SAML SSO for Tableau Server Fails when Server and Client Times are Off by More Than 5 Minutes

Issue

After configuring SAML authentication for Tableau Server or Tableau Cloud, a login information window is repeatedly prompted for login information. Additionally, the following error might occur:

Unable to Sign In; Invalid username or password.

Additionally, the Site SAML troubleshooting log file SAML logs contains the following error:

ERROR | correlationId=[ID], url=[/public/sp/SSO], status=[401], cause=[Error validating SAML message; caused by: Response issue time is either too old or with date in the future, skew 60

Environment

Tableau Cloud
Tableau Server 10
Site SAML

Resolution

Option 1

Verify that the time between the server(s) and client(s) are within 5 minutes, and that the default maxAuthenticationAge time is set correctly.

Option 2

If the times are in synchronization, add a time skew of 60 seconds on the IdP's relying party configuration.

Cause

By default, SAML authentication is set to reject any assertion older than 5 minutes. The default setting can be changed, however it is best to make sure that the client and server times synchronize properly. Most organizations employ an automatic time service or Network Time Protocol to synchronize all the computers in their domain but sometimes those services fail or are simply not in use.

Additional Information

To gather the site SAML log:

Sign in to Tableau Server or Tableau Cloud as an administrator or site administrator.
Select Settings.
Select Authentication.
Scroll to the bottom, under section 7) "Troubleshooting single sign-on (SS)" select Download log file.