10 Replies Latest reply on Dec 21, 2016 10:22 PM by Vien Hua

    SAML Single Sign-On

    Vijay Kumar

      Hi I am trying to enable SAML.

       

      1. I filled in Tableau Server URL, SAML Entity ID, .crt file and .key file

      2. Exported metadata file for configuring in ADFS

      3. AD administrator configured this in ADFS and gave me back the .xml file for Tableau IdP

      4. But SAML did not work.

       

      One possible reason... Finally Tableau Server requires forms based authentication to serve logins via a web browser, Tableau Desktop and the Tableau Mobile app. But in our Active Directory Federation Services we are having Windows Authentication as primary. So we kept the Forms Based Authentication as secondary.

       

      Is this the reason why SAML is not working or any suggestions please...

        • 1. Re: SAML Single Sign-On
          Nathan Panuco

          Hi Vijay:

           

          Can you be more specific about how SAML didn't work? You might get more suggestions for resolving the issue with a specific error message or snips from the logs.

           

          Thanks!

          • 2. Re: SAML Single Sign-On
            Vijay Kumar

            Yes sure.. we followed all the steps as mentioned in tableau website. When tried testing the result after completing all steps... I got a complete white black page when tried entering my tableau sure url. No errors.. Just blank page.


            • 3. Re: SAML Single Sign-On
              Obed Tsimi

              Hello Vijay,

               

              Are you getting the blank page when trying to access the url on mobile device or on PC?

              • 4. Re: SAML Single Sign-On
                Obed Tsimi

                I have observed an issue from mobile devices, where the IdP needs to be reconfigured to return NTLM challenges. If this is not feasible, it's possible to turn off SAML authentication for the Mobile app by setting wgserver.authentication.app_nosaml to true.

                • 5. Re: SAML Single Sign-On
                  Vijay Kumar

                  Apologies for delayed response. Getting a blank page while accessing from pc and not from mobile..

                  • 6. Re: SAML Single Sign-On
                    Vijay Kumar

                    Hi friends any suggestions please.. Please let me know if you require more information

                    • 7. Re: SAML Single Sign-On
                      Obed Tsimi

                      Hello Vijay,

                       

                      I cannot think of anything else. I would recommend opening a support ticket with our support team so they can investigate to see what is happening.

                      Submit a case to our support team | Tableau Software

                      • 8. Re: SAML Single Sign-On
                        Obed Tsimi

                        Vijay Kumar I have an answer for you.

                        This is occurring because of a known issue with the format of the key being used, which is a Public Key File (PKCS#8).

                        Currently, Tableau Server cannot recognize the PKCS#8 format when SAML is being configured. To resolve the issue, a new key will need to be generated using the PKCS#1 format (RSA Public Key File). Once the new key is generated, a new Certificate Signing Request (CSR) must be created separately and used to create a new certificate. The new CSR and certificate must be generated, because the previous CSR and certificates will be using the old key.

                        Please note that generating the key and CSR with a single command will result in the same issue as the one currently being experienced.

                        For more information on generating a key and creating a CSR, please review the following link:

                        + Generate a Key and CSR
                        http://onlinehelp.tableau.com/current/server/en-us/ssl_cert_create.htm
                        Thanks 

                        • 9. Re: SAML Single Sign-On
                          Vijay Kumar

                          As mentioned in the link, I tried to enable SSL first using internal certificate authority.

                           

                          1. Now able to access the site perfectly in https:// mode BUT without enabling SAML
                          2. Then tried enabling SAML
                            1. Given the URL with https:// → Given SAML Entity ID → Linked .crt and .key files → Exported Metadata file and given to my AD administrator
                            2. Exported this metadata file in ADFS → Added claim rules as SAM_Account_Name to Name ID and Username
                            3. Received the FederationXML file from AD administrator → Linked this to SAML IDP → Clicked on OK and started the Tableau service.
                          3. Now when I went to the Tableau URL I am getting the blank page without any kind of errors in browser. This is the issue that I initially reported and raised a ticket with Tableau support.
                          4. One step we are not able to do is – we are not keeping the FORMS BASED AUTHENTICATION as primary in our ADFS as mentioned below. Is this one of the reasons for our issue?
                            1. a. Finally Tableau Server requires forms based authentication to serve logins via a web browser, Tableau Desktop and the Tableau Mobile app. In web.config found in the C:\inetpub\adfs\ls directory modify the tag order under <localAuthenticationTypes> so that <add name="Forms" page="FormsSignIn.aspx" /> appears first in the list. You can customise the login form by editing FormsSignIn.aspx in the same directory.  http://www.theinformationlab.co.uk/2014/02/04/authenticating-external-tableau-server-using-internal-ad/
                          • 10. Re: SAML Single Sign-On
                            Vien Hua

                            Obed's message still applies in my opinion. Open the key file that you are using with SAML. At the top of it, does it have:

                             

                            -----BEGIN RSA PRIVATE KEY-----

                            or

                            -----BEGIN PRIVATE KEY-----

                             

                            The first one with RSA is PKCS#1 format. The second is PKCS#8 format. Currently Tableau Server's SAML configuration is handled by its own Vizportal and not by Apache. Vizportal only accepts PKCS#1 formatted key file. You can follow the commands outlined in the following article to generate the correct format:

                            Example: SSL Certificate - Generate a Key and CSR

                             

                            Then use this with SAML and restart Tableau Server.


                            Cheers, Vien
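
The key-format check described in replies 8 and 10, as an added example that is not part of the original thread or Tableau's own tooling: it classifies a PEM private key by its BEGIN label and confirms the label against the DER structure inside. The function names and the two sample keys are assumptions constructed for illustration (structure-only skeletons, not usable keys).

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def key_format(pem_text):
    """Classify a PEM private key by its label and its DER structure."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "not-pem"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        return "other"
    if "Proc-Type:" in body:  # legacy passphrase-protected PKCS#1
        return "pkcs1-encrypted"
    try:
        der = base64.b64decode("".join(body.split()))
        outer, start, _ = _read_tlv(der, 0)
        version, _, nxt = _read_tlv(der, start)
        inner = der[nxt]
    except (ValueError, IndexError):
        return "malformed"
    if outer != 0x30 or version != 0x02:
        return "malformed"
    # PKCS#1 RSAPrivateKey: version is followed by INTEGER modulus (0x02).
    # PKCS#8 PrivateKeyInfo: version is followed by SEQUENCE AlgorithmIdentifier (0x30).
    if label == "RSA PRIVATE KEY" and inner == 0x02:
        return "pkcs1"
    if label == "PRIVATE KEY" and inner == 0x30:
        return "pkcs8"
    return "label-mismatch"

def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

# Constructed DER skeletons (structure only, not usable keys).
PKCS1_DER = bytes.fromhex("3006020100020105")
PKCS8_DER = bytes.fromhex("3014020100300d06092a864886f70d01010105000400")
PKCS1_SAMPLE = _pem("RSA PRIVATE KEY", PKCS1_DER)
PKCS8_SAMPLE = _pem("PRIVATE KEY", PKCS8_DER)
```

With OpenSSL 3.x, `openssl genrsa` and `openssl rsa` write PKCS#8 unless `-traditional` is given, so run the check again on any newly generated key before linking it in the SAML configuration.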