
Intermittent Error "Unable to Sign In" with SAML SSO on Tableau Server


Published: 17 Nov 2016
Last Modified Date: 06 Oct 2017

Issue

When Tableau Server has been configured for SAML authentication, users intermittently receive the following error:

Unable to Sign In
Invalid username or password
Try Again


The VizPortal logs, when set to log at the debug level*, indicate the following:
...DEBUG org.springframework.security.saml.websso.WebSSOProfileConsumerImpl - Validation of received assertion failed, assertion will be skipped 
org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used.


*The Tableau Server VizPortal logs must be set to debug level before the error is encountered in order to log the error message shown above. For more information about logging levels, refer to Change Logging Levels.

Environment

• Tableau Server
• SAML authentication

Resolution

To temporarily resolve the error, sign out of the IdP and sign back in.

To prevent the error from occurring, configure Tableau Server and the IdP/AD (Identity Provider and/or Active Directory) to all use the same maximum authentication age. Tableau Server's maximum authentication age setting is wgserver.saml.maxauthenticationage, which takes a value in seconds. The highest possible value for this setting is 2073600 seconds (i.e., 24 days).

Cause

If the maximum token age configured on the IdP or AD is longer than the maximum authentication age on Tableau Server, any token older than Tableau Server's allowed age triggers the "unable to sign in, invalid username or password" error: the IdP still treats the token as valid, while Tableau Server does not.
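The age check described above, as an added example that is not part of the original article or Tableau Server's own code: it reads AuthnInstant from a constructed SAML assertion, compares its age to a maximum authentication age in seconds, and computes how long an IdP keeps honouring a login that the service provider already rejects. The function names, the sample assertion and the fixed clock are assumptions for illustration.

```python
# Added example: authentication-age check on a constructed SAML assertion.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TABLEAU_MAX_AGE = 2073600     # highest wgserver.saml.maxauthenticationage (24 days)
IDP_DEFAULT_AGE = 90 * 86400  # common IdP/AD default per the article (90 days)

def sample_assertion(instant):
    """Build a minimal, constructed assertion carrying only an AuthnStatement."""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:AuthnStatement AuthnInstant="{instant:%Y-%m-%dT%H:%M:%SZ}"/>'
            '</saml:Assertion>')

def authn_instant(assertion_xml):
    """Return AuthnInstant of the first AuthnStatement as an aware UTC datetime."""
    stmt = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion has no AuthnStatement/AuthnInstant")
    parsed = datetime.fromisoformat(stmt.attrib["AuthnInstant"].replace("Z", "+00:00"))
    # SAML timestamps are UTC; treat a missing offset as UTC rather than failing.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def check_authn_age(assertion_xml, max_age_seconds, now):
    """Return (accepted, age_seconds); rejected means 'statement is too old'."""
    age = (now - authn_instant(assertion_xml)).total_seconds()
    return age <= max_age_seconds, age

def rejection_window(idp_max_age, sp_max_age):
    """Seconds during which the IdP still honours a login the SP already rejects."""
    return max(0, idp_max_age - sp_max_age)

if __name__ == "__main__":
    now = datetime(2017, 10, 6, 12, 0, tzinfo=timezone.utc)  # constructed clock
    for days in (1, 23, 25, 89):
        xml = sample_assertion(now - timedelta(days=days))
        ok, age = check_authn_age(xml, TABLEAU_MAX_AGE, now)
        print(f"login {days:>2} days old ({age:.0f}s): {'accepted' if ok else 'too old'}")
    gap = rejection_window(IDP_DEFAULT_AGE, TABLEAU_MAX_AGE)
    print(f"mismatch window: {gap}s ({gap // 86400} days)")
```

With a 90-day IdP setting and the 24-day Tableau Server maximum, the mismatch window is 66 days, which is why the error appears intermittently: only users whose IdP login is older than the Tableau Server limit are affected.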

Additional Information

In many ADs and IdPs, the default maximum token age is 90 days. To prevent the above error, this setting will need to be changed to 24 days or fewer. Refer to the documentation for your AD or IdP for information on changing this setting.