SAML Authentication Fails in Multiple Domain Environment


Published: 13 Oct 2016
Last Modified Date: 21 Oct 2016

Issue

Login errors occur when users who are members of a non-default domain attempt to log into Tableau Server using SAML, although the users have valid Tableau Server accounts. 

Environment

  • Tableau Server
  • SAML
  • Multiple trusted AD domains

Resolution

Add the domain to your SAML assertion so that the 'username' attribute is passed in the "domain\username" or "username@domain.com" format. "Domain\username" is the recommended format.

Cause

The IdP was passing only the username, not the domain. When it processes the SAML assertion, Tableau Server automatically prepends the default domain to an unqualified username, so a user who belongs to any other domain is looked up under the wrong domain and the resulting username does not exist.
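The following is an added example, not code from the article or from Tableau: it reproduces the resolution logic described above (an unqualified 'username' attribute gets the default domain prepended) so an administrator can check an IdP's assertion offline before rolling it out. The SAML assertions, domains and user names are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

def _local(tag: str) -> str:
    # Strip any XML namespace so prefixed and unprefixed assertions both match.
    return tag.rsplit("}", 1)[-1]

def extract_username_attribute(assertion_xml: str) -> Optional[str]:
    """Return the text of <Attribute Name="username"><AttributeValue>, or None if absent."""
    root = ET.fromstring(assertion_xml)
    for elem in root.iter():
        if _local(elem.tag) == "Attribute" and elem.get("Name") == "username":
            for child in elem:
                if _local(child.tag) == "AttributeValue" and child.text:
                    return child.text.strip()
    return None

def split_domain(username: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' or 'user@domain' into (domain, user); (None, user) if unqualified."""
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return domain, user
    if "@" in username:
        user, _, domain = username.rpartition("@")
        return domain, user
    return None, username

def resolve_fully_qualified(username: str, default_domain: str) -> str:
    """Mirror the behaviour in the article's log: an unqualified username gets the default domain."""
    domain, user = split_domain(username)
    return f"{domain or default_domain}\\{user}"

def check_assertion(assertion_xml: str, default_domain: str) -> Tuple[bool, Optional[str]]:
    """Return (domain_qualified, resolved); False means non-default-domain users will fail to log in."""
    username = extract_username_attribute(assertion_xml)
    if username is None:
        return False, None
    domain, _ = split_domain(username)
    return domain is not None, resolve_fully_qualified(username, default_domain)

# Constructed sample assertions (placeholder domains and users, not real data).
_TEMPLATE = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
             '<saml:AttributeStatement><saml:Attribute Name="username">'
             '<saml:AttributeValue>{}</saml:AttributeValue></saml:Attribute>'
             '</saml:AttributeStatement></saml:Assertion>')
ASSERTION_UNQUALIFIED = _TEMPLATE.format("jsmith")          # what the failing IdP sent
ASSERTION_QUALIFIED = _TEMPLATE.format("SALES\\jsmith")     # the recommended format
```

Run `check_assertion(ASSERTION_UNQUALIFIED, "CORP")` to see the unqualified value collapse to `CORP\jsmith`, which is the wrong account for a SALES user.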


Additional Information

VizPortal debug-level logs will resemble the excerpt below.


Date/Time  -AuthNResponse (...) <AttributeStatement><Attribute Name="username"><AttributeValue>[USERNAME]</AttributeValue></Attribute>

(...)

Date/Time  -SAMLResponse attributes: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[USERNAME], username=[USERNAME]}
Date/Time  -Considering domain null extracted from   in saml response for username [USERNAME]
Date/Time  -Using domain [DefaultDomain] extracted from username in saml response for username [USERNAME]
Date/Time  -Using fully qualified username [DefaultDomain]\[USERNAME] from saml response
Date/Time  -SAML IDP login was successful, proceeding to create session for username : [DefaultDomain]\[USERNAME] authUserId : Optional.absent() displayName : Optional.absent() email : Optional.absent() logoutSupported : true on provided target site null

(...)

Date/Time  -Attempting SSO login for username [DefaultDomain]\[USERNAME] domain null. No specific site provided.

(...)

Date/Time  - ERROR com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.
com.tableausoftware.domain.exceptions.LoginFailedException: Failed to find the system user {UserIdentity[idProvider=, domain=[DefaultDomain], userName=[USERNAME]} (errorCode=5)