KNOWLEDGE BASE

SAML Login Fails with a Blank Screen and "Server Down (errorCode=100081)" can be Found In Logs


Published: 06 Apr 2018
Last Modified Date: 31 May 2018

Issue

When accessing Tableau Server with SAML authentication, SAML authentication fails with a blank screen and an error similar to the following can be seen in the Vizportal log:

<date & time> (,,,,) catalina-exec-4 : ERROR com.tableausoftware.domain.user.saml.SAMLExtendedProcessingFilter - SAML Authentication Failed, please contact the administrator.
com.tableausoftware.domain.ldap.LdapConnectException: Server Down (errorCode=100081)


 

Environment

  • Tableau Server
  • Active Directory Authentication
  • LDAP
  • SAML Authentication

Resolution

Work with your Idp (Identity Provider) team to ensure the username attribute is not being passed using the email address for the user.

Cause

Tableau Server does not allow logging in with email as the username for AD/LDAP users. This is not a valid way to sign in using Active Directory on windows or Linux server. 

Additional Information

Enable vizportal debug level logging and review the AuthNResponse from the IdP.

In this example the username attribute is in the incorrect format:
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">username@emaildomain.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

In this example the username is in the correct format:
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">username</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

In this example, the username and domain are passed is in the correct format:
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ad-domain/username</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

Or alternately:
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">username@ad-domain</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
Did this article resolve the issue?