Intermittent "Invalid username or password" Error Logging Into Multi-Node Tableau Server Using SAML

Published: 27 Feb 2018
Last Modified Date: 11 Oct 2019


After a change to the IdP or to the Tableau Server that requires new IdP metadata to be imported, you may get an intermittent "Invalid username or password" error when logging into Tableau Server using SAML.

Investigating the VizPortal logs will show that SAML responses from the IdP that are handled by the Primary node succeed, but responses that are handled by the Worker nodes all fail. You will see errors similar to the following:

  • Signature verification failed.
  • Validation of received assertion failed, assertion will be skipped
    org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid

Note: Error messages will vary depending on which part of the metadata has a mismatch.


  • Tableau Server 
  • SAML


Copy the new metadata from the IdP to all Worker nodes that host a VizPortal process. 
The IdP metadata must be in the same absolute path on the Workers that it is on the Primary. 
For example, if the metadata .XML file on the Primary is stored at C:\Program Files\Tableau\Tableau Server\SAML\, then the IdP metadata file on the Worker nodes must be at C:\Program Files\Tableau\Tableau Server\SAML\. This path is literal; it is not resolved relative to the Worker software install path.
If changes were made to the SAML key/cert combination, they also must be transferred to all Workers that host a VizPortal process, in the exact same literal path as the Primary node.
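
One way to confirm that every node holds the same files at the same literal path is sketched below. This is an added example, not part of the original article or any Tableau tooling. It assumes PowerShell remoting is enabled between the nodes; the node names and the metadata file name are hypothetical placeholders.

```powershell
# Added example: compare SAML files across Tableau Server nodes by SHA-256.
# Node names and the file name below are placeholders (assumptions), not values from the article.
$Nodes = @('tableau-primary', 'tableau-worker1', 'tableau-worker2')   # nodes hosting a VizPortal process
$Files = @(
    'C:\Program Files\Tableau\Tableau Server\SAML\idp-metadata.xml'   # hypothetical metadata file name
    # Add the SAML certificate and key paths here if they were changed as well.
)

# Hash each file on each node at the exact same absolute path.
$results = foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -ArgumentList (,$Files) -ScriptBlock {
        param([string[]]$Paths)
        foreach ($p in $Paths) {
            if (Test-Path -LiteralPath $p -PathType Leaf) {
                $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            } else {
                $hash = 'MISSING'   # file absent at the literal path on this node
            }
            [pscustomobject]@{ Node = $env:COMPUTERNAME; Path = $p; SHA256 = $hash }
        }
    }
}

# A file is consistent only if every node reports the same hash and none is missing.
$mismatch = $false
foreach ($group in ($results | Group-Object Path)) {
    $distinct = @($group.Group | Select-Object -ExpandProperty SHA256 -Unique)
    if ($distinct.Count -gt 1 -or $distinct -contains 'MISSING') {
        $mismatch = $true
        Write-Warning "Mismatch for $($group.Name)"
        foreach ($row in $group.Group) {
            Write-Warning "  $($row.Node): $($row.SHA256)"
        }
    } else {
        Write-Output "OK: $($group.Name) is identical on all $($group.Count) nodes"
    }
}
if ($mismatch) { exit 1 }
```

A node that reports MISSING or a different hash is one whose VizPortal process is still validating assertions against old metadata.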


VizPortal uses the IdP metadata file to verify the signature on the incoming assertion. The changes to the metadata have changed the signature information, so a VizPortal process that is still using the old metadata will treat the signature as invalid.

Additional Information

The error that occurs may differ if the signature information in the new metadata is the same but some other information is different.

