Intermittent Error "Unable to Sign In" with SAML SSO on Tableau Server

Published: 17 Nov 2016
Last Modified Date: 11 Sep 2018


When Tableau Server has been configured for SAML authentication, users intermittently receive the following error:

Unable to Sign In
Invalid username or password
Try Again

The VizPortal logs, when set to log at the debug level*, indicate the following:

...DEBUG - Validation of received assertion failed, assertion will be skipped Authentication statement is too old to be used.

*The Tableau Server VizPortal logs must be set to debug level before the error is encountered in order to log the error message shown above. For more information about logging levels, refer to Change Logging Levels


    • Tableau Server
    • SAML authentication


    To temporarily resolve the error, sign out of the IdP and sign back in.

    To prevent the error from occurring, configure Tableau Server and the IdP/AD (Identity Provider and/or Active Directory) to all have the same maximum authentication age. Tableau Server's maximum authentication age setting is wgserver.saml.maxauthenticationage and takes time in units of seconds. The highest possible setting for Tableau Server's maximum authentication age is 2073600 seconds (i.e. 24 days).

    UPDATE:  More recent versions of Tableau Server allow wgserver.saml.maxauthenticationage to be set to a maximum setting of 90 days, or 7776000 seconds.


    If the IdP or AD has the setting for the maximum age of tokens set to a greater length of time than the maximum age setting on Tableau Server, whenever a token is older than Tableau Server's allowed age, the "unable to sign in, invalid username or password" error will occur because the IdP sees the token as valid while Tableau Server does not recognize the token as valid.

    Additional Information

    In many ADs and IdPs the the token maximum age default is 90 days. To prevent the above error, this setting will need to be changed to 24 days or fewer. Refer to the documentation for your AD or IdP for information on changing this setting.  
    Did this article resolve the issue?