4 Replies Latest reply on Jul 20, 2018 8:59 AM by Carisa Chang

    How to implement SSO on Tableau Server + Linux + PingFed

    Vamshi Krishna P

      Hi Folks,

       

      Need urgent help implementing SSO (SAML) on Tableau Server, which is installed on a Linux server. We use PingFed.

      I went through the documentation below and have a few questions; could you please answer them?

       

      This is the template we need to apply on the server to implement SAML:

      {
        "configEntities": {
          "samlSettings": {
            "_type": "samlSettingsType",
            "enabled": true,
            "returnUrl": "required",
            "entityId": "required",
            "certFile": "required",
            "keyFile": "required",
            "idpMetadataFile": "required",
            "idpDomainAttribute": "",
            "idpUsernameAttribute": "required"
          }
        }
      }

      So in this template:

       

      1) How to generate idpMetadataFile?

      2) What is certFile and from where I can get the required certificate?

      3) What is this keyFile and how to get that?

       

      Thanks and Regards

      Vamshi Pulumati

        • 1. Re: How to implement SSO on Tableau Server + Linux + PingFed
          Carisa Chang

          Hi Vamshi,

           

          1. The idpMetadata file is generated by your IdP, in this case PingFederate
          2. The certFile is the SSL certificate that you or your IT team will generate for Tableau Server
          3. The keyFile is the key used when generating the SSL certificate mentioned above, again created by you or your IT team

           

          I suggest reading this section of the Tableau Server Online Help, which covers SAML requirements in detail and answers these and many other questions you are likely to have while configuring SAML:

          SAML Requirements

          • 2. Re: How to implement SSO on Tableau Server + Linux + PingFed
            Vamshi Krishna P

            Thanks for your reply Carisa.

             

            But we are not implementing SSL for Tableau, so is it still required to generate an SSL certificate and apply it for implementing SSO?

            One more question:

            Is it possible to implement both LDAP and SSO on Tableau Server?

            • 3. Re: How to implement SSO on Tableau Server + Linux + PingFed
              Vamshi Krishna P

              Hi Guys,

               

              We have a metadata file, a proper certificate file, and key files. But after implementing SSO we are getting the "invalid username or password" error. In the logs I can see the error below.

              Can someone please help me solve this issue?

               

              2018-07-19 07:13:52.063 -0700 (,,,,) catalina-exec-2 : INFO  org.springframework.security.saml.log.SAMLDefaultLogger - AuthNResponse;FAILURE;10.XXX.XXX.XXX;http://<>;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Requester, status message is Invalid signature
                      at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
                      at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
                      at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
                      at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)

              2018-07-19 07:13:52.065 -0700 (,,,,) catalina-exec-2 : ERROR com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.
              org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
                      at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:95)
                      at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
                      at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthenticat
              Caused by: org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Requester, status message is Invalid signature
                      at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
                      at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
                      ... 42 more

              Thanks and Regards
              Vamshi Pulumati

              • 4. Re: How to implement SSO on Tableau Server + Linux + PingFed
                Carisa Chang

                Hi Vamshi,

                 

                This usually means the certificate used to sign the response your IdP is sending to Tableau Server is not the same certificate that is in the metadata file. Tableau Server verifies these certificates match in order to be certain the response is valid. Tableau Tech Support can assist with troubleshooting further from the logs, but I would start by comparing the certificate in the response with the certificate in the IdP metadata file.

                 

                In order to capture the IdP assertions, you'll need to use a packet trace program, like Fiddler - or a browser plugin, like Firefox's SAMLTracer:

                 

                SAML-tracer – Add-ons for Firefox
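
The comparison suggested in reply 4, sketched in Python as an added example (not part of the original thread and not Tableau or PingFederate code): it fingerprints the signing certificates listed in the IdP metadata and those embedded in a captured response. It assumes the captured value is the base64 SAMLResponse form field; the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def fingerprint(b64_text):
    """SHA-256 of the DER bytes held in a ds:X509Certificate element."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()

def metadata_fingerprints(metadata_xml):
    """Certificates the IdP metadata declares for signing (use="signing" or unset)."""
    root = ET.fromstring(metadata_xml)
    return {fingerprint(c.text)
            for kd in root.iter(MD + "KeyDescriptor") if kd.get("use") in (None, "signing")
            for c in kd.iter(DS + "X509Certificate")}

def response_fingerprints(saml_response_b64):
    """Certificates embedded in ds:Signature elements of a captured SAMLResponse value."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return {fingerprint(c.text)
            for sig in root.iter(DS + "Signature") for c in sig.iter(DS + "X509Certificate")}

def compare(metadata_xml, saml_response_b64):
    resp = response_fingerprints(saml_response_b64)
    if not resp:
        return "no-cert-in-response"  # unsigned, or signature carries no KeyInfo
    return "match" if resp <= metadata_fingerprints(metadata_xml) else "mismatch"

# Constructed sample data: placeholder bytes stand in for real DER certificates.
CERT_A = base64.b64encode(b"constructed-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-cert-B").decode()

def key_info(cert):
    return f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"

def sample_metadata(cert):
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:IDPSSODescriptor>'
            f'<md:KeyDescriptor use="signing">{key_info(cert)}</md:KeyDescriptor>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>')

def sample_response(cert=None):
    sig = f"<ds:Signature>{key_info(cert)}</ds:Signature>" if cert else ""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">{sig}</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

print(compare(sample_metadata(CERT_A), sample_response(CERT_B)))  # mismatch
```

A "match" only shows that the certificate embedded in the response is one the metadata lists; it does not validate the signature itself.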