Failed to Sign Assertion When Attempting SAP HANA SAML


Published: 10 Jan 2019
Last Modified Date: 15 Feb 2021

Issue

The user is prompted for credentials when trying to use a published data source, even though SAML/SSO is configured for the SAP HANA data source.
The certificate and key are in the proper format.
The 'vizqlserver_node#-#.log' file shows the following lines:

2018-12-27 17:46:10.294 +0000 (SiteName,Username,-,HTTPDid) catalina-exec-21 : INFO  wgsessionId=SomeWgSessionId com.tableausoftware.model.workgroup.util.SAMLUtils - Failed to sign assertion
2018-12-27 17:46:10.294 +0000 (SiteName,Username,-,HTTPDid) catalina-exec-21 : INFO  wgsessionId=SomeWgSessionId  com.tableausoftware.domain.keychain.SAMLImpersonationCredentialHelper - Failed to generate signed saml assertion


Even if the VizQLServer logs are set to debug mode, no SAML assertion will be shown.

Environment

  • Tableau Server
  • SAP HANA SAML 

Resolution

In some high-security settings, permissions on the certificate and key files must be set to allow full access by all users. These permissions need to be set before running the command:
 
tsm data-access set-saml-delegation configure --cert-key "c:\Program Files\Tableau\Tableau Server\SAML\saml_key.der" --cert-file "c:\Program Files\Tableau\Tableau Server\SAML\saml_cert.crt"

After the above command is run, the permissions can be set back to whatever is desired, or the certificate and key can be completely removed from the system. When running the above command, Tableau Server copies these files to a different location in the \data\ directory and distributes them to all nodes in the cluster. The original key and certificate files are no longer needed.
 

Cause

Tableau Server fails to copy the contents of these files, but erroneously treats the copy as successful.
 

Additional Information

The location that the certificate and key files are copied to is specified in the following parameter:
tsm configuration get -k wgserver.sap_hana_sso.saml.keys.dir

This defaults to: C:/ProgramData/Tableau/Tableau Server/data/tabsvc/config/vizqlserver_0.<version>/files

The certificate and key file names are specified in:
tsm configuration get -k wgserver.sap_hana_sso.saml.cert.file.name
tsm configuration get -k wgserver.sap_hana_sso.saml.key.file.name

These default to hana_cert.pem and hana_pkey_pkcs8.der.
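
Because the copy can fail without any error, it is worth confirming that the files actually exist in the configured directory before restoring permissions or deleting the originals. The following PowerShell check is an added example, not part of the original article or of Tableau's tooling; it uses only the three tsm configuration keys listed above. The helper names Get-TsmValue and Test-SamlKeyFile are hypothetical, and the script assumes that tsm prints the configured value as its last non-empty output line.

```powershell
# Added example: confirm that the SAML delegation files were really copied.
# Run in an elevated PowerShell session on a Tableau Server node, after the
# set-saml-delegation command has completed.

function Get-TsmValue {
    param([Parameter(Mandatory)][string]$Key)
    # Assumption: tsm prints the configured value as its last non-empty output line.
    $out = & tsm configuration get -k $Key 2>&1
    if ($LASTEXITCODE -ne 0) { throw "tsm failed for key ${Key}: $out" }
    $out | ForEach-Object { "$_".Trim() } | Where-Object { $_ } | Select-Object -Last 1
}

function Test-SamlKeyFile {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path   = $Path
        Exists = [bool]$item
        Bytes  = if ($item) { $item.Length } else { 0 }
        # A missing or zero-length file matches the silent copy failure in "Cause".
        Ok     = [bool]($item -and $item.Length -gt 0)
    }
}

$dir  = Get-TsmValue 'wgserver.sap_hana_sso.saml.keys.dir'
$cert = Get-TsmValue 'wgserver.sap_hana_sso.saml.cert.file.name'
$key  = Get-TsmValue 'wgserver.sap_hana_sso.saml.key.file.name'

# Check both files in the directory Tableau Server copies them to.
$results = @($cert, $key) | ForEach-Object { Test-SamlKeyFile (Join-Path $dir $_) }
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'Copy did not complete: fix the source file permissions and rerun set-saml-delegation.'
    exit 1
}
```

The script checks only the node it runs on; in a multi-node cluster, run it on each node that hosts VizQL Server.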