1 Reply Latest reply on Aug 15, 2017 6:13 AM by Sylvain Cogné

    SAML site specific authentication is not working

    Sylvain Cogné

      Hello Tableau Community,

       

      I am currently working on the configuration of a Tableau Server. The authentication needs to be configured using the site specific SAML authentication as we would like to have "internal" and "external" users working on the same Server.

       

      I am using OneLogin as IdP and I have installed Tableau Server Beta 10.4 on a Microsoft Azure server as we do not have our licence number for the moment. I have used the following article to configure my connection to Tableau Server using OneLogin:

       

      https://www.interworks.com/de/blog/tkau/2016/03/30/how-configure-tableau-server-saml-onelogin-idp

       

      When I configure the authentication SAML Server-wide, it works and I am able to connect to the Server using my SAML test users. But as soon as I switch to a site specific SAML authentication, my SAML users are not able to connect anymore, with the following error message: "username or Password is not correct".

       

      I use the same configuration that is working Server-wide and so I know that there are no typos (I have checked several times...). My IdP metadata are the same for the two configurations.

       

      Analysing the logs, I can see that the authentication is working in the IdP, but something must be wrong in the communication between the IdP and Tableau Server so that Tableau does not grant me the access.

       

      I have also tried several configurations in the linked parameters but without any success for the moment.

       

      When I configure the Server authentication SAML Server+Site, then I am able to access the Server using my SAML test users but not with local admin users...

       

      I have no idea where to look and in which Tableau logs (in debug mode?) I could find the information.

       

      Any tips or ideas would be very welcome.

       

      Thanks a lot in advance.

       

      BR

      Sylvain

        • 1. Re: SAML site specific authentication is not working
          Sylvain Cogné

          I have the following message when analysing the logs:

           

          2017-08-15 12:22:25.456 +0000 (,,,) catalina-exec-3 : ERROR com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.
          org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
              at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:93)
              at com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter.doAttemptAuthentication(SAMLExtendedProcessingFilter.java:187)
              at com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter.attemptAuthentication(SAMLExtendedProcessingFilter.java:171)
              at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
              at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
              at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
              at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
              at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
              at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
              at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
              at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
              at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
              at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at com.tableausoftware.core.controller.RelativeRedirectFilter.doFilter(RelativeRedirectFilter.java:62)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
              at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
              at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
              at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
              at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2549)
              at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2538)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:748)
          Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
              at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
              at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
              at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
              at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
              at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
              at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
              at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
              at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
              at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
              ... 40 more
          2017-08-15 12:22:25.456 +0000 (,,,) catalina-exec-3 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML login failed due generic exception Incoming SAML message is invalid

           

          but I cannot figure out what I can do and how to have an impact on this signature...

           

          Any ideas?

           

          Thank you in advance

          Sylvain

          1 of 1 people found this helpful
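
Added example, not part of the original thread and not Tableau or OneLogin code: the "Validation of protocol message signature failed" cause in the log above means the signature on the SAML Response did not validate against the IdP credentials the server trusts, so one diagnostic step is to compare the certificate embedded in a captured Response with the signing certificates in the IdP metadata loaded for the site. The function names, result strings and sample XML below are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _fingerprints(elements):
    """SHA-256 over the decoded bytes of each ds:X509Certificate element."""
    return {hashlib.sha256(base64.b64decode("".join((e.text or "").split()))).hexdigest()
            for e in elements}

def diagnose(metadata_xml, response_xml):
    """Compare the IdP metadata signing certs with the cert in the Response signature.
    Does not verify the signature itself; feed it only XML you captured yourself."""
    trusted = set()
    metadata = ET.fromstring(metadata_xml)
    for kd in metadata.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute: key serves both purposes
            trusted |= _fingerprints(kd.findall(".//ds:X509Certificate", NS))
    # Direct child of samlp:Response, i.e. the protocol message signature.
    sig = ET.fromstring(response_xml).find("ds:Signature", NS)
    if sig is None:
        return "response-not-signed"
    used = _fingerprints(sig.findall(".//ds:X509Certificate", NS))
    if not used:
        return "no-cert-embedded-in-signature"
    return "cert-matches-metadata" if used & trusted else "cert-not-in-metadata"

# Constructed sample data: placeholder bytes stand in for real DER certificates.
CERT_A = base64.b64encode(b"constructed-idp-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-idp-cert-B").decode()

def _keyinfo(cert):
    return (f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data><ds:X509Certificate>'
            f'{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>')

def sample_metadata(cert):
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://idp.example.invalid">'
            f'<md:IDPSSODescriptor><md:KeyDescriptor use="signing">{_keyinfo(cert)}'
            f'</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')

def sample_response(cert):
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}">'
            f'<ds:Signature>{_keyinfo(cert)}</ds:Signature></samlp:Response>')
```

A "cert-matches-metadata" result rules out a certificate mismatch only; the signature can still fail validation for other reasons, which this check does not cover.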