
Error: "The sign-in was unsuccessful" and "Response has invalid status code" When Attempting to Log In to Tableau Cloud Using AD FS SAML


Published: 06 Oct 2017
Last Modified Date: 08 Jun 2022

Issue

When attempting to log in to Tableau Cloud or Tableau Server using SAML with AD FS, the following error occurs:

The sign-in was unsuccessful. Try again. 

The following error is also recorded in the tableau_authentication log (found under Step 7 when configuring SAML on Tableau Cloud):

Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null 

Environment

  • Tableau Cloud
  • Tableau Server
  • SAML
  • AD FS as IdP

Resolution

Try the options below, in the order listed, to resolve the issue:

Option 1

  1. Configure an additional AD FS relying party identifier.
  2. In AD FS Management, in the Relying Party Trusts list, right-click the relying party you created for Tableau Cloud, and click Properties.
  3. On the Identifiers tab, in the Relying party identifier box, enter https://sso.online.tableau.com/public/sp/metadata and then click Add.
  4. Select Apply and OK, then attempt to log in.

Option 2

  1. Turn off AD FS assertion encryption for the relying party. Note that Tableau Cloud does not currently support assertion encryption.
  2. On the AD FS server, use Windows PowerShell to run the following command, replacing <MyRelyingPartyName> with the display name of the AD FS relying party:

       Set-ADFSRelyingPartyTrust -TargetName <MyRelyingPartyName> -EncryptClaims 0

  • Note: If you receive the error "Set-ADFSRelyingPartyTrust Cmdlet cannot be found", you must add the AD FS PowerShell snap-in. At the command prompt, type the following command, and then repeat this step:

       Add-PSSnapin Microsoft.Adfs.PowerShell

Option 3

  1. Remove any unsupported binding types (HTTP-Redirect, HTTP-SOAP, etc.) from the IdP metadata.
  2. Re-import the metadata.xml to Tableau Cloud. (See SAML Requirements for Tableau Cloud for supporting information.)

Option 4

  1. The following error occurs in the AD FS logs: "ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier'"
  2. Follow steps 1-3 in Configure SAML with AD FS to correct a mismatch in certificates on the IdP and Tableau Cloud.

Option 5

Contact your IdP provider for help investigating why the SAML response returns a Responder status instead of Success. The IdP provider is the best resource for determining which part of the exchange the IdP is not configured to accept.

Cause

The IdP is not properly configured to send a valid authentication response. 

Additional Information

Since Responder is an error StatusCode on the AD FS side, refer to the Microsoft articles Element <StatusCode> and AD FS Troubleshooting - Events and Logging to check the AD FS administrator log and trace log for further details.

If the issue can be resolved by disabling Revocation Check on the AD FS side, the cause may relate to certificates. For more information, see AD FS Troubleshooting - Certificates.
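
To see exactly what AD FS returned before opening the AD FS logs, the SAMLResponse form field captured from the browser's POST to the service provider can be decoded and its <Status> read directly. The following is an added example, not Tableau or Microsoft code; the function name inspect_saml_response and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def inspect_saml_response(b64_response: str) -> dict:
    """Summarise <Status> of a base64 SAMLResponse form field (diagnostic only;
    this does not verify signatures or decrypt anything)."""
    xml_bytes = base64.b64decode("".join(b64_response.split()))
    # Reject documents that declare a DTD so entity tricks never get parsed.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not allowed in SAML")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response has no <Status> element")
    # StatusCode elements nest: the first is the class of failure, any
    # nested code is the IdP's more specific reason.
    codes, node = [], status.find("samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return {
        "status_codes": codes,
        "status_message": status.findtext("samlp:StatusMessage", None, NS),
        "success": codes[:1] == [SUCCESS],
        "has_assertion": root.find("saml:Assertion", NS) is not None,
        "has_encrypted_assertion":
            root.find("saml:EncryptedAssertion", NS) is not None,
    }


# Constructed sample reproducing the status from the log line in this article.
SAMPLE = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed" Version="2.0" IssueInstant="2022-06-08T00:00:00Z">'
    b'<samlp:Status><samlp:StatusCode '
    b'Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>'
    b'</samlp:Response>').decode()

if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE))
```

A result with has_encrypted_assertion set to True points at Option 2, while a Responder code with no nested code and no message matches the log line quoted under Issue.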

Note: While we make every effort to keep references to third-party content accurate, the information provided might change without notice. 
