you added a non-private key in the configuration where you specify the key. This key should be the private key. If you put in the public key, you could get this error. If it's not that, you should have support explore deeper on what may be causing your specific problem.


                            At a minimum, you should ensure your IdP supports the following:

                            1. HTTP Post Binding

                            2. SP Initiated SAML Auth

                            3. Forms based authentication between IdP and Client (Browser or Tableau Desktop).


                            Good luck!

                             


                            1 of 1 people found this helpful
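
A pre-flight check for the mix-up suggested in the reply above, as an added example that is not part of the thread or of Tableau's code: it reads the PEM labels to confirm that the .crt holds a certificate and the .key holds a private key. The function names are hypothetical, the sample blocks are constructed, and treating a passphrase-protected key as a problem is an assumption.

```python
import base64
import binascii
import re

# PEM labels mapped to what the block holds.
PEM_KINDS = {
    "CERTIFICATE": "certificate",
    "PUBLIC KEY": "public-key",
    "RSA PUBLIC KEY": "public-key",
    "PRIVATE KEY": "private-key",
    "RSA PRIVATE KEY": "private-key",
    "DSA PRIVATE KEY": "private-key",
    "EC PRIVATE KEY": "private-key",
    "ENCRYPTED PRIVATE KEY": "encrypted-private-key",
}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def pem_kinds(text):
    """Return the kind of each PEM block in text, in file order."""
    kinds = []
    for label, body in PEM_BLOCK.findall(text.replace("\r\n", "\n")):
        kind = PEM_KINDS.get(label, "unknown")
        # Legacy OpenSSL keys signal encryption in headers, not in the label.
        if body.startswith("Proc-Type:"):
            headers, _, body = body.partition("\n\n")
            if "ENCRYPTED" in headers:
                kind = "encrypted-private-key"
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            kind = "corrupt"
        kinds.append(kind)
    return kinds


def check_saml_files(cert_text, key_text):
    """Return a list of problems; an empty list means both slots look right."""
    problems = []
    cert_kinds, key_kinds = pem_kinds(cert_text), pem_kinds(key_text)
    if "certificate" not in cert_kinds:
        problems.append(f"certificate file holds {cert_kinds}, expected a certificate")
    # Assumption: the key slot wants exactly one unencrypted private key.
    if key_kinds != ["private-key"]:
        problems.append(f"key file holds {key_kinds}, expected one private key")
    return problems


def sample_pem(label, headers=""):
    # Constructed sample: the body is filler bytes, not real key material.
    body = base64.b64encode(b"constructed sample, not a real key").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    # The mix-up suggested in the reply above: a public key in the key slot.
    print(check_saml_files(sample_pem("CERTIFICATE"), sample_pem("PUBLIC KEY")))
```

The check looks at block types only; it does not verify that the private key pairs with the certificate.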
                            • 11. Re: SAML Authentication Failed and not working
                              Thomas Cook

                              Did you ever get this fixed? If so, what was the issue? We are testing using SAML and get the same blank screen and error in the log file.

                               

                              Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.tableausoftware.domain.user.saml.TabKeyManager]: Constructor threw exception; nested exception is java.lang.RuntimeException: java.security.KeyStoreException: Cannot store non-PrivateKeys