Troubleshooting Tanium Cloud

Tanium Cloud is a self-monitored service, designed to detect failures before the failures surface to users.

Troubleshoot issues authenticating to the Tanium Console

If you encounter issues connecting and authenticating to the Tanium Console, verify that the identity provider is configured correctly.

Sign in to the CMP.
Review the Identity Provider Settings section of the Administration page.
1. Verify that there are no warnings or errors in the Status column of the identity provider.
2. Click Edit to view and edit the settings.
3. (Optional) If you want to automatically provision users from a domain, verify that the domain is listed and the Auto-Provision Users selection is set to Yes.
4. Click Test Login to verify that the connection to the identity provider is successful.

For more troubleshooting information, see Tanium Console User Guide: Troubleshooting.

Error: 401 authorization required

A 401 authorization required error displays when authenticating to Tanium Console or the CMP, because Tanium Cloud cannot process the SAML response. The following sections outline messages that can appear in the URL when a 401 authorization required error displays in the browser.

Copy the message from the browser to a text editor to see the full error message.

Issue: Email was changed in the IDP

Cause

Users cannot sign in to Tanium after their email addresses are changed in the integrated IDP environment. When attempting to sign in to the Tanium Console, users encounter a 401 error with the following text in the URL:

PreAuthentication+failed+with+error+User+email+domain+was+not+registered+with+this+identity+provider

If the domains listed in CMP do not match the previous email domain, users continue to see a 401 error.

Solution

Choose an option:

Delete the IDP configuration in the CMP and create a new one with the same configuration.
Add both the old and new domains in the CMP for that IDP. Then have the affected users sign in at least once to allow their email attributes to be updated. After you confirm that users can sign in successfully, remove the old domain from the CMP.

Issue: Error in SAML response processing because Name ID value was not found in SAML Assertion

Cause

The NameID value is not being sent in the SAML response. While Tanium Cloud does not use this value, the SAML response fails to validate if the value is not present.

Solution

In the IDP environment, add the NameID and the E-mail Address to the response.

Issue: Error in SAML response processing: Invalid user attributes: email: The attribute is required

Cause

The IDP is not sending the email address or the email address is being sent under the wrong attribute name.

Solution

In the IDP environment, send the email address value under the attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. The attribute statement should look similar to the following example:

<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"> [email protected]</saml2:AttributeValue> </saml2:Attribute>

Error in SAML response processing: No SAML Assertion found in the SAML response

Cause

There is an unspecified issue with the IDP configuration. The SAML response likely includes an AuthnFailed status:

<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed">
</samlp:Status>

The most common cause is in SFDC IDP environments when the user is not assigned to the role which grants permission on the Connected Application.

Solution

For the user account, assign the role which grants permission on the Connected Application. If that step does not resolve the issue, investigate the logs in the IDP environment.

Error: Required String parameter RelayState is not present

Cause

This error occurs when a user signs in to a Tanium Cloud instance through IDP-initiated single sign-on (SSO). IDP-initiated SSO is not supported.

Solution

Use Service Provider-initiated (SP-initiated) SSO by signing in from the Tanium Cloud console URL (for example, https://examplecustomer.cloud.tanium.com). As a workaround, you can also configure the sign in URL with the Tanium Console URL. In Okta, for example, this means configuring a Bookmark app.

Error: The Tanium sign-in screen shows /unauthorized in the URL bar

If you see /unauthorized in the URL bar, the SAML integration is configured correctly, but the sign in user account does not exist in Tanium Cloud.

Issue: Incorrect attribute

Cause

The IDP might be sending the wrong attribute: UUID, sAMAccountName, and userPrincipalName.

Solution

Make sure the IDP is sending email address for the applicable attribute.

Issue: Incorrect user account

Cause

A user account might be incorrect for one of the following reasons:

Using the IDP account admin instead of the user account with Tanium administrative rights
Using an elevated account instead of a standard account
Creating an initial Tanium Cloud user account with a typo

Solution

Issue: Extra space in user name

Cause

The user name looks correct but contains extra spacing on the end, so the name cannot match the SAML claim. This usually happens when the user was created by a cut and paste action.

Solution

Carefully recreate the user name. The preferred option is to enter the user name manually to avoid extra spacing from a cut and paste error.

Troubleshoot Tanium solutions

If you notice issues with specific Tanium solutions, review the following links.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.