KNOWLEDGE BASE

Intermittent Error "Unable to Sign In" with SAML SSO on Tableau Server


Published: 17 Nov 2016
Last Modified Date: 21 Feb 2023

Issue

When Tableau Server has been configured for SAML authentication, users intermittently receive the following error:

Unable to Sign In
Invalid username or password
Try Again

In addition, the following message appears in the Tableau Server VizPortal logs:

Authentication statement is too old to be used with value

Environment

  • Tableau Server
  • SAML authentication

Resolution

To temporarily resolve the error, sign out of the IdP and sign back in.

To prevent the error from occurring, configure Tableau Server and the IdP/AD (Identity Provider and/or Active Directory) so that they all have the same maximum authentication age. Tableau Server's maximum authentication age setting is wgserver.saml.maxauthenticationage, and its value is given in seconds. For versions released past February 2022 (2020.4.15+, 2021.1.12+, 2021.2.9+, 2021.3.8+, 2021.4.4+, 2022+), it is recommended to set maxauthenticationage to "-1" to disable the check.

The following steps will require a Tableau Server restart.

Steps for Tableau Server for Linux or Tableau Server for Windows 2018.2 or later:
  1. Open a Linux command shell or a Windows cmd with Run As Administrator.
  2. tsm authentication saml configure -a <maximum authentication age in seconds>
  3. tsm pending-changes apply

Steps for Tableau Server for Windows 2018.1 or earlier:
  1. Open a cmd prompt with Run As Administrator.
  2. Change directory to the Tableau Server bin directory. The default location is C:\Program Files\Tableau\Tableau Server\<version>\bin.
  3. tabadmin set wgserver.saml.maxauthenticationage <maximum authentication age in seconds>
  4. tabadmin config
  5. tabadmin restart

Cause

If the maximum age of IdP login tokens configured on the IdP or AD is longer than the maximum age setting on Tableau Server, then whenever a token is older than Tableau Server's allowed age, the "unable to sign in, invalid username or password" error occurs, because the IdP treats the token as valid while Tableau Server does not.

The timestamp of the creation of the IdP login token is passed in the SAML Response in the <AuthInstant> clause.

Additional Information

The "Authentication statement is too old to be used with value" message will include the timestamp of the AuthInstant being used for comparison. This can be compared against the timestamp of when the message is logged to find the difference. The value of wgserver.saml.maxauthenticationage must be at least as long as that difference.
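The comparison described above can be scripted; the following is an added example, not code from this article or from Tableau. It assumes each log line starts with a `YYYY-MM-DD HH:MM:SS.mmm +ZZZZ` timestamp and that the AuthInstant value follows the message as a UTC ISO 8601 timestamp; the sample lines, the logger name and the function names are constructed for illustration.

```python
import math
import re
from datetime import datetime, timezone

MESSAGE = "Authentication statement is too old to be used with value"

# Constructed sample lines. The layout (leading log timestamp with UTC offset,
# ISO 8601 value after the message) is an assumption; adjust LINE_RE to your logs.
SAMPLE_LOG = """\
2023-02-20 09:15:42.118 +0000 (-,-,-,-) catalina-exec-7 : ERROR org.example.saml.Consumer - Authentication statement is too old to be used with value 2023-02-20T06:10:12.000Z
2023-02-20 09:16:03.501 +0000 (-,-,-,-) catalina-exec-2 : INFO  org.example.saml.Consumer - SAML sign-in succeeded
2023-02-20 14:40:10.250 -0800 (-,-,-,-) catalina-exec-4 : ERROR org.example.saml.Consumer - Authentication statement is too old to be used with value 2023-02-20T19:05:00Z
"""

LINE_RE = re.compile(
    r"^(?P<logged>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}).*?"
    + re.escape(MESSAGE)
    + r"\s+(?P<instant>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?Z)"
)

def parse_instant(text):
    """Parse a UTC timestamp such as 2023-02-20T06:10:12.000Z."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def statement_ages(log_text):
    """Return (logged_at, auth_instant, age_seconds) for every rejection line."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        # %z makes the log timestamp timezone-aware, so the subtraction below
        # is correct even when the server logs in a non-UTC offset.
        logged = datetime.strptime(m["logged"], "%Y-%m-%d %H:%M:%S.%f %z")
        instant = parse_instant(m["instant"])
        results.append((logged, instant, (logged - instant).total_seconds()))
    return results

def minimum_max_authentication_age(log_text):
    """Smallest whole-second value at least as long as every observed difference."""
    ages = [age for _, _, age in statement_ages(log_text)]
    return math.ceil(max(ages)) if ages else None

if __name__ == "__main__":
    for logged, instant, age in statement_ages(SAMPLE_LOG):
        print(f"logged {logged.isoformat()}  instant {instant.isoformat()}  age {age:.0f}s")
    print("minimum wgserver.saml.maxauthenticationage:",
          minimum_max_authentication_age(SAMPLE_LOG))
```

The result is only a lower bound drawn from the rejections present in the log; the value to configure is still the maximum token age set on the IdP/AD.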

The maxauthage setting in seconds for Tableau Server 2018.2 and newer versions is 2100000000 or about 66 years.

From the February maintenance release of Tableau Server 2020.4.15 and higher, the value is -1 by default. Prior to the February maintenance release, the setting was 7200 (2 hours).

For more information, see:

 


 