relying party trust errors


  • Guys, I am having problems configuring a relying party trust that connects back to Tableau Online. I am using Windows Server 2012 R2 ADFS 3.0. I also have a web application proxy box that exposes ADFS to the public web. The problem I'm having is: if I go to https://sso.online.tableau.com/public/login and enter my email address, I get forwarded over to my ADFS page, I enter my credentials and immediately get an error from Tableau. I configured the relying party trust using saml_sp_metadata.xml. I've also verified that the entityID is correct. Also, the certificate is in the correct store. So my question is, what am I missing? I have also verified that I can sign in and out of ADFS. I'm not sure if this is a cert problem or the claims are not being passed on to Tableau.

    Error that I receive

    "We are unable to log you in. Please double check your email address and password, then try again.

    If you continue to have trouble, please contact our Customer Support team for help."

    If I check the ADFS server I have 3 errors that keep showing up: event IDs 364, 184 and 1000.



    Error from the ADFS log

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          7/20/2016 12:46:35 PM
    Event ID:      364

    Additional Data

    Protocol Name:
    Saml

    Relying Party:
    https://sso.online.tableau.com/public/sp/metadata?alias=b8667519-bb7a-4abf-b1eb-bcf4620e51f7

    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.InvalidScopeException: MSIS3055: The requested relying party trust 'https://sso.online.tableau.com/public/sp/metadata' is unspecified or unsupported. If a relying party trust was specified, it is possible the user does not have permission to access the relying party trust. ---> Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://sso.online.tableau.com/public/sp/metadata' could not be located.
       --- End of inner exception stack trace ---
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://sso.online.tableau.com/public/sp/metadata' could not be located.


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2016-07-20T17:46:35.134550000Z" />
        <EventRecordID>595</EventRecordID>
        <Correlation ActivityID="{00000000-0000-0000-3200-0080000000D0}" />
        <Execution ProcessID="2720" ThreadID="1440" />
        <Channel>AD FS/Admin</Channel>
        <Computer>adfsa.test.com</Computer>
        <Security UserID="S-1-5-21-1063662291-1518012612-666385194-63211" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Saml</Data>
            <Data>https://sso.online.tableau.com/public/sp/metadata?alias=b8667519-bb7a-4abf-b1eb-bcf4620e51f7</Data>
            <Data>Microsoft.IdentityModel.SecurityTokenService.InvalidScopeException: MSIS3055: The requested relying party trust 'https://sso.online.tableau.com/public/sp/metadata' is unspecified or unsupported. If a relying party trust was specified, it is possible the user does not have permission to access the relying party trust. ---&gt; Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://sso.online.tableau.com/public/sp/metadata' could not be located.
       --- End of inner exception stack trace ---
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1&amp; identityClaimSet)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String&amp; newSamlSession, String&amp; samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String&amp; samlpSessionState, String&amp; samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://sso.online.tableau.com/public/sp/metadata' could not be located.

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>


    ///////////////////////////////////////////////////////////////////////////////////////////////



    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          7/20/2016 12:46:35 PM
    Event ID:      184

    Description:
    A token request was received for a relying party identified by the key 'https://sso.online.tableau.com/public/sp/metadata', but the request could not be fulfilled because the key does not identify any known relying party trust.
    Key: https://sso.online.tableau.com/public/sp/metadata

    This request failed.

    User Action
    If this key represents a URI for which a token should be issued, verify that its prefix matches the relying party trust that is configured in the AD FS configuration database.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>184</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2016-07-20T17:46:35.134550000Z" />
        <EventRecordID>594</EventRecordID>
        <Correlation ActivityID="{00000000-0000-0000-3200-0080000000D0}" />
        <Execution ProcessID="2720" ThreadID="1440" />
        <Channel>AD FS/Admin</Channel>
        <Computer>adfsa.testdomain.com</Computer>
        <Security UserID="S-1-5-21-1063662291-1518012612-666385194-63211" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>https://sso.online.tableau.com/public/sp/metadata</Data>
          </EventData>
        </Event>
      </UserData>
    </Event>


    //////////////////////////////////////////////////////////////////////////////////////////////

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          7/20/2016 12:46:35 PM
    Event ID:      1000

    Description:
    An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.  



    Caller:
     test\test


    OnBehalfOf user:


    ActAs user:


    Target Relying Party:
     https://sso.online.tableau.com/public/sp/metadata

    Device identity:


    User action:
    Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>1000</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2016-07-20T17:46:35.134550000Z" />
        <EventRecordID>593</EventRecordID>
        <Correlation ActivityID="{00000000-0000-0000-3200-0080000000D0}" />
        <Execution ProcessID="2720" ThreadID="1440" />
        <Channel>AD FS/Admin</Channel>
          <Security UserID="S-1-5-21-1063662291-1518012612-666385194-63211" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>test\test
    </Data>
            <Data>
            </Data>
            <Data>
            </Data>
            <Data>https://sso.online.tableau.com/public/sp/metadata</Data>
            <Data>
            </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

          
    Wednesday, July 20, 2016 7:42 PM

All replies

  • Hiya,

    It sounds more like a tableau problem than ADFS. Which guide did you follow in order to implement your relying party trust for tableau?

    I found the following tableau KB article which might assist somewhat.

    http://kb.tableau.com/articles/issue/error-authentication-failed-after-configuring-adfs-for-saml

    Thursday, July 21, 2016 8:04 AM
  • I think the one you referenced is talking about Tableau on-prem. If I log into our account there is a little section on configuring ADFS and SSO with Tableau. Check out the screenshot links below. I tried passing through email address along with first name and last name; still nothing. I know that ADFS works because I can access it via internal or external login, then back out. I've also verified that WAP can publish applications: I actually published a test site using pass-through, then the same site requiring authentication, and I was able to log in and out of ADFS for my test site that I published. This may sound stupid, but how can I verify if there is a cert problem? Because I dropped the cert they sent into our trusted root cert container. Also, is there a way to see that I'm actually obtaining a claim from ADFS that will be sent over to the relying party? BTW, my ADFS store is on SQL Server. Also, something I find strange: I'm contacting this link
    https://sso.online.tableau.com/public/sp/metadata?alias=b8667519-bb7a-4abf-b1eb-bcf4620e51f7 as the relying party. However, the log keeps talking about this link: https://sso.online.tableau.com/public/sp/metadata

    https://test.company.com/adfs/ls/IdpInitiatedSignon.aspx   link I used to verify adfs

    https://s25.postimg.org/sp8atjhzj/image.png


    https://s25.postimg.org/3xda01q6n/image.png




    • Edited by OSU75 Thursday, July 21, 2016 9:28 AM
    Thursday, July 21, 2016 9:23 AM
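The identifier discrepancy the poster noticed above (trust configured from metadata with `?alias=...`, event 184 asking for the bare `/public/sp/metadata` key) is something you can check directly on the AD FS server. The script below is an added example, not code from the thread or from Tableau/Microsoft documentation; it assumes the ADFS PowerShell module is available on the 2012 R2 server and reuses the identifier strings quoted in the posted events. It also lists the certificates AD FS holds for the trust, which addresses the "is it a cert problem?" question from the second post.

```powershell
# Added example for this thread; run in an elevated PowerShell on the AD FS 3.0 server.
# Assumes the ADFS module is present and uses the identifiers quoted in events 184/364 above.
Import-Module ADFS

# What the SAML request actually carried as Issuer, per the "Key:" line of event 184.
$requestedId = 'https://sso.online.tableau.com/public/sp/metadata'

# Flatten every configured trust into (Name, Identifier) rows; one trust may carry several identifiers.
$configured = foreach ($t in Get-AdfsRelyingPartyTrust) {
    foreach ($id in $t.Identifier) {
        [pscustomobject]@{ Name = $t.Name; Identifier = $id }
    }
}

$exact = $configured | Where-Object { $_.Identifier -eq $requestedId }
# The trust in the thread was built from metadata whose entityID carries "?alias=...", so the
# configured identifier is longer than what the request asks for; AD FS then cannot locate it (MSIS3020).
$longer = $configured | Where-Object {
    $_.Identifier -ne $requestedId -and $_.Identifier.StartsWith($requestedId)
}

if ($exact) {
    "OK: trust '$($exact.Name)' is registered under '$requestedId'"
} elseif ($longer) {
    foreach ($row in $longer) {
        "MISMATCH: trust '$($row.Name)' is registered as '$($row.Identifier)'"
        "          but the request asks for '$requestedId' (query string absent)."
        # One way to resolve it: register the bare identifier on the same trust as an additional identifier.
        # Set-AdfsRelyingPartyTrust -TargetName $row.Name -Identifier @($row.Identifier, $requestedId)
    }
} else {
    "No relying party trust matches '$requestedId' at all; re-check the imported metadata."
}

# Pull the requested key out of recent event 184 records instead of reading the Event Xml by hand.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 184 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        # The single <Data> element under UserData/Event/EventData holds the key (see the posted Event Xml).
        "{0}  requested key: {1}" -f $_.TimeCreated, $xml.Event.UserData.Event.EventData.Data
    }

# For the certificate question: show which signing/encryption certificates AD FS holds for the Tableau trust.
Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -like 'https://sso.online.tableau.com/*' } |
    Select-Object Name,
        @{ n = 'SigningCertThumbprints';  e = { $_.RequestSigningCertificate.Thumbprint } },
        @{ n = 'EncryptionCertThumbprint'; e = { $_.EncryptionCertificate.Thumbprint } }
```

If the "MISMATCH" branch fires, the lookup failure is purely an identifier-matching problem and no certificate or claim rule is consulted yet; the thumbprint listing only becomes relevant once the trust is actually located.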
  • Hi,

    Don't worry about your ADFS :)

    It is strictly a relying party problem. Which can be fixed :)

    Did you see these guides here:

    http://onlinehelp.tableau.com/current/online/en-us/help.htm#saml_config_site.htm?Highlight=saml

    http://onlinehelp.tableau.com/current/online/en-us/saml_site_troubleshoot.htm

    I know that I am link feeding you, however, as you say, it's not an ADFS issue. It's an issue with the relying party, which depends on Tableau configuration.

    Monday, July 25, 2016 6:43 AM