6 Replies Latest reply on Apr 10, 2018 6:12 PM by Shimpei Kodama

    SAML SSO Error with Azure AD

    Shimpei Kodama

We are using Tableau Online with SAML authentication enabled and our IdP is Azure AD.

Since we started using Tableau Online, we are facing the SSO error described in Intermittent Error "Unable to Sign In" with SAML SSO on Tableau Server | Tableau Software.

And YES, logout/login from Azure AD works as a workaround.

      But I'd like to know if we can configure Tableau Online / Azure AD not to cause the error.

      Does anyone have any idea about specific setting for Tableau Online/Azure AD to resolve this error?


      The KB says...


      "To prevent the error from occurring, configure Tableau Server and the IdP/AD (Identity Provider and/or Active Directory) to all have the same maximum authentication age. Tableau Server's maximum authentication age setting is wgserver.saml.maxauthenticationage and takes time in units of seconds. The highest possible setting for Tableau Server's maximum authentication age is 2073600 seconds (ie 24 days)."


      But I cannot find which property to configure in Azure AD, and don't know the value of "wgserver.saml.maxauthenticationage" in Tableau Online.


<What I've dug up>

      Here is our error log.


      2018-02-21T08:48:56.037Z |    ERROR | requestId=[K2VVW6rq7i], url=[/public/sp/SSO], status=[401], cause=[Error validating SAML message; caused by: Authentication statement is too old to be used with value 2018-01-24T12:48:38.608Z], displayableMessage=[null], exceptionClass=[null]

      2018-02-21T08:48:56.021Z |     INFO | SAML operation: AuthNResponse

      Result code: FAILURE


and it seems to be checking the AuthnInstant attribute in the SAML Assertion. And the value of AuthnInstant is 28 days old.

      <AuthnStatement AuthnInstant="2018-01-24T12:48:38.608Z" SessionIndex="***"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement>


      Then, here is our OK log.


      2018-02-21T09:12:13.062Z |     INFO | SAML operation: AuthNResponse

      Result code: SUCCESS


and the value of the AuthnInstant attribute in the SAML Assertion for the OK log is 12 days old.

      <AuthnStatement AuthnInstant="2018-02-09T12:24:25.712Z" SessionIndex="***"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement>


So it seems the value of "wgserver.saml.maxauthenticationage" is between 12 and 28 days?

But I don't know how to set a limit for AuthnInstant in Azure AD.
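The check the post is reasoning about, reconstructed as an added example (this is not Tableau's or Azure AD's code, and not part of the original post): the service provider reads AuthnInstant from the assertion's AuthnStatement, compares it with its own clock at validation time, and rejects the response when the difference exceeds its maximum authentication age. The two AuthnStatement fragments and the two log timestamps below are copied from the post; the limit of 2073600 seconds is an assumption taken from the KB's stated upper bound, since the post does not reveal Tableau Online's actual value, and the function names are made up for this example. The last function does what the post does by hand: it brackets the unknown limit between the oldest accepted age and the youngest rejected age seen in the logs.

```python
"""Reconstruction of an SP-side SAML AuthnInstant age check, driven by the
assertions and log timestamps quoted in the post above (example code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# AuthnStatement fragments copied from the post (SessionIndex was redacted there as ***).
FAILED_ASSERTION = ('<AuthnStatement AuthnInstant="2018-01-24T12:48:38.608Z" SessionIndex="***">'
                    '<AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
                    '</AuthnContextClassRef></AuthnContext></AuthnStatement>')
OK_ASSERTION = ('<AuthnStatement AuthnInstant="2018-02-09T12:24:25.712Z" SessionIndex="***">'
                '<AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
                '</AuthnContextClassRef></AuthnContext></AuthnStatement>')

# Server clock at the moment each AuthNResponse was validated, taken from the log lines in the post.
FAILED_AT = datetime(2018, 2, 21, 8, 48, 56, 37000, tzinfo=timezone.utc)
OK_AT = datetime(2018, 2, 21, 9, 12, 13, 62000, tzinfo=timezone.utc)

# ASSUMPTION: the post does not state Tableau Online's maxauthenticationage; the KB only gives
# 2073600 s (24 days) as the highest configurable value, so that cap is used as the limit here.
MAX_AUTH_AGE_SECONDS = 2073600


def parse_saml_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2018-01-24T12:48:38.608Z (UTC, optional fraction)."""
    if not value.endswith("Z"):
        raise ValueError(f"AuthnInstant must be UTC with a trailing Z: {value!r}")
    body = value[:-1]
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable AuthnInstant: {value!r}")


def authn_instant_of(xml_fragment: str) -> str:
    """Return the raw AuthnInstant of the first AuthnStatement, whether or not it is namespaced
    (a real Azure AD assertion prefixes it as saml:AuthnStatement; the post's fragment does not)."""
    root = ET.fromstring(xml_fragment)
    for el in root.iter():
        if el.tag.split("}")[-1] == "AuthnStatement" and "AuthnInstant" in el.attrib:
            return el.attrib["AuthnInstant"]
    raise ValueError("no AuthnStatement/@AuthnInstant in assertion")


def check_authn_age(xml_fragment: str, now: datetime,
                    max_age_seconds: int = MAX_AUTH_AGE_SECONDS) -> tuple:
    """The age check: an AuthnInstant older than max_age_seconds means the IdP session is
    too old and the user must authenticate again. Returns (accepted, age_seconds, message)."""
    raw = authn_instant_of(xml_fragment)
    age = (now - parse_saml_instant(raw)).total_seconds()
    if age < 0:  # IdP clock ahead of the SP beyond any skew tolerance
        return False, age, f"AuthnInstant is in the future: {raw}"
    if age > max_age_seconds:
        return False, age, f"Authentication statement is too old to be used with value {raw}"
    return True, age, f"AuthnInstant {raw} is {age / 86400:.1f} days old, within limit"


def bound_max_auth_age(observations) -> tuple:
    """Bracket the SP's unknown limit from (age_seconds, accepted) pairs seen in the logs:
    it is at least the oldest accepted age and at most the youngest rejected age."""
    accepted = [age for age, ok in observations if ok]
    rejected = [age for age, ok in observations if not ok]
    lower = max(accepted) if accepted else 0.0
    upper = min(rejected) if rejected else float("inf")
    return lower, upper


if __name__ == "__main__":
    seen = []
    for label, fragment, at in (("FAILURE", FAILED_ASSERTION, FAILED_AT),
                                ("SUCCESS", OK_ASSERTION, OK_AT)):
        ok, age, msg = check_authn_age(fragment, at)
        seen.append((age, ok))
        print(f"{label}: accepted={ok} age={age / 86400:.2f} days; {msg}")
    lo, hi = bound_max_auth_age(seen)
    print(f"configured limit lies between {lo / 86400:.2f} and {hi / 86400:.2f} days")
```

Run against the post's data, the failed response is 27.8 days old and the accepted one 11.9 days old, so the limit is bracketed between those two values; the KB's 24-day cap sits inside that window, which is consistent with the logs but does not prove it is the configured value. Because the check is entirely on the SP side and the IdP only reports when the user last authenticated, the only lever on the Azure AD side is to force a fresh authentication (a shorter session or a forced re-login) before the SP's limit is reached.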