KNOWLEDGE BASE

Error: "The sign-in was unsuccessful" and "Response has invalid status code" When Attempting to Login to Tableau Online using ADFS SAML


Published: 06 Oct 2017
Last Modified Date: 04 Dec 2018

Issue

When attempting to login to Tableau Online using SAML with AD FS, the following error occurs: 

The sign-in was unsuccessful. Try again. 

The below error also displays in the tableau_authentication log (found under Step 7 when configuring SAML on Tableau Online). 

Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null 

Environment

  • Tableau Online
  • SAML
  • AD FS as IdP

Resolution

Try the below options, in the following order, to resolve the issue:

Option 1
  1. Remove any unsupported binding types (HTTP-Redirect, HTTP-SOAP, etc) from the IdP metadata.
  2. Re-import the metadata.xml to Tableau Online. (See SAML Requirements for Tableau Online for supporting information)

Option 2
  1. Turn off AD FS assertion encryption for the relying party. Note that Tableau Online does not currently support assertion encryption.
  2. On the AD FS server, use Windows PowerShell to run the following command, replacing <MyRelyingPartyName> in the example command below to the name of the ADFS relying party display name:
Set-ADFSRelyingPartyTrust -TargetName <MyRelyingPartyName> -EncryptClaims 0
  • Note: If you receive the error "Set-ADFSRelyingPartyTrust Cmdlet cannot be found", you must add the AD FS PowerShell snap-in. At the command prompt type the below, and repeat this step. 
Add-PSSnapin Microsoft.Adfs.PowerShell

Option 3 
  1. The following error occurs in the AD FS logs: "ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier'"
  2. Follow steps 1-3 on Configure SAML with AD FS to correct a mismatch in certificates on the IdP and Tableau Online. 

Option 4
Contact your IdP provider for assistance with investigation as to why the SAML response is throwing a Responder status instead of Success, as they are the best resource for determining what about the exchange they are not configured to accept.

Cause

The IdP is not properly configured to send a valid authentication response to Tableau Online. 

Additional Information

Please refer to this Microsoft article for additional information.

Note: While we make every effort to keep references to third-party content accurate, the information provided might change without notice. 

Did this article resolve the issue?