KNOWLEDGE BASE

SAML Login Failed With Error "Invalid username or password" And SAML Error "Relying Party Registration not found" Displays In The Vizportal Logs


Published: 21 May 2021
Last Modified Date: 21 May 2021

Issue

SAML authentication fails with the error message "Invalid username or password", and the SAML error "Relying Party Registration not found" appears in vizportal-<n>.log.

Example of errors:

  • In Web Browser:

Unable to Sign In
Invalid username or password

 

  • In vizportal-<n>.log:

// ziplogs\node1\vizportal_0.20204.21.0217.12032796448277247282360\logs\vizportal_node1-0.log.2021-04-06
2021-04-06 17:30:41.689 +0900 (-,-,-,YGwcMcSejrfeFts3UbUqBQAAAAU,62006ec2-59b4-4f06-8e36-2d696be10884) catalina-exec-5 auth_saml: INFO  com.tableausoftware.samlauthentication.handlers.SAMLAuthenticationFailureHandler - SAML Authentication Failed, the SAML Response from the IdP was not valid: [relying_party_registration_not_found] Relying Party Registration not found Relying Party Registration not found.
2021-04-06 17:30:41.689 +0900 (-,-,-,YGwcMcSejrfeFts3UbUqBQAAAAU,62006ec2-59b4-4f06-8e36-2d696be10884) catalina-exec-5 auth_saml: INFO  com.tableausoftware.samlauthentication.handlers.SAMLAuthenticationFailureHandler - SAML login failed, redirecting user to /#/error/signin/16?redirectPath=/wg/saml/logout/index.html

 

Environment

  • Tableau Server
  • SAML

Resolution

Verify that the IdP's entityID value in the metadata file matches the value output in the vizportal log.
If they don't match, correct the metadata file, re-upload the settings file, and restart Tableau Server as described in the Online Help below.

1. IdP entityID in the IdP’s metadata imported to Tableau Server. See "Return to the TSM web UI. For Step 4 in the GUI, enter the path to the IdP metadata file, and then click Select File" for more information. 
Example of IdP's metadata:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="<IdP's entityID>" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

2. IdP entityID (SAML Issuer) that the IdP actually returned in the SAML response
Note that the SAML response appears only in the debug-level vizportal-<n>.log.
Example of debug-level vizportal-<n>.log:
2021-05-17 08:42:52.306 +0900 (-,-,-,YKGt-N5GvHne@nSFd230EwAAABI,e1fc5233-17e3-4c48-bf11-9080c4b15031) catalina-exec-4 auth_saml: DEBUG com.tableausoftware.samlauthentication.filters.SAMLAuthenticationProcessingFilter - Processing the SAML Authentication attempt.
2021-05-17 08:42:52.307 +0900 (-,-,-,YKGt-N5GvHne@nSFd230EwAAABI,e1fc5233-17e3-4c48-bf11-9080c4b15031) catalina-exec-4 auth_saml: DEBUG com.tableausoftware.samlauthentication.services.SAMLMessageLogger - <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2e7228b43916e3a98d52152d64179587c1cda4dd1" InResponseTo="ARQ53ed66d-b501-4ccb-8dbc-cea3cd99b1c3" Version="2.0" IssueInstant="2021-05-16T23:42:52Z" Destination="<Tableau Server URL>/wg/saml/SSO/index.html"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><IdP's entityID></saml:Issuer><samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
...
2021-05-17 08:42:52.398 +0900 (-,-,-,YKGt-N5GvHne@nSFd230EwAAABI,e1fc5233-17e3-4c48-bf11-9080c4b15031) catalina-exec-4 auth_saml: DEBUG com.tableausoftware.samlauthentication.filters.SAMLIdPMessageProcessor - Calculated relying party as <IdP's entityID>
2021-05-17 08:42:52.399 +0900 (-,-,-,YKGt-N5GvHne@nSFd230EwAAABI,e1fc5233-17e3-4c48-bf11-9080c4b15031) catalina-exec-4 auth_saml: DEBUG com.tableausoftware.samlauthentication.filters.SAMLAuthenticationProcessingFilter - Authentication request failed: Saml2AuthenticationException{error=[relying_party_registration_not_found] Relying Party Registration not found}
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException: Relying Party Registration not found
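The comparison between items 1 and 2 can be scripted. The following is an added example, not Tableau's own tooling: it reads the entityID from the IdP metadata, collects the Issuer and "Calculated relying party" values from debug-level vizportal log text, and reports whether they match. The function names, the idp.example.com values and the sample log lines are constructed, and the script assumes the lookup is an exact, case-sensitive string match.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed sample inputs (not taken from a real deployment).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://idp.example.com/saml/metadata" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""
SAMPLE_LOG = (
    '2021-05-17 08:42:52.307 +0900 (...) catalina-exec-4 auth_saml: DEBUG com.tableausoftware.samlauthentication.services.SAMLMessageLogger - <samlp:Response Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/saml/metadata/</saml:Issuer>\n'
    '2021-05-17 08:42:52.398 +0900 (...) catalina-exec-4 auth_saml: DEBUG com.tableausoftware.samlauthentication.filters.SAMLIdPMessageProcessor - Calculated relying party as https://idp.example.com/saml/metadata/\n'
)

ISSUER_RE = re.compile(r"<(?:\w+:)?Issuer\b[^>]*>([^<]+)</(?:\w+:)?Issuer>")
RP_RE = re.compile(r"Calculated relying party as (\S+)")

def metadata_entity_ids(xml_text):
    """Return the entityID of every EntityDescriptor in the IdP metadata."""
    root = ET.fromstring(xml_text)
    return [e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")]

def log_issuers(log_text):
    """Collect issuer values from auth_saml lines of a debug-level vizportal log."""
    found = set()
    for line in log_text.splitlines():
        if "auth_saml" in line:
            found.update(v.strip() for v in ISSUER_RE.findall(line))
            found.update(RP_RE.findall(line))
    return found

def diagnose(metadata_xml, log_text):
    """Map each logged issuer to a verdict against the imported metadata."""
    known = metadata_entity_ids(metadata_xml)
    folded = {k.rstrip("/").lower() for k in known}
    report = {}
    for issuer in sorted(log_issuers(log_text)):
        if issuer in known:
            report[issuer] = "match"
        elif issuer.rstrip("/").lower() in folded:
            # Looks the same to a human, but is a different string.
            report[issuer] = "near-miss (case or trailing slash)"
        else:
            report[issuer] = "mismatch"
    return report

if __name__ == "__main__":
    for issuer, verdict in diagnose(SAMPLE_METADATA, SAMPLE_LOG).items():
        print(f"{verdict}: {issuer}")
```

The debug-level log records the full SAML response, so treat that log, and any ziplogs that include it, as sensitive until the log level is reset.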

Cause

  • The IdP entityID (SAML Issuer) in the SAML response does not match the entityID in the IdP's metadata that was imported into Tableau Server.
  • Because Tableau Server validates each SAML response it receives against its configured settings, this is an IdP metadata mismatch issue. For more information, see the SAML flow (Step 4 ~ Step 5) in SAML.

Additional Information

  • To log SAML-related details, vizportal.log.level needs to be set to the debug level:
    1. tsm configuration set -k vizportal.log.level -v debug
    2. tsm pending-changes apply
    3. Attempt SAML login
    4. Check the vizportal_node1-0.log
       • Windows: %PROGRAMDATA%\Tableau\Tableau Server\data\tabsvc\logs\vizportal\vizportal_node1-0.log
       • Linux: /var/opt/tableau/tableau_server/data/tabsvc/logs/vizportal/vizportal_node1-0.log

  • After troubleshooting, run the following commands to reset vizportal.log.level to its default:
    1. tsm configuration set -k vizportal.log.level -d
    2. tsm pending-changes apply