KNOWLEDGE BASE

Users with Server-Wide SAML Authentication Unable to Log In after Enabling Site-Specific SAML


Published: 22 Feb 2019
Last Modified Date: 30 Nov 2019

Issue

Users are able to log in when only Server-Wide authentication is enabled.
After site-specific SAML is also enabled with tsm authentication sitesaml enable, users with default Server-Wide SAML authentication see an error similar to one of the following when attempting to log in:

  • Page could not be accessed 
  • User account not found

Users with Site-Specific SAML authentication are able to log in successfully.

Environment

  • Tableau Server 2018.3, 2019.1, 2019.2
  • Windows Server 2012

Resolution

Option 1

Upgrade to Tableau Server 2019.3 or a newer version. See Tableau Server Downloads and Release Notes for downloads of current and previous versions of Tableau Server.  

For more information on current releases, see Upgrade Tableau Server and Server Upgrade.

Option 2

  1. Identify the Entity ID of the SAML IdP used for the Server-Wide SAML setting from the metadata for that IdP. This is not the Entity ID that is used when configuring the Entity ID in the Tableau Server TSM UI or TSM command line. If the Entity ID value contains the Tableau Server URL, it is very likely not the correct Entity ID for this purpose. For example, the Entity ID is the value of the entityID attribute in this IdP metadata sample:

    <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkjei46ugXVn5QoH0h7"
  2. Run the following tsm commands. Note that this will restart Tableau Server:

    tsm configuration set -k wgserver.saml.default_idp -v value --force-keys
    tsm pending-changes list
    tsm pending-changes apply

     In the output of tsm pending-changes list, verify that there are no typos. If anything is incorrect, run tsm pending-changes discard and repeat.

     Using the Entity ID value from the example in step 1, the commands would be:

    tsm configuration set -k wgserver.saml.default_idp -v http://www.okta.com/exkjei46ugXVn5QoH0h7 --force-keys
    tsm pending-changes list
    tsm pending-changes apply

Cause

The configuration parameter wgserver.saml.default_idp is not set as expected when site-specific SAML is enabled. This issue is resolved in Tableau Server 2019.3.0 (under ID 878532).

Additional Information

To verify whether you are experiencing the specific issue described here, run the following commands:
 
tsm configuration get -k wgserver.saml.enabled
tsm configuration get -k wgserver.site_saml.enabled

If both of these return "true", then run:
 
tsm configuration get -k wgserver.saml.default_idp

If this command does not return a value, you are likely experiencing the issue described in this article.
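
The checks above, combined with step 1 of Option 2, as an added PowerShell example (not Tableau's own tooling). It assumes tsm is on the PATH and that tsm configuration get prints the bare value or nothing; the parameter names IdpMetadataPath and TableauServerUrl are hypothetical. It only reads configuration and prints the commands to run.

```powershell
# Added example, not Tableau tooling. Read-only: prints the fix, never applies it.
param(
    [Parameter(Mandatory = $true)][string]$IdpMetadataPath,  # hypothetical: saved server-wide IdP metadata XML
    [string]$TableauServerUrl = ''                           # hypothetical: e.g. your server's external URL
)

function Get-TsmValue([string]$Key) {
    # Assumption: tsm prints the bare value on stdout, or nothing when the key is unset.
    $out = & tsm configuration get -k $Key 2>$null
    return ("$out").Trim()
}

function Get-IdpEntityId([string]$Path) {
    # The IdP's Entity ID is the entityID attribute of the root md:EntityDescriptor.
    [xml]$doc = Get-Content -Raw -LiteralPath $Path
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'EntityDescriptor') {
        throw "Root element is '$($root.LocalName)', expected EntityDescriptor."
    }
    $id = $root.GetAttribute('entityID')
    if (-not $id) { throw 'EntityDescriptor has no entityID attribute.' }
    return $id
}

$serverSaml = Get-TsmValue 'wgserver.saml.enabled'
$siteSaml   = Get-TsmValue 'wgserver.site_saml.enabled'
if ($serverSaml -ne 'true' -or $siteSaml -ne 'true') {
    Write-Output "saml.enabled='$serverSaml', site_saml.enabled='$siteSaml': not the issue in this article."
    return
}

$entityId = Get-IdpEntityId $IdpMetadataPath
# Step 1 caveat: an Entity ID containing the Tableau Server URL is probably the wrong one.
if ($TableauServerUrl -and
    $entityId.IndexOf($TableauServerUrl, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
    Write-Warning "entityID '$entityId' contains the Tableau Server URL; check the IdP metadata."
}

$defaultIdp = Get-TsmValue 'wgserver.saml.default_idp'
if (-not $defaultIdp) {
    Write-Output 'wgserver.saml.default_idp returned no value: likely affected. Review, then run:'
    Write-Output "  tsm configuration set -k wgserver.saml.default_idp -v $entityId --force-keys"
    Write-Output '  tsm pending-changes list'
    Write-Output '  tsm pending-changes apply   (restarts Tableau Server)'
} elseif ($defaultIdp -cne $entityId) {
    Write-Warning "default_idp is '$defaultIdp' but the metadata entityID is '$entityId'."
} else {
    Write-Output 'wgserver.saml.default_idp matches the IdP entityID; no change needed.'
}
```

The Entity ID comparison is case-sensitive (-cne) because SAML entity identifiers are matched exactly.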


