Troubleshooting Tanium Cloud
Tanium Cloud is a self-monitored service, designed to detect failures before the failures surface to users.
Troubleshoot issues authenticating to the Tanium Console
If you encounter issues connecting and authenticating to the Tanium Console, verify that the identity provider is configured correctly.
- Sign in to the CMP.
- Review the Identity Provider Settings section of the Administration page.
- Verify that there are no warnings or errors in the Status column of the identity provider.
- Click Edit to view and edit the settings.
- (Optional) If you want to automatically provision users from a domain, verify that the domain is listed and the Auto-Provision Users selection is set to Yes.
- Click Test Login to verify that the connection to the identity provider is successful.
For more troubleshooting information, see Tanium Console User Guide: Troubleshooting.
Error: 401 authorization required
A 401 authorization required error displays when authenticating to Tanium Console or the CMP, because Tanium Cloud cannot process the SAML response. The following sections outline messages that can appear in the URL when a 401 authorization required error displays in the browser.
Copy the message from the browser to a text editor to see the full error message.
Issue: Email was changed in the IDP
Cause
Users cannot sign in to Tanium after their email addresses are changed in the integrated IDP environment. When attempting to sign in to the Tanium Console, users encounter a 401 error with the following text in the URL:
PreAuthentication+failed+with+error+User+email+domain+was+not+registered+with+this+identity+provider
If the domains listed in CMP do not match the previous email domain, users continue to see a 401 error.
Solution
Choose an option:
- Delete the IDP configuration in the CMP and create a new one with the same configuration.
- Add both the old and new domains in the CMP for that IDP. Then have the affected users sign in at least once to allow their email attributes to be updated. After you confirm that users can sign in successfully, remove the old domain from the CMP.
Issue: Error in SAML response processing because Name ID value was not found in SAML Assertion
Cause
The NameID value is not being sent in the SAML response. While Tanium Cloud does not use this value, the SAML response fails to validate if the value is not present.
Solution
In the IDP environment, add the NameID and the E-mail Address to the response.
Issue: Error in SAML response processing: Invalid user attributes: email: The attribute is required
Cause
The IDP is not sending the email address or the email address is being sent under the wrong attribute name.
Solution
In the IDP environment, send the email address value under the attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. The attribute statement should look similar to the following example:
<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue>
</saml2:Attribute>
Issue: Error in SAML response processing: No SAML Assertion found in the SAML response
Cause
There is an unspecified issue with the IDP configuration. The SAML response likely includes an AuthnFailed status:
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
</samlp:Status>
The most common cause is in SFDC IDP environments when the user is not assigned to the role which grants permission on the Connected Application.
Solution
For the user account, assign the role which grants permission on the Connected Application. If that step does not resolve the issue, investigate the logs in the IDP environment.
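The three SAML response processing causes above (missing NameID, email sent under the wrong attribute name, and a failed status with no assertion) can be checked offline against a captured response. The following is an added example, not Tanium code: the function name and sample responses are hypothetical, and it assumes a base64-encoded SAMLResponse value from the HTTP-POST binding with an unencrypted assertion.

```python
import base64
import xml.etree.ElementTree as ET  # use defusedxml for XML you do not trust

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

def diagnose_saml_response(b64_response):
    """Map a captured SAMLResponse to the 401 causes described above."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value", "") if code is not None else ""
    if not value.endswith(":Success"):
        findings.append("status: " + (value.rsplit(":", 1)[-1] or "missing"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no SAML Assertion found"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID not found in assertion")
    emails = [v.text for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == EMAIL_ATTR
              for v in a.iterfind("saml:AttributeValue", NS) if (v.text or "").strip()]
    if not emails:
        findings.append("email attribute missing or under the wrong name")
    return findings

# Constructed sample responses (not captured from a real IDP).
def sample(status, body=""):
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><samlp:Status>'
           '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:%s"/>'
           '</samlp:Status>%s</samlp:Response>') % (NS["samlp"], NS["saml"], status, body)
    return base64.b64encode(xml.encode())

ATTR = ('<saml:AttributeStatement><saml:Attribute Name="%s">'
        '<saml:AttributeValue>user@example.com</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement>')
GOOD = sample("Success", "<saml:Assertion><saml:Subject><saml:NameID>u1</saml:NameID>"
              "</saml:Subject>" + ATTR % EMAIL_ATTR + "</saml:Assertion>")
NO_NAMEID_UPN = sample("Success", "<saml:Assertion>" + ATTR % "userPrincipalName"
                       + "</saml:Assertion>")
AUTHN_FAILED = sample("AuthnFailed")

if __name__ == "__main__":
    for name in ("GOOD", "NO_NAMEID_UPN", "AUTHN_FAILED"):
        print(name, diagnose_saml_response(globals()[name]))
```

An empty list means none of the three causes apply to the response; each finding otherwise corresponds to one of the Issue headings above.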
Error: Required String parameter RelayState is not present
Cause
This error occurs when a user signs in to a Tanium Cloud instance through IDP-initiated single sign-on (SSO). IDP-initiated SSO is not supported.
Solution
Use Service Provider-initiated (SP-initiated) SSO by signing in from the Tanium Cloud console URL (for example, https://examplecustomer.cloud.tanium.com). As a workaround, you can also configure the sign-in URL with the Tanium Console URL. In Okta, for example, this means configuring a Bookmark app.
Error: The Tanium sign-in screen shows /unauthorized in the URL bar
If you see /unauthorized in the URL bar, the SAML integration is configured correctly, but the user account that is signing in does not exist in Tanium Cloud.
Issue: Incorrect attribute
Cause
The IDP might be sending the wrong attribute, such as UUID, sAMAccountName, or userPrincipalName.
Solution
Make sure the IDP is sending the email address for the applicable attribute.
Issue: Incorrect user account
Cause
A user account might be incorrect for one of the following reasons:
- Using the IDP account admin instead of the user account with Tanium administrative rights
- Using an elevated account instead of a standard account
- Creating an initial Tanium Cloud user account with a typo
Solution
Sign in with the exact email address specified in the welcome email.
Issue: Extra space in user name
Cause
The user name looks correct but contains extra spacing at the end, so the name cannot match the SAML claim. This usually happens when the user was created by a cut and paste action.
Solution
Carefully recreate the user name. The preferred option is to enter the user name manually to avoid extra spacing from a cut and paste error.
Troubleshoot Tanium solutions
If you notice issues with specific Tanium solutions, review the following links.
- Tanium API Gateway User Guide: Troubleshooting API Gateway
- Tanium Asset User Guide: Troubleshooting Asset
- Tanium Benchmark User Guide: Troubleshooting Benchmark
- Tanium Certificate Manager User Guide: Troubleshooting
- Tanium Client Management User Guide: Troubleshooting
- Tanium Comply User Guide: Troubleshooting Comply
- Tanium Connect User Guide: Troubleshooting Connect
- Tanium Console User Guide: Troubleshooting
- Tanium Deploy User Guide: Troubleshooting Deploy
- Tanium Direct Connect User Guide: Troubleshooting Direct Connect
- Tanium Directory Query User Guide: Troubleshooting Directory Query
- Tanium Discover User Guide: Troubleshooting Discover
- Tanium Endpoint Configuration User Guide: Troubleshooting Endpoint Configuration
- Tanium End-User Notifications User Guide: Troubleshooting End-User Notifications
- Tanium Enforce User Guide: Troubleshooting Enforce
- Tanium Feed User Guide: Troubleshooting Feed
- Tanium Impact User Guide: Troubleshooting Impact
- Tanium Integrity Monitor User Guide: Troubleshooting Integrity Monitor
- Tanium Interact User Guide: Troubleshooting Interact
- Tanium Map User Guide: Troubleshooting Map
- Tanium Patch User Guide: Troubleshooting Patch
- Tanium Performance User Guide: Troubleshooting Performance
- Tanium Provision User Guide: Troubleshoot Provision
- Tanium Reporting User Guide: Troubleshoot Reporting
- Tanium Reputation User Guide: Troubleshooting Reputation
- Tanium Reveal User Guide: Troubleshooting Reveal
- Tanium Threat Response User Guide: Troubleshooting Threat Response
- Tanium Trends User Guide: Troubleshooting Trends
Contact Tanium Support
To contact Tanium Support for help, sign in to https://support.tanium.com.
Last updated: 3/28/2023 8:22 AM