Logging into Tableau Server 2021.2 Fails Due to Message Signatures


Published: 17 Feb 2021
Last Modified Date: 26 Mar 2021

Issue

After upgrading to Tableau Server 2021.2 or later on a server that uses SAML for user authentication, users cannot log in, and the following error is visible in the VizPortal logs:

org.springframework.security.authentication.AuthenticationServiceException: Digest algorithm SHA-1 is blocklisted


Environment

Tableau Server 2021.2 and newer versions

Resolution

Before you begin, identify whether or not your Tableau Server installation is affected.

From the computer running Tableau Server, run the following command:
tsm configuration get -k "wgserver.saml.blocklisted_digest_algorithms"

If Tableau Server returns "sha1", the SHA-1 blocklist is active and this article applies to your issue.

Ideally, use Option 1 and upgrade your IdP configuration to use SHA-256 to sign all outgoing assertions. If your IdP only supports SHA-1, use Option 2.

Option 1: Upgrade your IdP configuration to use SHA-256 or stronger to sign outgoing assertions.

Go to your IdP account and update the signing algorithm it uses to sign its messages. This is an IdP-specific operation, so refer to your IdP's documentation for instructions.

Option 2 (Workaround): If you have already upgraded, are unable to log in to Tableau Server, and cannot update your IdP

  1. Disable the new default blocklist by using the following command:
     tsm configuration set -k "wgserver.saml.blocklisted_digest_algorithms" -v ""
  2. Apply the change:
     tsm pending-changes apply

As soon as possible

Once you are able to update your IdP to use a more secure signing algorithm, re-enable the blocklist with the following command:
tsm configuration set -k "wgserver.saml.blocklisted_digest_algorithms" -v "sha1"
and then run
tsm pending-changes apply


Cause

By default, Tableau Server 2021.2 blocks incoming SAML assertions that are signed with SHA-1.

Additional Information

You may also experience issues with SAML configuration because of security attributes validated in certificates uploaded to Tableau. See the article "Tableau Server Using SAML Authentication Fails to Start or Rejects Login After Upgrade to Tableau Server 2021.2".

By default, Tableau Server versions 2021.2 and later reject certificate uploads that use the SHA-1 signature hash or a key strength less than RSA 2048 or ECDSA 256 when configuring Tableau Server for SAML authentication (both site-specific and server-wide). Tableau Server will also, by default, reject SAML assertions signed with the SHA-1 algorithm. Note that SHA-1 and key-size validation occurs in multiple places on both the Tableau and IdP side, so there are multiple places and points in time where validation is required. For example:
    • Certs signed with SHA-1 uploaded via TSM (GUI) that Tableau Server uses to sign the request sent to the IdP.
    • Certs in the IdP metadata used to verify the AuthnResponse (signature) received from the IdP using the public key in the cert.
    • Incoming assertions signed and hashed with SHA-1 (DigestMethod set to SHA-1 and SignatureMethod set to SHA-1).
    • Incoming assertions with certs signed with SHA-1.
    • Outgoing assertions hashed and signed with SHA-1 (DigestMethod set to SHA-1, SignatureMethod set to SHA-1).
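The two bullets about DigestMethod and SignatureMethod can be checked directly against a captured SAML response, which tells you before touching the blocklist whether the IdP still signs with SHA-1 and where (Response-level or Assertion-level signature). The following script is an added example and is not Tableau's code or part of its product; it uses only the Python standard library, the sample responses in it are constructed, and the rule "any SHA-1 SignatureMethod or DigestMethod is rejected while the blocklist value is sha1" is this example's reading of the behaviour described above. It does not inspect the signing certificate's own hash or key size, which needs an X.509 parser.

```python
"""Scan a SAML Response for SignatureMethod/DigestMethod algorithms that a
SHA-1 blocklist would reject. Added example, standard library only."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# XML Signature algorithm URIs that are built on SHA-1.
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",            # DigestMethod
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",        # SignatureMethod
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
}


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}Assertion' -> 'Assertion')."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def find_sha1_algorithms(saml_xml: str) -> list:
    """Return (owner, method, algorithm) for every SHA-1 SignatureMethod or
    DigestMethod in the document. 'owner' is the element that carries the
    ds:Signature (Response or Assertion), so both signature positions are covered."""
    root = ET.fromstring(saml_xml)
    findings = []
    for parent in root.iter():
        for sig in parent.findall(f"{{{DS}}}Signature"):
            for method in ("SignatureMethod", "DigestMethod"):
                for el in sig.iter(f"{{{DS}}}{method}"):
                    alg = el.get("Algorithm", "")
                    if alg in SHA1_ALGORITHMS:
                        findings.append((_local(parent.tag), method, alg))
    return findings


def would_be_blocked(saml_xml: str, blocklist: str = "sha1") -> bool:
    """Model the wgserver.saml.blocklisted_digest_algorithms setting: with the
    default value "sha1" any SHA-1 signature or digest is rejected; an empty
    value (Option 2 in the article) disables the check. Assumed semantics."""
    if blocklist.strip().lower() != "sha1":
        return False
    return bool(find_sha1_algorithms(saml_xml))


# Constructed sample: assertion signed with RSA-SHA1 and a SHA-1 digest.
SAMPLE_SHA1_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>constructed</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>constructed</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: response-level signature using RSA-SHA256 and SHA-256.
SAMPLE_SHA256_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_r2">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>constructed</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_a2" Version="2.0"/>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in (("sha1", SAMPLE_SHA1_RESPONSE), ("sha256", SAMPLE_SHA256_RESPONSE)):
        print(name, find_sha1_algorithms(doc), "blocked:", would_be_blocked(doc))
```

Run it against a SAML response captured from the browser (the base64-decoded SAMLResponse form field) to see which signature still uses SHA-1; an empty result with the blocklist at its default "sha1" means the IdP side of Option 1 is complete and the blocklist can stay on.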

Note: The tsm SAML configuration key wgserver.saml.sha256 is still a valid configuration key that ensures all outgoing requests sent by Tableau Server are signed using SHA-256. This key can be used alongside the blocklist keys to support a configuration where your IdP requires SHA-256-signed requests but issues assertions signed with SHA-1, or where Tableau Server is configured with certificates that were signed using SHA-1. The default value for this key is now true, so all outgoing SAML messages are signed with SHA-256 by default.