SAML requirements for Tableau Online

Posted by lipsius at 2020-06-08

SP- or IdP-initiated: Tableau Online supports SAML authentication initiated by either the IdP (identity provider) or the SP (service provider).

Kerberos cannot be used: SAML together with Kerberos is not supported on Tableau Online.

tabcmd and REST API: to use tabcmd or the REST API, users must log in to Tableau Online with a TableauID account.

Tableau Bridge needs to be reconfigured: Tableau Bridge supports SAML authentication, but changing the authentication type requires reconfiguring the Bridge client. For details, see the section below on how changing the authentication type affects Tableau Bridge.

Using SAML SSO in Tableau client applications

Tableau Online users who have SAML credentials can also log in from Tableau Desktop or the Tableau Mobile app. For maximum compatibility, keep the Tableau client application version consistent with the Tableau Online version.

When Tableau Desktop or Tableau Mobile connects to Tableau Online, a service-provider-initiated connection is used.

Redirecting authenticated users back to Tableau clients

When a user logs in to Tableau Online, Tableau Online sends a SAML request (AuthnRequest) to the IdP, which includes the Tableau application's RelayState value. When users log in to Tableau Online from a Tableau client such as Tableau Desktop or Tableau Mobile, the RelayState value should be returned in the IdP's SAML response to Tableau.

If the RelayState value is not returned properly in this scenario, the user is not redirected back to the application they logged in from, but is instead taken to their Tableau Online home page in the web browser.

Work with your identity provider and internal IT team to confirm whether the IdP's SAML response contains this value.
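One way to carry out that check on a captured sign-in, as an added example that is not part of the original post or of Tableau's documentation: the Python below compares the RelayState sent next to the AuthnRequest with the one the IdP posts back. It assumes the request used the HTTP-Redirect binding and the response the HTTP-POST binding; the host names and parameter values are constructed.

```python
from urllib.parse import urlsplit, parse_qs

def _single(params, name):
    """Return the one value of a parameter, None if absent; reject duplicates."""
    values = params.get(name, [])
    if len(values) > 1:
        raise ValueError(f"{name} appears {len(values)} times")
    return values[0] if values else None

def relaystate_from_request(redirect_url):
    """RelayState the SP sent next to SAMLRequest (HTTP-Redirect binding)."""
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    if "SAMLRequest" not in params:
        raise ValueError("not a SAML request: no SAMLRequest parameter")
    return _single(params, "RelayState")

def relaystate_from_response(post_body):
    """RelayState the IdP posted back next to SAMLResponse (HTTP-POST binding)."""
    params = parse_qs(post_body, keep_blank_values=True)
    if "SAMLResponse" not in params:
        raise ValueError("not a SAML response: no SAMLResponse field")
    return _single(params, "RelayState")

def check_relaystate(redirect_url, post_body):
    """Classify how the IdP handled the RelayState of one sign-in."""
    sent = relaystate_from_request(redirect_url)
    returned = relaystate_from_response(post_body)
    if sent is None:
        return "not-sent"   # nothing to round-trip (e.g. IdP-initiated flow)
    if not returned:
        return "missing"    # dropped or blank: user lands on the home page
    if returned != sent:
        return "altered"    # truncated or rewritten by the IdP
    return "ok"

# Constructed captures: hypothetical hosts, placeholder SAML payloads.
SENT_URL = ("https://idp.example.com/sso?SAMLRequest=PLACEHOLDER"
            "&RelayState=client%3Adesktop%2Fsession-42")
RESP_OK = "SAMLResponse=PLACEHOLDER&RelayState=client%3Adesktop%2Fsession-42"
RESP_DROPPED = "SAMLResponse=PLACEHOLDER"
RESP_BLANK = "SAMLResponse=PLACEHOLDER&RelayState="
RESP_ALTERED = "SAMLResponse=PLACEHOLDER&RelayState=client%3Adesktop"

if __name__ == "__main__":
    for name in ("RESP_OK", "RESP_DROPPED", "RESP_BLANK", "RESP_ALTERED"):
        print(name, "->", check_relaystate(SENT_URL, globals()[name]))
```

The request URL and the POST form data can be copied from the browser's network tools during a test sign-in.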

Effect of changing the authentication type on Tableau Bridge

When the site's authentication type is changed, publishers who use Tableau Bridge for scheduled extract refreshes should disconnect their Bridge client and authenticate again using the new method.

Disconnecting the Bridge client deletes all of its data sources, so users need to set up all their refresh schedules again. Bridge live queries and refreshes that run directly from the Tableau Online site (such as for underlying data in the cloud) are not affected by the change of authentication type.

Before changing the authentication type, it is best to tell Bridge users about the change to the site's authentication. Otherwise, they will find out about it only from authentication errors shown by the Bridge client, or when the client opens with an empty data source area.

XML data requirements

SAML is configured using XML metadata files generated by Tableau Online and by the IdP. During the authentication process, the IdP and Tableau Online use these XML documents to exchange authentication information. If the XML does not meet the requirements, errors can occur when setting up SAML or when a user attempts to log in.