
SAML Authentication Fails in Multiple Domain Environment


Published: 13 Oct 2016
Last Modified Date: 04 Nov 2019

Issue

Login errors occur when users who are members of a non-default domain attempt to log into Tableau Server using SAML, even though those users have valid Tableau Server accounts.

Environment

  • Tableau Server
  • SAML
  • Multiple trusted AD domains

Resolution

Configure the IdP so that the 'username' attribute in the SAML assertion includes the domain, in either the "domain\username" or the "username@domain.com" format. "Domain\username" is the recommended format.

Cause

The IdP was passing only the username, not the domain. Tableau Server then automatically prepends the default domain when processing the SAML assertion, so a user from a non-default domain is resolved to a fully qualified username that does not match any Tableau Server account.
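The following script, an added example that is not Tableau's code, models the resolution step described above: it pulls the 'username' attribute out of a SAML assertion, splits it into domain and user the way the debug log below shows (a bare user name falls back to the default domain), and checks the result against a directory. The default domain name, the trusted domains, the UPN-suffix mapping, the directory contents and the sample assertions are all constructed for the example, so an administrator can see why a bare user name from a non-default domain fails and confirm that the "domain\username" and "username@domain.com" forms resolve correctly before changing the IdP.

```python
"""Model how a SAML 'username' attribute is resolved to DOMAIN\\user.

Added example; this is not Tableau's code. It reproduces the behaviour the
debug log in this article describes (an attribute with no domain gets the
server's default domain) so an administrator can test an assertion's
'username' value before changing the IdP. Domain names, the user directory
and the sample assertions are all constructed."""
from typing import Dict, Optional, Set, Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DEFAULT_DOMAIN = "CORP"  # constructed: the server's default AD domain

# constructed: UPN suffix -> NetBIOS domain, used for the user@domain.com form
UPN_SUFFIX_TO_DOMAIN = {"corp.example.com": "CORP", "emea.example.com": "EMEA"}

# constructed directory: 'jdoe' exists only in the non-default EMEA domain
DIRECTORY: Dict[str, Set[str]] = {"CORP": {"asmith"}, "EMEA": {"jdoe"}}


def extract_username(assertion_xml: str, attribute_name: str = "username") -> Optional[str]:
    """Return the text of the named SAML <Attribute> in the AttributeStatement, or None."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == attribute_name:
            value = attr.find(f"{{{SAML_NS}}}AttributeValue")
            if value is not None and value.text:
                return value.text.strip()
    return None


def resolve_identity(username: str, default_domain: str = DEFAULT_DOMAIN) -> Tuple[str, str, bool]:
    """Split a username into (domain, user, domain_was_explicit).

    DOMAIN\\user and user@suffix carry the domain; a bare user name falls
    back to the default domain, which is the step the log shows going wrong.
    """
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return domain.upper(), user, True
    if "@" in username:
        user, _, suffix = username.partition("@")
        # assumption: the UPN suffix maps to a NetBIOS domain via the table above
        domain = UPN_SUFFIX_TO_DOMAIN.get(suffix.lower(), suffix.upper())
        return domain, user, True
    return default_domain.upper(), username, False


def check_assertion(assertion_xml: str, directory: Dict[str, Set[str]] = DIRECTORY) -> dict:
    """Report how the assertion's username will resolve and whether that account exists."""
    username = extract_username(assertion_xml)
    if username is None:
        return {"ok": False, "reason": "assertion carries no 'username' attribute"}
    domain, user, explicit = resolve_identity(username)
    fq_name = f"{domain}\\{user}"
    ok = user in directory.get(domain, set())
    report = {"username_attribute": username, "resolved": fq_name,
              "domain_explicit": explicit, "ok": ok}
    if not ok:
        report["reason"] = f"no account {fq_name}" + (
            "" if explicit else f" (default domain {DEFAULT_DOMAIN} assumed: attribute had no domain)")
    return report


def sample_assertion(username_value: str) -> str:
    """Build a minimal constructed assertion carrying one 'username' attribute."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>'
            f'<saml:Attribute Name="username"><saml:AttributeValue>{username_value}'
            '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>')


if __name__ == "__main__":
    # bare name: resolves to CORP\jdoe, which does not exist (the failure in this article)
    print(check_assertion(sample_assertion("jdoe")))
    # recommended fix: the IdP sends DOMAIN\user, and the account is found
    print(check_assertion(sample_assertion("EMEA\\jdoe")))
    # alternative fix: the UPN form, mapped through the constructed suffix table
    print(check_assertion(sample_assertion("jdoe@emea.example.com")))
```

The `domain_explicit` flag in the report is the quick check an administrator wants: if it is false for a user who belongs to a non-default domain, the IdP is still sending a bare user name and the fix in the Resolution section has not taken effect.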


Additional Information

VizPortal debug-level logs will resemble the lines shown below.


Date/Time  -AuthNResponse (...) <AttributeStatement><Attribute Name="username"><AttributeValue>[USERNAME]</AttributeValue></Attribute>

(...)

Date/Time  -SAMLResponse attributes: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[USERNAME], username=[USERNAME]}
Date/Time  -Considering domain null extracted from   in saml response for username [USERNAME]
Date/Time  -Using domain [DefaultDomain] extracted from username in saml response for username [USERNAME]
Date/Time  -Using fully qualified username [DefaultDomain]\[USERNAME] from saml response
Date/Time  -SAML IDP login was successful, proceeding to create session for username : [DefaultDomain]\[USERNAME] authUserId : Optional.absent() displayName : Optional.absent() email : Optional.absent() logoutSupported : true on provided target site null

(...)

Date/Time  -Attempting SSO login for username [DefaultDomain]\[USERNAME] domain null. No specific site provided.

(...)

Date/Time  - ERROR com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.
com.tableausoftware.domain.exceptions.LoginFailedException: Failed to find the system user {UserIdentity[idProvider=, domain=[DefaultDomain], userName=[USERNAME]} (errorCode=5)


