KNOWLEDGE BASE

Intermittent Error "Unable to Sign In" with SAML SSO on Tableau Server


Published: 17 Nov 2016
Last Modified Date: 08 Jun 2022

Issue

When Tableau Server has been configured for SAML authentication, users intermittently receive the following error:

Unable to Sign In
Invalid username or password
Try Again

In additional, the following message appears in the Tableau server VizPortal logs:

Authentication statement is too old to be used with value

Environment

  • Tableau Server
  • SAML authentication

Resolution

To temporarily resolve the error, sign out of the IdP and sign back in.

To prevent the error from occurring, configure Tableau Server and the IdP/AD (Identity Provider and/or Active Directory) to all have the same maximum authentication age. Tableau Server's maximum authentication age setting is wgserver.saml.maxauthenticationage and takes time in units of seconds. 

The following steps will require a Tableau Server restart.

Steps for Tableau Server for Linux or Tableau Server for Windows 2018.2 or later:
  1. Open a Linux command shell or a Windows cmd with Run As Administrator:
  2. tsm authentication saml configure -a <maximum authentication age in seconds>
  3. tsm pending-changes apply

Steps for Tableau Server for Windows 2018.1 or earlier:
  1. Open a cmd prompt with Run As Administrator.
  2. Change directory to the Tableau Server bin directory. The default location is C:\Program Files\Tableau\Tableau Server\<version>\bin.
  3. tabadmin set wgserver.saml.maxauthenticationage <maximum authentication age in seconds>
  4. tabadmin config
  5. tabadmin restart

Cause

If the IdP or AD has the setting for the maximum age of tokens set to a greater length of time than the maximum age setting on Tableau Server, whenever a token is older than Tableau Server's allowed age, the "unable to sign in, invalid username or password" error will occur because the IdP sees the token as valid while Tableau Server does not recognize the token as valid.
Did this article resolve the issue?