
Tableau: SAML message intended destination endpoint did not match

tableau
saml2

#1

I’m trying to add a SAML integration with tableau but I’m getting an error which I’m confused by:

SAML message intended destination endpoint did not match recipient endpoint

I’m generally following the tableau and auth0 instructions:

https://onlinehelp.tableau.com/current/online/en-us/saml_config_site.htm
https://auth0.com/docs/protocols/saml/saml-apps/tableau-server

Here’s what I did:

I suspect that this configuration is the issue:

{
  "audience": "urn:mysite.auth0.com",
  "recipient": "https://us-east-1.online.tableau.com/wg/saml/SSO/index.html",
  "mappings": {
    "email": "username"
  },
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "signatureAlgorithm": "rsa-sha1",
  "digestAlgorithm": "sha1",
  "destination": "https://us-east-1.online.tableau.com/wg/saml/SSO/index.html",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ]
}

When I load the embedded graph and click “Sign in to Tableau Online”, the popup window cycles through several screens, ending in “The sign-in was unsuccessful. Try again.” The Tableau log tells me this:

2018-05-24T19:18:22.579Z | ERROR | requestId=[WvoulhF9Kv], url=[/public/sp/SSO], status=[401], cause=[Incoming SAML message is invalid; caused by: SAML message intended destination endpoint did not match recipient endpoint], displayableMessage=[null], exceptionClass=[null]

2018-05-24T19:18:19.388Z | INFO | SAML operation: AuthNRequest

I’m not sure what this means—none of the URL terminology seems to match up, so I’m confused about what URL goes where.

Thanks,

-Mike


#2

@mikebridge, I am also running into a similar issue. Did you find the solution for this?


#3

Yes, the auth0 documentation is either out-of-date or for another use-case. My auth0 configuration for Tableau Online looks like this:

{
    "mappings": {
      "email": "username"
    },
    "createUpnClaim": false,
    "passthroughClaimsWithNoMapping": false,
    "mapUnknownClaimsAsIs": false,
    "mapIdentities": false,
    "signatureAlgorithm": "rsa-sha1",
    "digestAlgorithm": "sha1",
    "lifetimeInSeconds": 43200,
    "signResponse": false,
    "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "nameIdentifierProbes": [
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    ]
}

and the “Application Callback URL” looks like this:

https://sso.online.tableau.com/public/sp/SSO?alias=someuuid

Hope that helps,

-Mike


#4

@mikebridge the mappings that worked for me are as follows:

{
  "audience": "https://sso.online.tableau.com/public/sp/metadata?alias=someuuid",
  "recipient": "https://sso.online.tableau.com/public/sp/SSO?alias=someuuid",
  "mappings": {
    "email": "Email"
  },
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "signatureAlgorithm": "rsa-sha1",
  "digestAlgorithm": "sha1",
  "destination": "https://sso.online.tableau.com/public/sp/SSO?alias=someuuid",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ]
}

It did the trick for me.


#5

Thanks, I think the only difference between yours and mine is in the “audience” url—I think the rest are set by default from the callback url.
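The error in #1 is the service provider refusing a Response whose `Destination` (and the bearer `Recipient`) names an endpoint other than the ACS URL that actually received it, which is exactly what the `destination`/`recipient` values in the first config (`/wg/saml/SSO/index.html`) versus the real ACS in #3/#4 (`/public/sp/SSO?alias=someuuid`) produce. The following script, written for this page as an illustration and not code from Tableau or Auth0, performs the same three endpoint-binding checks an SP does before trusting the message, on two constructed, unsigned Responses: one built from the values in #1, one from the values in #4. The issuer `urn:mysite.auth0.com` (reused from #1) and the NameID `mike@example.com` are placeholders; URL comparison lower-cases scheme and host and drops a default port but keeps the path and query string verbatim, since the `?alias=` query is part of Tableau Online's ACS endpoint.

```python
"""
Endpoint-binding checks an SP applies to a SAML 2.0 Response.
Added example for this thread; not Tableau's or Auth0's code.
"""
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from posts #3/#4 (someuuid stands in for the site-specific alias).
TABLEAU_ACS = "https://sso.online.tableau.com/public/sp/SSO?alias=someuuid"
TABLEAU_ENTITY_ID = "https://sso.online.tableau.com/public/sp/metadata?alias=someuuid"
# Value from the config in post #1 that caused the rejection.
WRONG_ENDPOINT = "https://us-east-1.online.tableau.com/wg/saml/SSO/index.html"


def canonical_url(url: str) -> str:
    """Lower-case scheme and host, drop a default port; path and query stay verbatim."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = p.hostname or ""
    if p.port is not None and p.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{p.port}"
    return urlunsplit((scheme, host, p.path, p.query, ""))


def check_endpoints(response_xml: str, acs_url: str, sp_entity_id: str) -> list:
    """Return the mismatches an SP would reject this Response for (empty list = accepted)."""
    root = ET.fromstring(response_xml)
    acs = canonical_url(acs_url)
    problems = []

    # 1. Destination on <samlp:Response> must be the endpoint that received the message.
    dest = root.get("Destination")
    if dest is None or canonical_url(dest) != acs:
        problems.append(f"Destination {dest!r} != ACS {acs_url!r}")

    # 2. Recipient of the bearer SubjectConfirmationData must also be the ACS URL.
    scd = root.find(
        "saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient is None or canonical_url(recipient) != acs:
        problems.append(f"Recipient {recipient!r} != ACS {acs_url!r}")

    # 3. Audience must equal the SP entityID; compared as an opaque string, not as a URL.
    aud = root.findtext(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS)
    if aud is None or aud.strip() != sp_entity_id:
        problems.append(f"Audience {aud!r} != entityID {sp_entity_id!r}")
    return problems


def build_response(destination: str, recipient: str, audience: str) -> str:
    """Constructed minimal Response for the demo (unsigned; issuer and NameID are placeholders)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2018-05-24T19:18:20Z"
    Destination="{destination}">
  <saml:Issuer>urn:mysite.auth0.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-05-24T19:18:20Z">
    <saml:Issuer>urn:mysite.auth0.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>mike@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"
            NotOnOrAfter="2018-05-24T19:23:20Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Check the post #1 configuration and the post #4 configuration against the real ACS."""
    broken = build_response(WRONG_ENDPOINT, WRONG_ENDPOINT, "urn:mysite.auth0.com")
    fixed = build_response(TABLEAU_ACS, TABLEAU_ACS, TABLEAU_ENTITY_ID)
    return (check_endpoints(broken, TABLEAU_ACS, TABLEAU_ENTITY_ID),
            check_endpoints(fixed, TABLEAU_ACS, TABLEAU_ENTITY_ID))


if __name__ == "__main__":
    bad, good = demo()
    for p in bad:
        print("reject:", p)
    print("post #4 config:", "accepted" if not good else good)
```

Running it prints three rejections for the #1 values and "accepted" for the #4 values; dropping the `?alias=someuuid` query from `destination` or `recipient` in Auth0 is enough to bring the Destination error back, which is why copying the Application Callback URL exactly as Tableau shows it matters.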