9 Replies Latest reply on Aug 23, 2017 12:28 AM by Sylvain Cogné

    errorCode 16 while using SAML to log in

    ReX Admin

      I've been struggling with setting up SAML for Tableau Server for a few days now. I'm using OneLogin which has a preconfigured connector for Tableau and should work fine.

       

      When I log in I'm being forwarded to the IdP where I can enter my credentials. As I am brought back to my Tableau instance, however, I get redirected to https://[server]/#/error/saml/16. Same thing when accessing via Tableau Desktop but there the error message is a bit more helpful: "Invalid username or password. (errorCode=16)". The username attribute provided is configured to be one that is registered in Tableau.

       

What could be the issue here? How can I actually see the SAML conversation so that I can make sure that the configuration is correct? I've turned on DEBUG logging but there isn't much substance in the logs:

       

      2015-04-22 14:18:20.195 +0000 (,,,) catalina-exec-1 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedEntryPoint - Adding relay state to request, relaystate: [dest=%2F]
      2015-04-22 14:18:39.179 +0000 (,,,) catalina-exec-12 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - Request is to process authentication
      2015-04-22 14:18:39.179 +0000 (,,,) catalina-exec-12 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - Extracting query param with key dest value %2F
      2015-04-22 14:18:39.179 +0000 (,,,) catalina-exec-12 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - Attempting authentication using SAML response from IdP
      2015-04-22 14:18:39.195 +0000 (,,,) catalina-exec-12 : DEBUG com.tableausoftware.domain.user.saml.ForwardedHttpURLPostDecoder - receiever end point URL: https://reports.reexecute.com/wg/saml/SSO/index.html
      2015-04-22 14:18:39.195 +0000 (,,,) catalina-exec-12 : ERROR com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.
      org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
        at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:92)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
        at com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter.doAttemptAuthentication(SAMLExtendedProcessingFilter.java:161)
        at com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter.attemptAuthentication(SAMLExtendedProcessingFilter.java:148)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)
        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
      Caused by: org.opensaml.common.SAMLException: Error validating SAML response
        at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:246)
        at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81)
        ... 39 more
      2015-04-22 14:18:39.210 +0000 (,,,) catalina-exec-12 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML login failed due generic exception Error validating SAML message
      2015-04-22 14:18:39.210 +0000 (,,,) catalina-exec-12 : INFO  com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML login failed, redirecting user to /#/error/saml/16
      2015-04-22 14:18:39.476 +0000 (-,-,-,VTetv8CoFAIAABwMA94AAAEy) catalina-exec-9 : INFO  com.tableausoftware.app.vizportal.LoggingInterceptor - Request received: /api/web/v1/getSessionInfo
      2015-04-22 14:18:39.476 +0000 (-,-,-,VTetv8CoFAIAABwMA90AAAFy) catalina-exec-16 : INFO  com.tableausoftware.app.vizportal.LoggingInterceptor - Request received: /api/web/v1/getServerSettingsUnauthenticated
      2015-04-22 14:18:39.476 +0000 (-,-,-,VTetv8CoFAIAABwMA90AAAFy) catalina-exec-16 : DEBUG com.tableausoftware.app.vizportal.WebClientApiController - WebClient API: Request for method 'getServerSettingsUnauthenticated' received
      ...
      
        • 1. Re: errorCode 16 while using SAML to log in
          Zeeshan Zuberi

          Hi Rex,

           

          Did you manage to resolve this?

          I'm also facing the same error when enabling SAML on Tableau server (using a trial installation of Tableau 9) and using OneLogin as the Idp.

           

          Regarding your question about SAML conversation, I use SAML tracer add-on with Firefox.

           

          I'm very keen to hear how you managed to get this fixed.

           

          Many thanks.

           

          Zeeshan.

          • 2. Re: errorCode 16 while using SAML to log in
            Pablo Caif

Hi, I had exactly the same issue.

             

            With the help of OneLogin's support I was able to solve it.

In my case it is a Tableau Server stand-alone instance.

            • So I enabled SAML in the configurations.
            • Added the certs and everything
            • Exported the tableau-metadata.xml

            On OneLogin site

            • Added a new App type "Tableau Server(Signed Response)"
            • In the Configuration tab
            • I'm using https so I selected that
            • Server name just the host name
• SAML Audience, that was the one I was missing. In your tableau-metadata.xml search for entityID and enter whatever is in there in the SAML Audience. In my case it was in here <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="https://blah.com.au" entityID="https://blah.com.au">. So I entered https://blah.com.au
• Export the OneLogin metadata in the SSO tab
• Add an extra attribute called Username to your users so that it can be sent as part of the SAML assertion.

            One thing that I also found was that I couldn't use email addresses as usernames. For some reason Tableau tries to find a user with the domain matching the email address domain part. For example for blah.foo@domain.com it tries to find a user in local/domain.com \blah.foo. So I'm using usernames in the form of foo.bar.

            • 3. Re: errorCode 16 while using SAML to log in
              Zeeshan Zuberi

              Thanks for the update Pablo. I also managed to get this fixed by timely support from our Tableau partners (The Information Lab). It seems with the existing connector for Tableau Server on OneLogin there is a required step to specify SAML entity ID with suffix of /wg/saml/SSO/index.html

               

              This is the exact instruction that helped me:

"SAML entity ID: Use the Tableau Server return URL and then append the following to the URL: /wg/saml/SSO/index.html. For example: https://vhua-lap2/wg/saml/SSO/index.html - Appending the URL is specific to OneLogin and must be done."

               

              I'll send the instructions to OneLogin as well and request them to include with their connector documentation to save the trouble for anyone configuring this in future.

               

BTW, just curious if you did anything about letting users log out of Tableau Server with SAML enabled? To me it seems there is no such option and even after logging out of OneLogin, the Tableau session stays active.

               

              Thanks.

               

              Zeeshan.

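A check for the two mismatches described in the last two replies (the SAML Audience must equal the entityID from tableau-metadata.xml, which carries the /wg/saml/SSO/index.html suffix, and the username attribute must not be an e-mail address), written as an added example for this thread; it is not code from the thread, from Tableau or from OneLogin. The SP metadata, the response and the reports.example.com host are constructed samples; in practice you paste the Response XML that SAML tracer shows (or the raw SAMLResponse form value through decode_saml_response) in place of BAD_RESPONSE.

```python
"""Sanity-check a SAML Response (as captured with the SAML tracer add-on)
against the SP metadata Tableau Server exported as tableau-metadata.xml.

Added example for this thread, not Tableau's or OneLogin's code.  The
metadata, the response and the host names are constructed samples."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata shaped like the export quoted in the thread: the
# entityID carries the /wg/saml/SSO/index.html suffix OneLogin must be given.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://reports.example.com/wg/saml/SSO/index.html">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://reports.example.com/wg/saml/SSO/index.html" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP response reproducing the two mistakes in the thread: the
# Audience is the bare host instead of the entityID, and the username is an
# e-mail address.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://reports.example.com/wg/saml/SSO/index.html">
  <saml:Assertion>
    <saml:Subject><saml:NameID>blah.foo@domain.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://reports.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>blah.foo@domain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(form_value):
    """The SAMLResponse POST parameter is the base64 of the XML document."""
    return base64.b64decode(form_value).decode("utf-8")


def sp_expectations(metadata_xml):
    """Return (entityID, ACS URL): the values the IdP app must be configured with."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return root.get("entityID"), acs.get("Location")


def check_response(response_xml, entity_id, acs_url, username_attr="username"):
    """Return a list of findings; an empty list means the fields line up."""
    findings = []
    root = ET.fromstring(response_xml)

    # The SP checks Destination against its own ACS URL.
    dest = root.get("Destination")
    if dest != acs_url:
        findings.append(f"Destination {dest!r} != ACS {acs_url!r}")

    # The SP checks that it is named in the AudienceRestriction: this must be
    # the entityID from tableau-metadata.xml, not the bare host.
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences} does not contain entityID {entity_id!r}")

    # Tableau matches the username attribute (NameID as fallback here); per the
    # thread an e-mail address is split on its domain part and the user is not found.
    attr = root.find(f".//saml:Attribute[@Name='{username_attr}']/saml:AttributeValue", NS)
    subject = attr.text if attr is not None else root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    if subject and "@" in subject:
        findings.append(f"username {subject!r} is an e-mail address; send a plain username")
    return findings


if __name__ == "__main__":
    entity_id, acs = sp_expectations(SP_METADATA)
    for line in check_response(BAD_RESPONSE, entity_id, acs) or ["no mismatches found"]:
        print(line)
```

Run against the constructed response it reports the Audience and the e-mail username; run against a real capture it tells you which of the IdP-side fields disagrees with what Tableau exported. It does not validate the signature or the time conditions, so an empty result only rules out the mismatches discussed in this thread.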
              • 4. Re: errorCode 16 while using SAML to log in
                ReX Admin

                Yes, I just managed to get this working - about the same time that Pablo's answer below was posted. I also had an initial problem with the /wg/saml/SSO/index.html missing and once that was sorted out I got the error above.

                 

The key is Pablo's statement regarding not being able to use the email address as user ID - really a big limitation (or blatant fallacy) on Tableau's part. This must by far be the most common way to identify users...

                 

                Thanks for the kind assistance!

                • 5. Re: errorCode 16 while using SAML to log in
                  Olga Yazovskaya

Hi. I am having the same error. And your post is the only one about it...

                  I have tried with the xml. But no luck. Can you please give more details. What do you mean by SAML Audience?

Where was your "https://blah.com.au" missing?

                   

                  Thanks a lot in advance

                  Olga

                  • 6. Re: errorCode 16 while using SAML to log in
                    Tod Elliott

I am also missing the /wg/saml/SSO/index.html file. How did you sort that out?

                    • 7. Re: errorCode 16 while using SAML to log in
                      Sylvain Cogné

                      Hello Pablo,

                       

I am currently facing this issue as I am trying to configure Tableau Server site-specific SAML using OneLogin as IdP. It worked when I configured it as server-wide SAML, but as soon as I switch the option to site-specific SAML, I am not able to connect using my SAML users (local users are working just fine).

                       

I am also getting this error message in my logs but I do not know what to do... Is it a problem of matching attributes??? I have tried lots of different configurations but without success.

                       

                      2017-08-15 12:22:25.456 +0000 (,,,) catalina-exec-3 : ERROR com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.

                      org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid

                      (...)

                      Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed

                       

OneLogin was not able to tell me if someone was using this configuration with success: TS site-specific SAML + OneLogin.

                       

When I use Tableau Online, it works fine...

                       

Any help would be really appreciated :-)

                       

                      BR

                      Sylvain
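"Validation of protocol message signature failed" is a different failure from the audience mismatch earlier in the thread: here the SP rejected the signature on the Response element itself, which in practice most often means the certificate the IdP signed with is not the one the site's SAML settings were given. The following is an added example for this thread, not code from the thread, from Tableau or from OneLogin: it compares the certificate embedded in a captured Response's KeyInfo against the signing certificates in the IdP metadata. All XML and the certificate blobs are constructed placeholders (real ones carry base64 DER certificates; the comparison is the same).

```python
"""Check which certificate signed a SAML Response and whether it is one of the
signing certificates in the IdP metadata the SP was configured with.

Added example for this thread, not Tableau's or OneLogin's code.  The
metadata, the response and the certificate blobs are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for two different IdP signing certificates.
CERT_A = base64.b64encode(b"constructed placeholder for DER certificate A").decode()
CERT_B = base64.b64encode(b"constructed placeholder for DER certificate B").decode()

# Constructed IdP metadata advertising CERT_A as the signing key (line-wrapped,
# as exported metadata usually is).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_A}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_response(response_cert=None, assertion_cert=None):
    """Constructed Response whose Response and/or Assertion element carries a
    ds:Signature with the given certificate (None = that element is unsigned).
    Only KeyInfo matters for this check; SignedInfo/SignatureValue are stubs."""
    def sig(cert):
        if cert is None:
            return ""
        return (f"<ds:Signature><ds:SignedInfo/><ds:SignatureValue>x</ds:SignatureValue>"
                f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>"
                f"</ds:X509Data></ds:KeyInfo></ds:Signature>")
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  {sig(response_cert)}
  <saml:Assertion>{sig(assertion_cert)}<saml:Subject><saml:NameID>blah.foo</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""


def fingerprint(b64_cert):
    """SHA-256 over the DER bytes, the form IdP consoles usually display."""
    der = base64.b64decode("".join(b64_cert.split()))  # strip line wrapping
    return hashlib.sha256(der).hexdigest()


def idp_signing_fingerprints(metadata_xml):
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute = both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fps.add(fingerprint(cert.text))
    return fps


def response_signatures(response_xml):
    """Map element name -> fingerprint of the cert in its ds:Signature/KeyInfo
    (None if the signature embeds no cert).  Unsigned elements are absent."""
    root = ET.fromstring(response_xml)
    elements = [("Response", root)] + [("Assertion", a) for a in root.findall("saml:Assertion", NS)]
    sigs = {}
    for name, elem in elements:
        sig = elem.find("ds:Signature", NS)  # direct child only
        if sig is not None:
            cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            sigs[name] = fingerprint(cert.text) if cert is not None else None
    return sigs


def diagnose(response_xml, metadata_xml):
    """Return findings that would explain a 'protocol message signature' failure."""
    trusted = idp_signing_fingerprints(metadata_xml)
    sigs = response_signatures(response_xml)
    findings = []
    if "Response" not in sigs:
        # OpenSAML's "protocol message signature" is the one on the Response element.
        findings.append(("Response element is not signed (only " + ", ".join(sigs) + " is)")
                        if sigs else "neither the Response nor the Assertion is signed")
    for name, fp in sigs.items():
        if fp is None:
            findings.append(f"{name} signature embeds no certificate; compare the key with the metadata by hand")
        elif fp not in trusted:
            findings.append(f"{name} is signed with {fp[:16]}..., not a signing cert from the IdP metadata "
                            f"({', '.join(t[:16] + '...' for t in sorted(trusted))})")
    return findings


if __name__ == "__main__":
    for line in diagnose(make_response(response_cert=CERT_B), IDP_METADATA) or ["signing key matches"]:
        print(line)
```

This compares key identity only; it does not verify the signature, so a match means the key is not the problem and the next thing to compare is the SP side (whether the OneLogin app was built from the metadata exported for that site rather than the server-wide one). A mismatch, or a Response that only carries an Assertion-level signature, is exactly what the logged error describes.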

                      • 8. Re: errorCode 16 while using SAML to log in
                        Zeeshan Zuberi

                        Hello Sylvain,

Though I've not configured multi-site SAML on Tableau Server yet, I wonder if you've tried testing your configuration by logging in as a user that exists only on one site and doesn't exist on other sites, so is also not a Tableau administrator. Also, I'm assuming that when you switched to site-specific SAML you have also specified something for server-wide authentication to cover those users who don't belong to the site you're configuring for SAML or who are multi-site users.

                         

                        Thanks.

                         

                        Zeeshan.

                        • 9. Re: errorCode 16 while using SAML to log in
                          Sylvain Cogné

                          Hello Zeeshan,

                           

Yes, I have tried it like that with SAML test users (one Publisher and one Site Admin) that are only configured on this "SAML specific" site but Tableau cannot identify them and let them in... When I turn the server SAML server-wide, then they can log in and everything works fine but that is not what I am looking for... :-(

                           

According to what I have read, when TS is configured site-specific, then a SAML user can only be part of one site (with his SAML authentication) and local users can be part of many sites. When you turn the server to "Server+Site SAML" then you have an IdP for the server that allows SAML users to be part of several sites and site-specific IdPs that only accept unique users.

                           

I have also tried this third configuration option but once again the authentication works for the "Server" part but not for the site-specific part, so once again it is not what I am looking for :-(

                           

Our configuration needs to authenticate internal users using the Active Directory and external users only for specific sites using an external IdP (SAML). For the moment I have only tried with OneLogin as they offer a free trial version and it is a quite usable solution, but if you know other IdPs that are better adapted... :-)

                           

                          I have asked Tableau and OneLogin but none of them are able to tell me if this configuration works and was already implemented somewhere...

                           

                          Thanks a lot for taking some time to answer.

                           

                          BR from Germany

                          Sylvain