SAML SSO for Tableau Server Fails when Server and Client Times are Off by More Than 5 Minutes

Published: 20 Jan 2016
Last Modified Date: 04 Nov 2019


After configuring SAML authentication for Tableau Server or Tableau Online, a login information window is repeatedly prompted for login information. Additionally, the following error might occur:  
Unable to Sign In; Invalid username or password.
Additionally, the Site SAML troubleshooting log file SAML logs contains the following error:
ERROR | correlationId=[ID], url=[/public/sp/SSO], status=[401], cause=[Error validating SAML message; caused by: Response issue time is either too old or with date in the future, skew 60


  • Tableau Online
  • Tableau Server 10 
  • Site SAML


Option 1

Verify that the time between the server(s) and client(s) are within 5 minutes, and that the default maxAuthenticationAge time is set correctly.

Option 2

If the times are in synchronization, add a time skew of 60 seconds on the IdP's relying party configuration.


By default, SAML authentication is set to reject any assertion older than 5 minutes. The default setting can be changed, however it is best to make sure that the client and server times synchronize properly. Most organizations employ an automatic time service or Network Time Protocol to synchronize all the computers in their domain but sometimes those services fail or are simply not in use.

Additional Information

To gather the site SAML log:
  1. Sign in to Tableau Server or Tableau Online as an administrator or site administrator.
  2. Select Settings.
  3. Select Authentication.
  4. Scroll to the bottom, under section 7) "Troubleshooting single sign-on (SS)" select Download log file.

Discuss this article... Feedback Forum
Did this article resolve the issue?