
ADFS Fails to Redirect to Tableau Server After Accepting Credentials for SAML Authentication


Published: 18 Jul 2014
Last Modified Date: 22 Nov 2018

Issue

When logging in to Tableau Server configured for SAML authentication, ADFS accepts the login credentials but then fails to redirect to Tableau Server. The following error may appear in the log:
 
INFO  org.springframework.security.saml.log.SAMLDefaultLogger - AuthNResponse;FAILURE;::1org.opensaml.common.SAMLException: Received response has invalid status code

Environment

  • Tableau Server
  • SAML
  • ADFS

Resolution

Follow these steps so that the SAML encryption type (the hashing algorithm, SHA-1 or SHA-256) on Tableau Server matches the one configured in ADFS:

Tableau Server versions 2018.1 and earlier:

  1. Verify that ADFS is configured to use SHA-1 or SHA-256 as its hashing algorithm.
  2. Run the following command to verify the SAML encryption type on Tableau Server:
      tabadmin get wgserver.saml.sha256
  3. If the above command returns "true", Tableau Server is using SHA-256. If it returns "false", Tableau Server is using SHA-1; note that the default value is "false."
    • Run this command if ADFS is configured to use SHA-1:
      tabadmin set wgserver.saml.sha256 false
    • Run this command if ADFS is configured to use SHA-256:
      tabadmin set wgserver.saml.sha256 true
  4. Run the following commands to update the configuration:
    tabadmin config
    tabadmin restart
  5. At this point you should be able to log in.

Tableau Server versions 2018.2 and later:

  1. Verify that ADFS is configured to use SHA-1 or SHA-256 as its hashing algorithm.
  2. Run the following command to verify the SAML encryption type on Tableau Server:
      tsm configuration get -k wgserver.saml.sha256
  3. If the above command returns "true", Tableau Server is using SHA-256. If it returns "false", Tableau Server is using SHA-1; note that the default value is "false."
    • Run this command if ADFS is configured to use SHA-1:
      tsm configuration set -k wgserver.saml.sha256 -v false
    • Run this command if ADFS is configured to use SHA-256:
      tsm configuration set -k wgserver.saml.sha256 -v true
  4. Run the following command to update the configuration:
    tsm pending-changes apply
  5. At this point you should be able to log in.
 

 

Cause

The SAML encryption type, that is, the hashing algorithm (SHA-1 or SHA-256), is mismatched between ADFS and Tableau Server.

Additional Information

ADFS on Windows Server 2012 uses SHA-256 by default. 
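
To see which hash a given SAML message actually uses, the following added example (not part of the original article and not Tableau or Microsoft code) decodes a base64-encoded SAML response from the HTTP-POST binding and reports its status code, the signature and digest hashes, and the wgserver.saml.sha256 value those hashes correspond to under the true = SHA-256 / false = SHA-1 rule above. The function names and the sample messages are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Standard XML-DSig algorithm URIs mapped to the hash they use.
HASH_BY_URI = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
}

def inspect_saml(b64_message):
    """Report status code, signature/digest hashes and the matching setting."""
    xml = base64.b64decode("".join(b64_message.split()), validate=True)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations do not belong in a SAML message")
    root = ET.fromstring(xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    algs = [el.get("Algorithm")
            for tag in ("SignatureMethod", "DigestMethod")
            for el in root.iter("{%s}%s" % (NS["ds"], tag))]
    hashes = sorted({HASH_BY_URI.get(a, "unknown:%s" % a) for a in algs})
    # Article rule: "true" means SHA-256, "false" means SHA-1.
    setting = {("SHA-256",): "true", ("SHA-1",): "false"}.get(tuple(hashes))
    return {"status": status.get("Value") if status is not None else None,
            "hashes": hashes,
            "wgserver.saml.sha256": setting}  # None: unsigned, mixed or unknown

def make_sample(status, sig_uri=None, digest_uri=None):
    """Build a constructed, base64-encoded Response (not a real capture)."""
    sig = ""
    if sig_uri:
        sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
               '<ds:SignatureMethod Algorithm="%s"/><ds:Reference>'
               '<ds:DigestMethod Algorithm="%s"/></ds:Reference>'
               '</ds:SignedInfo></ds:Signature>' % (NS["ds"], sig_uri, digest_uri))
    xml = ('<samlp:Response xmlns:samlp="%s">%s<samlp:Status><samlp:StatusCode '
           'Value="urn:oasis:names:tc:SAML:2.0:status:%s"/></samlp:Status>'
           '</samlp:Response>' % (NS["samlp"], sig, status))
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    ok = make_sample("Success", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                     "http://www.w3.org/2001/04/xmlenc#sha256")
    print(inspect_saml(ok))
    print(inspect_saml(make_sample("Responder")))  # failed, unsigned response
```

The script only reads the algorithm identifiers; it does not validate the signature, and messages sent over the HTTP-Redirect binding (deflated, with the algorithm in a query parameter) are outside what it handles.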