SAML requirements for Tableau Online

Posted by tetley at 2020-07-14

Before you set up SAML for Tableau Online, review the requirements that must be met.

Identity provider (IdP) requirements for Tableau configuration

SAML compatibility references and requirements

Using SAML SSO in Tableau client applications

Influence of authentication type change on Tableau Bridge

XML data requirements

Identity provider (IdP) requirements for Tableau configuration

To use SAML with Tableau Online, the following must be in place:

Administrator access to the Tableau Online site. You need administrator access to the Tableau Online site that you designate to use SAML.

List of users who will use SSO to access Tableau Online. You must collect the email addresses of the users you want to allow to access Tableau Online.

IdP account that supports SAML 2.0. An account with an external identity provider is required. Examples include PingFederate, SiteMinder, and OpenAM. The IdP must support SAML 2.0, and you must have administrator access.

IdP that supports importing and exporting XML metadata. A manually created metadata file may work, but Tableau Technical Support does not provide support for generating the file or for related problems.

Important: In addition to these requirements, it is recommended to dedicate a site administrator account that is always configured for TableauID authentication. If a problem occurs with SAML or the IdP, the dedicated TableauID account can still be used to access the site.

SAML compatibility references and requirements

SP- or IdP-initiated: Tableau Online supports SAML authentication initiated by the IdP (identity provider) or by the SP (service provider).

Kerberos not available: Tableau Online does not support SAML with Kerberos.

tabcmd and REST API: To use tabcmd or the REST API, users must sign in to Tableau Online with a TableauID account.

Tableau Bridge requires reconfiguration: Tableau Bridge supports SAML authentication, but changing the authentication type requires the Bridge client to be reconfigured. For details, see "Influence of authentication type change on Tableau Bridge".

Using SAML SSO in Tableau client applications

Tableau Online users who have SAML credentials can also sign in from Tableau Desktop or the Tableau Mobile app. For the best compatibility, the version of the client application should match the version of Tableau Online.

When Tableau Desktop or Tableau Mobile connects to Tableau Online, a service provider (SP) initiated connection is used.

Redirecting authenticated users back to Tableau clients

When a user signs in to Tableau Online, Tableau Online sends a SAML request (AuthnRequest) to the IdP, which includes the Tableau application's RelayState value. When the user signs in to Tableau Online from a Tableau client such as Tableau Desktop or Tableau Mobile, the RelayState value must be returned in the IdP's SAML response to Tableau.

If the RelayState value is not returned correctly in this scenario, the user is not redirected back to the application they signed in from, but is instead taken to their Tableau Online home page in the web browser.

Work with your identity provider and internal IT team to verify that the IdP's SAML response includes this value.
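One way to run that verification on captured sign-in traffic, as an added example (not Tableau's code). It assumes the AuthnRequest was captured as an HTTP-Redirect URL and the IdP's answer as the HTTP-POST form body; the function names, host, IDs and RelayState value are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

def check_relaystate(request_url, response_body):
    """Compare a captured AuthnRequest redirect with the IdP's POST back to the SP.
    Returns a list of findings; empty means RelayState was echoed unchanged."""
    req = parse_qs(urlsplit(request_url).query)
    resp = parse_qs(response_body)
    sent = req.get("RelayState", [None])[0]
    got = resp.get("RelayState", [None])[0]
    findings = []
    if sent is None:
        findings.append("AuthnRequest carried no RelayState")
    elif got is None:
        findings.append("IdP response dropped RelayState")
    elif got != sent:
        findings.append("IdP response altered RelayState")
    # Decode both messages to confirm the response answers this request.
    # Redirect binding: base64 of raw DEFLATE. POST binding: plain base64.
    # Diagnostic only: run on your own captures, not as a production parser.
    raw_req = zlib.decompress(base64.b64decode(req["SAMLRequest"][0]), wbits=-15)
    root = ET.fromstring(base64.b64decode(resp["SAMLResponse"][0]))
    if root.tag != SAMLP + "Response":
        findings.append("POST body is not a samlp:Response")
    elif root.get("InResponseTo") != ET.fromstring(raw_req).get("ID"):
        findings.append("InResponseTo does not match the AuthnRequest ID")
    return findings

def constructed_capture(echo=True):
    """Constructed sample traffic: host, IDs and RelayState are made up."""
    ns = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    authn = f'<samlp:AuthnRequest {ns} ID="_req123" Version="2.0"/>'
    answer = f'<samlp:Response {ns} ID="_resp456" InResponseTo="_req123" Version="2.0"/>'
    deflater = zlib.compressobj(wbits=-15)
    packed = deflater.compress(authn.encode()) + deflater.flush()
    relay = "client-app-state-0001"
    url = "https://idp.example.test/sso?" + urlencode(
        {"SAMLRequest": base64.b64encode(packed).decode(), "RelayState": relay})
    form = {"SAMLResponse": base64.b64encode(answer.encode()).decode()}
    if echo:
        form["RelayState"] = relay
    return url, urlencode(form)

if __name__ == "__main__":
    for echo in (True, False):
        print(echo, check_relaystate(*constructed_capture(echo)))
```

The check looks only at message correlation and the RelayState echo; it does not validate signatures or assertion contents.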

Influence of authentication type change on Tableau Bridge

When you change the authentication type of the site, publishers who use Tableau Bridge for scheduled extract refreshes must disconnect the Bridge client and authenticate again using the new method.

Disconnecting the Bridge client removes all data sources, so users must set up all their refresh schedules again. Bridge live queries, and refreshes that run directly from the Tableau Online site (for example, refreshes of underlying data in the cloud), are not affected by the change of authentication type.

It is recommended to inform Bridge users of the change to site authentication before you change the authentication type. Otherwise, they will learn of the change only through authentication errors displayed by the Bridge client, or when the client opens with an empty data source area.

XML data requirements

SAML is configured using XML metadata documents generated by Tableau Online and by the IdP. During the authentication process, the IdP and Tableau Online exchange authentication information using these XML documents. If the XML does not meet these requirements, errors can occur when you configure SAML or when users try to sign in.