Tableau Server Using SAML Authentication Fails to Start or Rejects Login After Upgrade to Tableau Server 2021.2

Published: 15 Jun 2020
Last Modified Date: 30 Sep 2021


After upgrading to a version of Tableau Server 2021.2 or later that uses SAML for user authentication, Tableau Server fails to start because certificates do not meet security settings and one of the following errors will be visible in the VizPortal logs, depending on the key type used. 

Digest Algorithm: 
SAML certificate validation failed


The digest algorithm used by the current certificate is not allowed.

Certificate Key/Elliptic Curve Size: 
Key size is smaller than the min allowed key size


Elliptic Curve size does not meet the required min allowed curve size


Tableau Server 2021.2 and newer versions


Before you begin, identify whether or not your Tableau Server installation is affected

Check the certificates uploaded in order to configure SAML authentication. From the computer running Tableau Server, run the following commands:

tsm configuration get -k wgserver.saml.key.file 
tsm configuration get -k wgserver.saml.cert.file

to verify both the private and public key in the filesystem meet the minimum key/curve size, and that the Digest Algorithm is not SHA1. 

Alternatively you can download the service provider (SP) metadata file through the TSM GUI and the Tableau SP certificate content is pasted there. For instructions, see step 6a of Configure Server-Wide SAML.

You can check on the certificates provided by your identity provider (IdP) by downloading the IdP metadata xml file from TSM or by downloading them again directly from your IdP. 

Ideally, use Option 1 to upgrade all signing algorithms to SHA-256, including those for your IdP. See "Additional Information" for all potential areas where SHA-1 may be used as a part of SAML authentication. 
If your IdP only supports SHA-1, use option 2. 
Option 1: Upgrade SAML certificates and IdP certificates to use Strong Digest Algorithms and Key Attributes
Update the Tableau Server Certificate and Key Files
  1. Stop Tableau Server
  2. Update the certificate and key, ensuring they use SHA-256 and RSA 2048 or ECDSA 256 in all affected areas.
  3. Save the new certificate and key file, then change certificate and key file in the SAML tab of Configure Tableau Server.
  4. For more information on configuring SAML certificates and key files, see Configure Server-Wide SAML.
  5. Export the XML of Tableau metadata to exchange with your IdP.

Update your IdP Metadata
  1.  go to your IdP Account and update the certificate and/or signing algorithms as appropriate. This is an IdP specific operation, so refer to their documentation for steps on how to do this. Upload the Tableau metadata XML file if appropriate.
  2. Follow the instructions in the IdP’s website or documentation to download the IdP’s metadata. Save the .xml file to the same location that holds your SAML certificate and key files.
  3. Within TSM, upload the IdP metadata XML file.
  4. Input the TSM Password then click OK.
  5. Start Tableau Server.
  6. For site-specific SAML, update the IdP’s metadata xml file within the site.
NOTE: Starting on 2021.2, there is a tabcmd utility available to help inspect your IdP metadata if you have site saml set up for many sites. This can ease the burden of identifying which of your sites may have insecure IdP metadata. See tabcmd validateidpmetadata.
Option 2 (Workaround): If you have already upgraded and are unable to start Tableau Server
  1. Disable the new default Digest Algorithm blocklist by using the following command:
    tsm configuration set -k "wgserver.saml.blocklisted_digest_algorithms" -v ""
    tsm pending-changes apply
  2. Disable the new key validation settings by using the following command(s):
    tsm configuration set -k "wgserver.saml.min_allowed.rsa_key_size" -v "0"


    tsm configuration set -k "wgserver.saml.min_allowed.elliptic_curve_size" -v "0"

    depending on the key type you use, and then run
    tsm pending-changes apply
  3. Start Tableau Server.

Note: You can run Tableau Server as normal for as long as necessary in this format with these security settings disabled.

As soon as possible
  1. Upgrade SAML certificates and IdP certificates to use SHA-256 or stronger as outlined in Option 1 above.
  2. Restart Tableau Server.
  3. Re-enable the security settings with the following command:
tsm configuration set -k “wgserver.saml.blocklisted_digest_algorithms” -v “sha1”

tsm configuration set -k “wgserver.saml.min_allowed.rsa_key_size” -v “2048”


tsm configuration set -k “wgserver.saml.min.elliptic_curve_size” -v “256”

and then run tsm pending-changes apply


Tableau Server 2021.2 automatically blocks sha1 certs by default.
To verify whether or not your instance is blocking sha-1, you can run the following command
tsm configuration get -k "wgserver.saml.blocklisted_digest_algorithms"

If Tableau Server returns "sha1", Tableau Server is blocking SHA1 certs

Additional Information

By default, Tableau Server 2021.2 and newer will reject certificate upload with the SHA-1 signature hash when configuring Tableau Server for SAML authentication, and Tableau Server will by default reject SAML assertions signed with the SHA-1 algorithm. It is important to note that there are multiple places where SHA-1 could be used on both the Tableau and idP side, so there are multiple places and points in time where validation is required. For example:
  • Certs signed with SHA-1 uploaded via TSM (CLI and GUI) that are used by Tableau Server to sign the request that is sent to IdP
  • Certs in the IdP metadata used to verify the AuthnResponse (signature) received from the IdP using the public key in the cert.
  • Incoming assertions signed and hashed with SHA-1 (DigestMethod set to SHA-1 and SignatureMethod set to SHA-1)
  • Incoming assertions with certs signed with SHA-1
  • Outgoing assertions hashed and signed with SHA-1 (DigestMethod set to SHA-1, SignatureMethod set to SHA-1)
  • Outgoing assertions signed certs signed with SHA-1

Note: The tsm SAML configuration entity wgserver.saml.sha256 is still a valid configuration key to ensure all outgoing assertions sent by Tableau Server are signed using SHA-256. This can be used alongside these blocklist keys in order to support a configuration where your idP may have required SHA-256 signed assertions, but your incoming assertions or uploaded certificates were signed with SHA-1. The default value of this key will now be true, so that all outgoing SAML assertions will be signed with SHA-256 by default.

Note: These settings to restrict certificate properties are available in Tableau Server 2021.1 but are not on by default, however you may encounter these issues in 2021.1 if you change settings for wgserver.saml.blocklisted_digest_algorithms
wgserver.saml.min_allowed.rsa_key_size or wg.server.saml.min.elliptic_curve_size.
Did this article resolve the issue?