Issue
When signing in to Tableau Server using SAML, after authenticating with the Identity Provider (IdP), Tableau Server displays an error page that says "Unable to Sign In" followed by "Invalid username or password" underneath.
Additionally, the AuthnResponse from the Identity Provider contains the following:
<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Responder\"><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:RequestDenied\"/></samlp:StatusCode><samlp:StatusMessage>You are NOT authorized to access this Application.</samlp:StatusMessage><samlp:StatusDetail><Cause>org.sourceid.saml20.domain.AuthorizationException: You are NOT authorized to access this Application.</Cause></samlp:StatusDetail></samlp:Status>
The AuthnResponse can be captured in:
- Network captures like Fiddler
- SAML trace utilities like Chrome SAML Tracer
- For Server-wide SAML, Tableau Server vizportal logs when vizportal.log.level is set to debug
- For Site-specific SAML, Tableau Server samlservice logs
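To pull the status out of a response captured from any of these sources, the following added example (not Tableau's code, not part of the original article) extracts the nested status codes, the message and the detail text, accepting the escaped-quote form shown above. The function name `parse_saml_status` is hypothetical, and the example assumes any content inside `StatusDetail` uses no namespace prefix of its own, as in the excerpt.

```python
import re
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_URN = "urn:oasis:names:tc:SAML:2.0:status:"

# The Status excerpt from this page, with the escaped quotes (\") it shows.
SAMPLE = (
    r'<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Responder\">'
    r'<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:RequestDenied\"/>'
    r'</samlp:StatusCode><samlp:StatusMessage>You are NOT authorized to access this '
    r'Application.</samlp:StatusMessage><samlp:StatusDetail><Cause>'
    r'org.sourceid.saml20.domain.AuthorizationException: You are NOT authorized to access '
    r'this Application.</Cause></samlp:StatusDetail></samlp:Status>'
)

def parse_saml_status(captured):
    """Return status codes (outermost first), message and detail of a SAML response.

    Hypothetical helper: `captured` may be a whole log line or trace export.
    """
    # Undo the quote escaping seen in the excerpt before parsing.
    text = captured.replace('\\"', '"')
    # Captured responses are untrusted input: refuse DTD and entity declarations.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD or entity declaration in captured response")
    # Match the Status element whatever protocol prefix the IdP used (samlp, saml2p, ...).
    match = re.search(r"<(\w+):Status\b.*?</\1:Status>", text, re.DOTALL)
    if match is None:
        raise ValueError("no Status element found")
    # An excerpt carries no xmlns declaration, so bind the prefix in a wrapper element.
    wrapped = '<r xmlns:%s="%s">%s</r>' % (match.group(1), SAMLP_NS, match.group(0))
    status = ET.fromstring(wrapped)[0]
    # iter() walks in document order: top-level code first, nested sub-code after it.
    codes = [c.get("Value", "").replace(STATUS_URN, "")
             for c in status.iter("{%s}StatusCode" % SAMLP_NS)]
    detail = status.find("{%s}StatusDetail" % SAMLP_NS)
    return {
        "codes": codes,
        "message": status.findtext("{%s}StatusMessage" % SAMLP_NS),
        "detail": " ".join("".join(detail.itertext()).split()) if detail is not None else None,
        "success": codes[:1] == ["Success"],
    }

if __name__ == "__main__":
    print(parse_saml_status(SAMPLE))
```

For the excerpt above, the result shows that the IdP itself refused the request (`Responder` / `RequestDenied`), so the response reached Tableau Server without a successful authentication.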