IMCAFS

SAML requirements for Tableau Online

Posted by tetley at 2020-06-23

Before setting up SAML on Tableau Online, check that the following requirements are met.

Identity provider (IdP) requirements for Tableau configuration

SAML compatibility notes and requirements

Using SAML SSO in Tableau client applications

Effects of changing authentication type on Tableau Bridge

XML data requirements

Identity provider (IdP) requirements for Tableau configuration

To use SAML with Tableau Online, the following need to be in place.

Administrator access to the Tableau Online site. You must have administrator access to the Tableau Online site on which you want to enable SAML.

List of users who will use SSO to access Tableau Online. You must collect the email addresses of the users you want to allow to access Tableau Online.

IdP account that supports SAML 2.0. An account with an external identity provider is required. Examples include PingFederate, SiteMinder, and OpenAM. The IdP needs to support SAML 2.0, and you must have administrator access to it.

An IdP that supports import and export of XML metadata. A manually generated metadata file may work, but Tableau Technical Support does not provide support for generating the file or troubleshooting it.

Important: In addition to these requirements, it is better to have a dedicated site administrator account that is always configured for TableauID authentication. If a problem occurs with SAML or the IdP, use the dedicated TableauID account to access the site.

SAML compatibility notes and requirements

SP or IdP initiated: Tableau Online supports SAML authentication that is initiated by the IdP (identity provider) or by the SP (service provider).

Kerberos not available: Tableau Online does not support using SAML and Kerberos together.

tabcmd and REST API: To use tabcmd or the REST API, users must sign in to Tableau Online with a TableauID account.

Tableau Bridge needs to be reconfigured: Tableau Bridge supports SAML authentication, but changing the authentication requires reconfiguring the Bridge client. For details, see the section below on how changing the authentication type affects Tableau Bridge.

Using SAML SSO in Tableau client applications

Tableau Online users who have SAML credentials can also sign in from Tableau Desktop or the Tableau Mobile app. For maximum compatibility, the Tableau client application version needs to match the Tableau Online version.

When Tableau Desktop or Tableau Mobile connects to Tableau Online, the connection is service provider initiated.

Redirecting authenticated users back to Tableau clients

When a user signs in to Tableau Online, Tableau Online sends a SAML request (AuthnRequest) to the IdP, which includes the Tableau application's RelayState value. When the user signs in to Tableau Online from a Tableau client such as Tableau Desktop or Tableau Mobile, the RelayState value should be returned in the IdP's SAML response to Tableau.

If the RelayState value is not returned correctly in this scenario, the user is not redirected back to the application they signed in from, but is instead taken to their Tableau Online home page in the web browser.

Work with your identity provider and internal IT team to confirm that the IdP's SAML response includes this value.
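
A check for the RelayState round trip described above, as an added example that is not taken from Tableau's documentation: given a captured AuthnRequest and the IdP response that answered it (for instance, copied from browser developer tools), it reports whether RelayState came back unchanged. The function names and the sample messages are constructed for illustration, and the InResponseTo comparison is an extra sanity check that the two captures belong together.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def saml_root(b64_value):
    """Decode a SAMLRequest/SAMLResponse parameter to its root XML element."""
    raw = base64.b64decode(b64_value)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # HTTP-Redirect binding: raw DEFLATE
    # Diagnostic parsing of your own captures; this validates no signature.
    return ET.fromstring(raw)


def check_relaystate(request_params, response_params):
    """Return the problems found in one request/response pair ([] if none).

    Both arguments are URL-encoded parameter strings (POST body or query).
    """
    req, resp = parse_qs(request_params), parse_qs(response_params)
    sent = req.get("RelayState", [None])[0]
    returned = resp.get("RelayState", [None])[0]
    request_id = saml_root(req["SAMLRequest"][0]).get("ID")
    in_response_to = saml_root(resp["SAMLResponse"][0]).get("InResponseTo")
    problems = []
    if in_response_to != request_id:
        problems.append("response does not answer this AuthnRequest")
    if sent is not None and returned is None:
        problems.append("IdP dropped RelayState")
    elif sent != returned:
        problems.append("IdP changed RelayState")
    return problems


def sample_message(tag, attrs, relay_state=None):
    """Build a constructed, unsigned message (not real Tableau Online traffic)."""
    xml = f'<samlp:{tag} xmlns:samlp="{NS}" Version="2.0" {attrs}/>'
    fields = {"SAMLRequest" if tag == "AuthnRequest" else "SAMLResponse":
              base64.b64encode(xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


if __name__ == "__main__":
    request = sample_message("AuthnRequest", 'ID="_req1"', "client-state-123")
    print(check_relaystate(request, sample_message("Response", 'InResponseTo="_req1"')))
```

An empty result means the IdP returned RelayState as sent; "IdP dropped RelayState" corresponds to the case in which the user lands on the Tableau Online home page in the browser instead of returning to the client.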

Effects of changing authentication type on Tableau Bridge

When you change the site's authentication type, publishers who use Tableau Bridge for scheduled extract refreshes should disconnect the Bridge client and authenticate again using the new method.

Disconnecting the Bridge client deletes all data sources, so users also need to set up all of their refresh schedules again. Bridge live queries and refreshes that run directly from the Tableau Online site (such as queries or refreshes of underlying data in the cloud) are not affected by a change of authentication type.

Before changing the authentication type, it is better to inform Bridge users about the change to site authentication. Otherwise, they will find out about it through authentication errors displayed by the Bridge client, or when the client opens with an empty data source area.

XML data requirements

SAML is configured using XML metadata files generated by Tableau Online and by the IdP. During the authentication process, the IdP and Tableau Online use these XML documents to exchange authentication information. If the XML does not meet these requirements, errors can occur when you configure SAML or when a user attempts to sign in.