6 Replies Latest reply on Feb 15, 2018 6:47 AM by Sylvain Cogné

    SAML Authentication with a custom IdP

    Darcy Smith

      Hi all,

       

      I have spent a few days attempting to integrate the authentication process in our development Tableau instance with our in-house product, using SAML as the authentication protocol.

       

      I have had some successes (being new to SAML as well), but I have hit a major blocker that I am not sure where to go next with. I have followed the online documentation for setting up a Tableau instance for "Site-specific SAML authentication only" and have chosen a non-default site as the test bed for this.

       

      On the IdP side, I have created a custom .NET MVC application to "act" as the IdP to act as a proof of concept. This IdP receives the AuthnRequest from Tableau, gives out metadata on a specific Url, and has the Login page with hard coded values of a valid Username and Password. This username correlates to a Username that exists in the Tableau instance.

       

      1) On attempting to log in to Tableau with a SAML user, I get redirected to my IdP. I am able to read the AuthnRequest (although I'm not validating much at the moment)

      2) On successful authentication, the user is directed to a page to perform an HTTP POST of the SAML Response

      3) The POST to Tableau results in an "Unable to Sign in. Invalid Username or password" error message

       

      On closer inspection of the Tableau SAML log files, I can see the following entry:

       

      2017-06-28 09:45:22.882 +0100 (,,,) catalina-exec-2 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - Request is to process authentication
      2017-06-28 09:45:22.882 +0100 (,,,) catalina-exec-2 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - Attempting authentication using SAML response from IdP
      2017-06-28 09:45:22.882 +0100 (,,,) catalina-exec-2 : DEBUG org.springframework.security.saml.SAMLProcessingFilter - Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
      2017-06-28 09:45:22.885 +0100 (,,,) catalina-exec-2 : DEBUG org.springframework.security.saml.processor.SAMLProcessorImpl - Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
      2017-06-28 09:45:22.887 +0100 (,,,) catalina-exec-2 : DEBUG com.tableausoftware.domain.user.saml.ForwardedHttpURLPostDecoder - receiever end point URL: http://development.analytics.fft.local/wg/saml/SSO/index.html
      2017-06-28 09:45:22.887 +0100 (,,,) catalina-exec-2 : ERROR com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.
      org.springframework.security.authentication.AuthenticationServiceException: Error determining metadata contracts
      at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:89)
      at com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter.doAttemptAuthentication(SAMLExtendedProcessingFilter.java:187)
      at com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter.attemptAuthentication(SAMLExtendedProcessingFilter.java:171)
      at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
      at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
      at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
      at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
      at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      at com.tableausoftware.core.controller.RelativeRedirectFilter.doFilter(RelativeRedirectFilter.java:62)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
      at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2536)
      at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2525)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      at java.lang.Thread.run(Thread.java:745)
      Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for issuer https://sso.fftaspire.org/home/metadata wasn't found
      at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:108)
      at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
      at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
      ... 40 more
      2017-06-28 09:45:22.888 +0100 (,,,) catalina-exec-2 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML login failed due generic exception Error determining metadata contracts
      2017-06-28 09:45:22.888 +0100 (,,,) catalina-exec-2 : INFO  com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML login failed, redirecting user to /#/error/signin/16?redirectPath=/wg/saml/logout/index.html%3Fretry%3Dtrue%26CompactSAMLCredential%3D

       

      This seems to indicate that the metadata is unavailable at the specific URL https://sso.fftaspire.org/home/metadata, but I can confirm that the Tableau server has access to this URL and is able to download the metadata file.

       

      I have attached the un-encoded SAML Response, as well as the IdP metadata that is being POSTed. I am blocked now as I have tried everything I know to get this to work. It may be a simple SAML configuration / XML error in one of these files, or maybe some configuration preventing me from continuing.

       

      Any help would be greatly appreciated.

       

      Cheers

      Darcy

        • 1. Re: SAML Authentication with a custom IdP
          Toby Erkson

          The only idea I have is to try Tableau Support.

          • 2. Re: SAML Authentication with a custom IdP
            Sylvain Cogné

            Hello Darcy,

             

            It is not going to help you a lot, but I think I am facing kind of the same issue while configuring TS site-specific SAML with OneLogin as IdP.

             

            When I configure it as server-wide SAML, it works and I can log in with my SAML test users. When I switch to the site-specific SAML configuration with exactly the same IdP config, I can't get into the server with my SAML users, while local users are working fine.

             

            Log analysis gives me the following result:

             

            2017-08-15 12:22:25.456 +0000 (,,,) catalina-exec-3 : ERROR com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.
            org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:93)
            at com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter.doAttemptAuthentication(SAMLExtendedProcessingFilter.java:187)
            at com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter.attemptAuthentication(SAMLExtendedProcessingFilter.java:171)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
            at com.tableausoftware.core.controller.RelativeRedirectFilter.doFilter(RelativeRedirectFilter.java:62)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
            at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
            at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2549)
            at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2538)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:748)
            Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
            at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
            at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
            at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
            at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
            ... 40 more
            2017-08-15 12:22:25.456 +0000 (,,,) catalina-exec-3 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML login failed due generic exception Incoming SAML message is invalid
            2017-08-15 12:22:25.456 +0000 (,,,) catalina-exec-3 : INFO  com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML login failed, redirecting user to /#/error/signin/16?redirectPath=/wg/saml/logout/index.html%3Fretry%3Dtrue%26CompactSAMLCredential%3D

             

             

            I have tried lots of different configurations but without any success for the moment. I thought it could be linked to the matching attributes, but despite lots of tests I can't make it work...

             

            It is perhaps too basic, but have you tried this: Error "SAML Authentication Failed, please contact the administrator" After Upgrading | Tableau Software ?

             

            Good luck with your config and if you have any success, please keep me posted :-)

             

            BR

            Sylvain
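The two failures quoted in this thread (the "Metadata for issuer ... wasn't found" in Darcy's log and the "Validation of protocol message signature failed" in the log above) are both raised while the SP compares the posted Response against the IdP metadata it has registered: the first when the Response's <Issuer> does not exactly equal any registered entityID, the second when the message signature cannot be validated with a key the metadata lists. The diagnostic below is an added example, not code from Tableau, Spring Security SAML or any poster in this thread. It parses a decoded Response and the IdP metadata and reports an Issuer/entityID mismatch, a Destination that is not the SP's ACS URL, or a signing certificate absent from the metadata's signing KeyDescriptors. All hostnames, the certificate blobs and the `make_response` helper are constructed placeholders; the script checks the inputs to signature validation, it does not verify the XML signature itself.

```python
"""Cross-check a decoded SAML Response against the IdP metadata registered at the SP.

Added example (not Tableau's or Spring SAML's code). Sample XML, hostnames and
certificate blobs below are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # for untrusted XML in a real SP, use a hardened parser such as defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed values: the SP's ACS endpoint (path pattern as in the Tableau log), the IdP entityID,
# and two base64 blobs standing in for DER certificates (they are NOT real certificates).
ACS_URL = "https://tableau.example.test/wg/saml/SSO/index.html"
IDP_ENTITY_ID = "https://idp.example.test/home/metadata"
REGISTERED_CERT = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
ROTATED_CERT = base64.b64encode(b"constructed placeholder for a key the SP has never seen").decode()

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{REGISTERED_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_response(issuer: str, destination: str, cert_b64: str) -> str:
    """Hypothetical helper: build a minimal Response skeleton with a Response-level KeyInfo."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="2017-06-28T08:45:22Z" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint of the DER bytes inside an X509Certificate element (whitespace ignored)."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def idp_facts(metadata_xml: str) -> dict:
    """entityID plus the fingerprints of every certificate usable for signing."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.find("md:IDPSSODescriptor", NS).findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing AND encryption
            for cert in kd.findall(".//ds:X509Certificate", NS):
                fps.add(cert_fingerprint(cert.text or ""))
    return {"entity_id": root.get("entityID"), "signing_fps": fps}


def response_facts(response_xml: str) -> dict:
    """Issuer, Destination and the Response-level (protocol message) signing certificate."""
    root = ET.fromstring(response_xml)
    issuer = root.find("saml:Issuer", NS)
    sig = root.find("ds:Signature", NS)  # assertion-level signatures are a separate check
    cert = sig.find(".//ds:X509Certificate", NS) if sig is not None else None
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "signing_fp": cert_fingerprint(cert.text or "") if cert is not None else None,
    }


def check_response_against_metadata(metadata_xml: str, response_xml: str, expected_acs: str) -> list:
    """Return a list of findings; an empty list means the Response is consistent with the metadata."""
    idp, resp, findings = idp_facts(metadata_xml), response_facts(response_xml), []
    if resp["issuer"] != idp["entity_id"]:  # exact string match, so a trailing slash is enough to fail
        findings.append(f"issuer mismatch: Response Issuer {resp['issuer']!r} != metadata entityID {idp['entity_id']!r}")
    if resp["destination"] != expected_acs:
        findings.append(f"destination mismatch: {resp['destination']!r} != ACS {expected_acs!r}")
    if resp["signing_fp"] is None:
        findings.append("no X509Certificate in the Response signature; the SP must rely on metadata keys alone")
    elif resp["signing_fp"] not in idp["signing_fps"]:
        findings.append("signing certificate in Response is not a signing key in IdP metadata (rotated or wrong IdP?)")
    return findings


if __name__ == "__main__":
    good = make_response(IDP_ENTITY_ID, ACS_URL, REGISTERED_CERT)
    bad = make_response(IDP_ENTITY_ID + "/", ACS_URL, ROTATED_CERT)  # trailing slash + unknown key
    for name, xml in (("good", good), ("bad", bad)):
        print(name, check_response_against_metadata(IDP_METADATA, xml, ACS_URL) or ["consistent"])
```

Run it against the real files by reading the decoded Response and the downloaded metadata into strings instead of the constructed ones; the Issuer check in particular mirrors how the SP looks up metadata by exact entityID, which is why a URL that "can be downloaded" can still produce "Metadata for issuer ... wasn't found".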

            • 3. Re: SAML Authentication with a custom IdP
              martijn.schreurs.0

              Hi Sylvain, I'm faced with the exact same error - trying to configure OneLogin on a Site. Did you ever find a solution or fix to this issue?

              • 4. Re: SAML Authentication with a custom IdP
                Sylvain Cogné

                Hi Martijn,

                 

                Actually, we could not find a solution to this issue and, as we were testing it with the free version of OneLogin, we could not benefit from the support... We talked about it with Tableau during the conference in Vegas and it was definitely a problem of configuration of the IdP, but without the help of the identity provider, I think this is difficult to solve...

                 

                When configuring Tableau SAML for the complete server, it works fine, but as soon as you switch to site-specific...

                 

                Do you have the free version or the Enterprise package from OneLogin?

                 

                BR

                Sylvain

                • 5. Re: SAML Authentication with a custom IdP
                  martijn.schreurs.0

                  Thanks so much for your fast response Sylvain.

                   

                  I'm also using the free version; I just wanted to set up a small proof-of-concept for our client so they could see the exact behaviour. Did you try with Okta or any other of the free IdPs out there?


                  Thanks again,
                  Martijn

                  • 6. Re: SAML Authentication with a custom IdP
                    Sylvain Cogné

                    Same thing for me: it was only for a POC for one of our clients, so I only tested it with this free version. I did not try with any other one, but one of my colleagues has already configured it with their own IdP (self-programmed solution) and it worked... So I guess the solution has to be found directly with the IdP, and it would be good to have one that supports this site-specific configuration !!! :-)

                     

                    I will test it again as I am currently trying to configure SAML on a Linux installation... I will let you know if I find something that works.

                     

                    BR

                    Sylvain