Failed To Sign Assertion When Attempting Sap Hana Saml

Published: 10 Jan 2019
Last Modified Date: 08 Jul 2022


The user is prompted for credential upon trying to use a data source published even though SAML/SSO is configured for SAP HANA data source.
Certificate and key are set in the proper format.
'vizqlserver_node#-#.log' file shows the following lines:

2018-12-27 17:46:10.294 +0000 (SiteName,Username,-,HTTPDid) catalina-exec-21 : INFO  wgsessionId=SomeWgSessionId com.tableausoftware.model.workgroup.util.SAMLUtils - Failed to sign assertion
2018-12-27 17:46:10.294 +0000 (SiteName,Username,-,HTTPDid) catalina-exec-21 : INFO  wgsessionId=SomeWgSessionId  com.tableausoftware.domain.keychain.SAMLImpersonationCredentialHelper - Failed to generate signed saml assertion

Even if the VizQLServer logs are set to debug mode, no SAML assertion will be shown.


  • Tableau Server


In some high-security settings, permissions on the certificate and key file must be set to allow full access by all users.  These permissions need to be set before running the command:
tsm data-access set-saml-delegation configure --cert-key "c:\Program Files\Tableau\Tableau Server\SAML\saml_key.der" --cert-file "c:\Program Files\Tableau\Tableau Server\SAML\saml_cert.crt"

After the above command is run, the permissions can be set back to whatever is desired, or the cert and key can be completely removed from the system.  When running the above command, Tableau Server copies these files to a different location in the \data\ directory, and distributes them to all nodes in the cluster.  The original key/cert files are no longer needed.


Tableau Server fails copying the content of these files, but it erroneously treats it as successfully done.   

Additional Information

The location that the certificate and key files are copied to is specified in the following parameter:
tsm configuration get -k wgserver.sap_hana_sso.saml.keys.dir

Which will default to: C:/ProgramData/Tableau/Tableau Server/data/tabsvc/config/tabadmincontroller_0.<version>/files
On Windows, and on Linux: /var/opt/tableau/tableau_server/data/tabsvc/config/tabadmincontroller_0.<version>/files

The certificate and key file names are specified in:
tsm configuration get -k
tsm configuration get -k

Which default to hana_cert.pem and hana_pkey_pkcs8.der.


Did this article resolve the issue?