Server-Wide SAML Login Failed After Upgrading to 2021.1.2


Published: 30 Jun 2021
Last Modified Date: 08 Jul 2021

Issue

Server-wide SAML login fails after upgrading to 2021.1.2 from 2020.3.X.

 

Environment

Tableau Server version 2021.1.2
Linux
Windows

Resolution

tsm configuration set -k wgserver.saml.idpattribute.username -v username
tsm pending-changes apply
 

Cause

The upgrade changed the wgserver.saml.idpattribute.username value from USERNAME to EMAIL, which may not match your Tableau Server metadata for users.

 

Additional Information

com.tableausoftware.samlauthentication.model.TableauAuthenticationExceptionWrapper: Incoming SAML message has no valid value for Username attribute. Please verify ServiceProvider configuration in Identity Provider.

Debug Vizportal logs show:

2021-06-23 20:41:15.557 -0700 (-,-,-,YNP@2@ykmmNNkcE4dk9qsAAAAOQ,81116031-ca91-4210-af7d-1f26e22cd773) catalina-exec-2 auth_saml: DEBUG com.tableausoftware.samlauthentication.springsecurity.OpenSamlAuthenticationProvider - Successfully validated SAML Response [Ab8e877c9-4464-491f-a39a-c9ca8ae8c75a]
2021-06-23 20:41:15.557 -0700 (-,-,-,YNP@2@ykmmNNkcE4dk9qsAAAAOQ,81116031-ca91-4210-af7d-1f26e22cd773) catalina-exec-2 auth_saml: INFO  com.tableausoftware.samlauthentication.model.EnhancedSAMLAuthenticationProvider - Initial validation of the SAML response passed.
2021-06-23 20:41:15.557 -0700 (-,-,-,YNP@2@ykmmNNkcE4dk9qsAAAAOQ,81116031-ca91-4210-af7d-1f26e22cd773) catalina-exec-2 auth_saml: DEBUG com.tableausoftware.samlauthentication.services.ExtendedSAMLAssertionValidator - Authentication method is not specified via configuration specifying authncontexts.
2021-06-23 20:41:15.557 -0700 (-,-,-,YNP@2@ykmmNNkcE4dk9qsAAAAOQ,81116031-ca91-4210-af7d-1f26e22cd773) catalina-exec-2 auth_saml: INFO  com.tableausoftware.samlauthentication.model.EnhancedSAMLAuthenticationProvider - Extended validation of the SAML assertion passed, proceeding to identify the user.
2021-06-23 20:41:15.557 -0700 (-,-,-,YNP@2@ykmmNNkcE4dk9qsAAAAOQ,81116031-ca91-4210-af7d-1f26e22cd773) catalina-exec-2 auth_saml: DEBUG com.tableausoftware.samlauthentication.model.SAMLAssertionAttributes - Found XSString attribute: Email with value of: email@blank.com
2021-06-23 20:41:15.557 -0700 (-,-,-,YNP@2@ykmmNNkcE4dk9qsAAAAOQ,81116031-ca91-4210-af7d-1f26e22cd773) catalina-exec-2 auth_saml: DEBUG com.tableausoftware.samlauthentication.model.SAMLAssertionAttributes - Found XSString attribute: FirstName with value of: <value>
2021-06-23 20:41:15.557 -0700 (-,-,-,YNP@2@ykmmNNkcE4dk9qsAAAAOQ,81116031-ca91-4210-af7d-1f26e22cd773) catalina-exec-2 auth_saml: DEBUG com.tableausoftware.samlauthentication.model.SAMLAssertionAttributes - Found XSString attribute: LastName with value of: <value>
2021-06-23 20:41:15.557 -0700 (-,-,-,YNP@2@ykmmNNkcE4dk9qsAAAAOQ,81116031-ca91-4210-af7d-1f26e22cd773) catalina-exec-2 auth_saml: DEBUG com.tableausoftware.samlauthentication.model.SAMLAssertionAttributes - Found XSString attribute: Name with value of: <value>
2021-06-23 20:41:15.557 -0700 (-,-,-,YNP@2@ykmmNNkcE4dk9qsAAAAOQ,81116031-ca91-4210-af7d-1f26e22cd773) catalina-exec-2 auth_saml: DEBUG com.tableausoftware.samlauthentication.filters.SAMLAuthenticationProcessingFilter - Authentication request failed: com.tableausoftware.samlauthentication.model.TableauAuthenticationExceptionWrapper: Incoming SAML message has no valid value for email attribute. Please verify ServiceProvider configuration in Identity Provider.
com.tableausoftware.samlauthentication.model.TableauAuthenticationExceptionWrapper: Incoming SAML message has no valid value for email attribute. Please verify ServiceProvider configuration in Identity Provider.

Notice the slight difference between the attribute that Tableau Server wants (email) and the attribute that the IdP passes in the SAML response (Email): the two differ only in the case of the first letter. Verify the configured value in workgroup.yml and/or tabsvc.yml:

wgserver.saml.idpattribute.username: email

Resolution:

tsm configuration set -k wgserver.saml.idpattribute.username -v Email
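
The comparison described above can be automated. The following Python script is an added example, not code from this article or from Tableau: it reads Vizportal debug log text, collects the attribute names the IdP sent, and compares them with the attribute named in the failure message. The names diagnose and SAMPLE_LOG and the verdict labels are assumptions made for this example, and the sample log is constructed from the excerpt above with the line prefixes trimmed.

```python
import re

# Patterns match the Vizportal debug messages quoted in this article.
FOUND = re.compile(r"Found XSString attribute: (\S+) with value of:")
MISSING = re.compile(r"no valid value for (\S+) attribute")

# Constructed sample: the article's log excerpt with the line prefixes trimmed.
SAMPLE_LOG = """\
DEBUG SAMLAssertionAttributes - Found XSString attribute: Email with value of: email@blank.com
DEBUG SAMLAssertionAttributes - Found XSString attribute: FirstName with value of: <value>
DEBUG SAMLAssertionAttributes - Found XSString attribute: LastName with value of: <value>
DEBUG SAMLAssertionAttributes - Found XSString attribute: Name with value of: <value>
DEBUG SAMLAuthenticationProcessingFilter - Authentication request failed: Incoming SAML message has no valid value for email attribute.
"""


def diagnose(log_text):
    """Compare the attribute Tableau Server asked for with what the IdP sent."""
    sent = list(dict.fromkeys(FOUND.findall(log_text)))  # de-duplicate, keep order
    failure = MISSING.search(log_text)
    result = {"expected": None, "sent": sent, "verdict": "no-failure", "fix": None}
    if failure is None:
        return result
    expected = failure.group(1)
    result["expected"] = expected
    if expected in sent:
        # The name matches exactly, so the problem is not the attribute name.
        result["verdict"] = "name-matches"
        return result
    case_only = [name for name in sent if name.lower() == expected.lower()]
    if len(case_only) == 1:
        # Same name apart from letter case: point the setting at the IdP's spelling.
        result["verdict"] = "case-mismatch"
        result["fix"] = ("tsm configuration set -k wgserver.saml.idpattribute.username "
                         "-v " + case_only[0])
    else:
        # Nothing the IdP sent resembles the expected name.
        result["verdict"] = "not-sent"
    return result


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print(report["verdict"], "expected:", report["expected"], "sent:", report["sent"])
    if report["fix"]:
        print(report["fix"])
        print("tsm pending-changes apply")
```

A "not-sent" verdict corresponds to the first case in this article, where the server expects an attribute the IdP does not send under any spelling, so the setting has to be changed to an attribute that matches your users.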