SAML Sign In Fails with Okta as IdP


Published: 21 Mar 2016
Last Modified Date: 31 Aug 2016

Issue

After configuring Okta SAML, users are not able to log in. Additionally, the following entries can be found in the logs:

Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed

and:

<time stamp> (,,,) catalina-exec-2 : DEBUG com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML login failed due generic exception Incoming SAML message is invalid
<time stamp> (,,,) catalina-exec-2 : INFO  com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML login failed, redirecting user to /#/error/signin/16?redirectPath=/wg/saml/logout/index.html

and:

<time stamp> (,,,) catalina-exec-2 : DEBUG org.springframework.security.saml.trust.MetadataCredentialResolver - Added 0 credentials resolved from metadata of entity http://www.okta.com/exk177go76l9YoHb11d8

Environment

  • Tableau Server
  • Okta or SAML

Resolution

Re-export the metadata from Okta. 

 

Cause

The redirect URL in the current Tableau Server metadata was outdated. 

Additional Information

A quick test to see whether the redirect is the issue is to try an SP-initiated sign-in. If this results in a 404 from Okta, then the redirect URL is incorrect.
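
A check that can be run on an IdP metadata file before and after re-exporting it (an added example, not part of the original article and not Tableau or Okta tooling): it reports whether the entity ID named in the log is present, how many signing certificates it carries, and which SSO endpoints it lists. It assumes standard SAML 2.0 metadata XML; the sample XML, entity ID and URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not a real Okta export: entity ID, URL and certificate
# body are placeholders.
ENTITY_ID = "http://idp.example/exkPLACEHOLDER"
SAMPLE_GOOD = f"""<md:EntityDescriptor xmlns:md="{MD}"
    xmlns:ds="{NS['ds']}" entityID="{ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDERBASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example/app/placeholder/sso/saml"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Same file with no key usable for signature validation.
SAMPLE_NO_KEY = SAMPLE_GOOD.replace('use="signing"', 'use="encryption"')


def inspect_idp_metadata(xml_text, expected_entity_id):
    """Report entity presence, signing certificate count and SSO endpoints."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata never needs a DTD; refuse it
        raise ValueError("DTD not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    report = {"entity_found": False, "signing_certs": 0, "sso_locations": []}
    # iter() also matches the root, so a bare EntityDescriptor and an
    # EntitiesDescriptor wrapper are both handled.
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") != expected_entity_id:
            continue
        report["entity_found"] = True
        for idp in ent.findall("md:IDPSSODescriptor", NS):
            for kd in idp.findall("md:KeyDescriptor", NS):
                # A KeyDescriptor without "use" applies to signing as well.
                if kd.get("use") in (None, "signing"):
                    certs = kd.findall(".//ds:X509Certificate", NS)
                    report["signing_certs"] += sum(
                        1 for c in certs if (c.text or "").strip())
            for sso in idp.findall("md:SingleSignOnService", NS):
                report["sso_locations"].append(sso.get("Location"))
    return report


if __name__ == "__main__":
    for name, xml_text in (("good", SAMPLE_GOOD), ("no key", SAMPLE_NO_KEY)):
        print(name, inspect_idp_metadata(xml_text, ENTITY_ID))
```

A result with entity_found False or signing_certs 0 means the file gives the service provider nothing to validate the IdP's signature with for that entity.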