3 Replies Latest reply on Feb 26, 2018 9:35 AM by Carisa Chang

    Error with SAML Logout

    shrikant.patil.2

      Hello All,

I have set up a test server to check on-premise ADFS SAML integration. Users notified us about an intermittent generic error page they see from ADFS after logging out of Tableau Server; when they try to access it right after, they get the error. I am no expert with ADFS here, but I found a few lines in the SP and IdP metadata which don't look right. It's the SingleLogoutService section which I feel is not configured correctly. The HTTP-POST location in SP metadata is different from the one specified in IdP metadata. The ADFS team told us they share the same metadata with other applications and nothing will be different from application to application. Can someone provide some insight here?

      Part of Tableau SP Metadata sent to ADFS team:

      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://on-premTableau.com/wg/saml/SingleLogout/index.html"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://on-premTableau.com/wg/saml/SSO/index.html" index="0" isDefault="true"/>

      Part of IdP Metadata received from ADFS team and imported using Tableau Server Configuration Utility:

      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ADFS.com/adfs/ls/"/>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ADFS.com/adfs/ls/"/>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ADFS.com/adfs/ls/" index="0" isDefault="true"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://ADFS.com/adfs/ls/" index="1"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ADFS.com/adfs/ls/" index="2"/>

        • 1. Re: Error with SAML Logout
          Carisa Chang

          Hi there!


          The logout binding should be different here. The SP metadata should have Tableau Server's logout endpoint, and the IdP metadata should have ADFS's logout endpoint. I'm assuming you changed the domains in the examples above for data privacy reasons, and they are your actual domains in the files?


          You'll want to work with your ADFS admin to capture a packet trace of a user seeing the ADFS error, so they can tell you why a user would end up on that page. If it is something that Tableau Server is sending that ADFS doesn't recognize, opening a case with Tableau Tech Support would be the next best step, so they can tell you whether you can adjust settings on Tableau Server to send what ADFS is expecting.


          If you have a screenshot of the page that you can share, it might be something we've seen before.
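A small check for the endpoint pairing described above (the SP metadata carries the SP's own logout endpoint, the IdP metadata carries the IdP's, and both sides offer a common logout binding), written as an added example for this thread rather than anything from Tableau or ADFS. The embedded metadata is constructed from the fragments in the question, wrapped in EntityDescriptor roots with placeholder hostnames and entityIDs.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
B = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed fragments modelled on the SP and IdP metadata quoted in the thread,
# wrapped in EntityDescriptor roots so they parse; hostnames/entityIDs are placeholders.
SP_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://on-premTableau.com/wg/saml/metadata">
 <md:SPSSODescriptor>
  <md:SingleLogoutService Binding="{B}HTTP-POST" Location="https://on-premTableau.com/wg/saml/SingleLogout/index.html"/>
  <md:AssertionConsumerService Binding="{B}HTTP-POST" Location="https://on-premTableau.com/wg/saml/SSO/index.html" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""
IDP_XML = f"""<EntityDescriptor xmlns="{MD}" entityID="https://ADFS.com/adfs/services/trust">
 <IDPSSODescriptor>
  <SingleLogoutService Binding="{B}HTTP-Redirect" Location="https://ADFS.com/adfs/ls/"/>
  <SingleLogoutService Binding="{B}HTTP-POST" Location="https://ADFS.com/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def slo_endpoints(xml_text, role):
    """Map binding short name (e.g. HTTP-POST) -> Location for the role's SingleLogoutService elements."""
    role_el = ET.fromstring(xml_text).find(f"{{{MD}}}{role}")
    if role_el is None:
        raise ValueError(f"metadata has no {role}")
    return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
            for e in role_el.findall(f"{{{MD}}}SingleLogoutService")}


def check_logout_pairing(sp_xml, idp_xml):
    """Return a list of findings; an empty list means the SLO pairing looks consistent."""
    findings = []
    sp_host = urlparse(ET.fromstring(sp_xml).get("entityID")).hostname
    idp_host = urlparse(ET.fromstring(idp_xml).get("entityID")).hostname
    sp_slo = slo_endpoints(sp_xml, "SPSSODescriptor")
    idp_slo = slo_endpoints(idp_xml, "IDPSSODescriptor")
    if not set(sp_slo) & set(idp_slo):
        findings.append(f"no common SLO binding: SP {sorted(sp_slo)} vs IdP {sorted(idp_slo)}")
    # Each side's logout endpoint must live on that side's own host; an endpoint copied
    # from the other party is exactly the kind of mismatch the thread asks about.
    for side, slo, own, other in (("SP", sp_slo, sp_host, idp_host), ("IdP", idp_slo, idp_host, sp_host)):
        for binding, loc in slo.items():
            u = urlparse(loc)
            if u.hostname == other:
                findings.append(f"{side} {binding} SLO endpoint points at the other party's host: {loc}")
            elif u.hostname != own:
                findings.append(f"{side} {binding} SLO endpoint host {u.hostname} differs from entityID host {own}")
    return findings
```

Running it against the thread's fragments yields no findings, which is what the answer above expects: the two SingleLogoutService locations are supposed to differ because they belong to different parties.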

          • 2. Re: Error with SAML Logout
            shrikant.patil.2


            Hi Carisa,

            Thanks for your response! Yes, I changed the Tableau & ADFS URLs in the post. Attaching the error page screenshot. The error description is very generic. I have also sent the F12 Net XML to the support team to see if they could find anything. The event trace on the ADFS side says "Exception triggers error page: Exception: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request." I don't have much detail from the ADFS side either. I have narrowed it down to the observation that the logout error only appears when I have another ADFS session open in another tab. E.g., when I open the IE browser, the first tab by default opens our organization's internal portal, which is ADFS integrated as well. Now, if I open the Tableau URL in another portal and then try to sign out, I get the error.


            Thanks,

            Shrikant Patil

            469-292-7009

            • 3. Re: Error with SAML Logout
              Carisa Chang

              Ah, okay, that helps!


              With that error message, it means there is nothing listening on the ADFS side when Tableau Server sends a logout request. You'll want to keep working with the ADFS team to narrow down the cause; if they have any questions about what Tableau Server is sending, please open a case with Tableau Technical Support. Tableau Support won't be able to tell you how to fix the ADFS setting, but they can show you in a packet trace that the request is leaving Tableau Server successfully, if that is something the ADFS Support engineer needs to see.