Configure SAML for Tableau Viz Lightning Web Component
Tableau provides a Lightning Web Component (LWC) for embedding a Tableau visualisation within a Salesforce Lightning page.
This topic describes how to enable an SSO experience for embedded Tableau visualisations in a Salesforce Lightning page. SSO for the Tableau Viz LWC scenario requires SAML configuration. The SAML IdP used for Tableau authentication must be either the Salesforce IdP or the same IdP that is used for your Salesforce instance.
In this scenario, Salesforce administrators can drag-and-drop Tableau Viz LWC into the Lightning page to embed a visualisation. Any view that is available to them on
When single sign-on (SSO) is configured for Tableau Viz LWC on
When SSO is not configured, users will need to re-authenticate with
Note: Users configured with Salesforce Authentication will need to reauthenticate with Tableau Cloud to view embedded visualisations in Tableau Cloud.
Requirements
- The SAML IdP used for Tableau authentication must be either the Salesforce IdP or the same IdP that is used for your Salesforce instance.
- SAML must be configured on Tableau Cloud. See Enable SAML Authentication on a Site.
- SAML must be configured for Salesforce.
- Install the Tableau Viz Lightning Web Component. See Embed Tableau Views into Salesforce.
Configuring the authentication workflow
You may need to make additional configurations to optimise the sign-in experience for users who access Lightning with embedded Tableau views.
If a seamless authentication user experience is important, then you will need to make some additional configurations. In this context, “seamless” means that users who access the Salesforce Lightning page where Tableau Viz LWC SSO has been enabled will not be required to perform any action to view the embedded Tableau view. In the seamless scenario, if the user is logged into Salesforce, then embedded Tableau views will be displayed with no additional user action. This scenario is enabled by in-frame authentication.
For a seamless user experience, you will need to enable in-frame authentication on
On the other hand, there are scenarios where users are interacting with the Lightning page that will require them to click a “Sign in” button to view the embedded Tableau view. This scenario, where a user must take another action to view the embedded Tableau view, is called pop-up authentication.
Pop-up authentication is the default user experience if you do not enable in-frame authentication.
Enable in-frame authentication on Tableau Cloud
Before you enable in-frame authentication on Tableau Cloud, you must have already configured and enabled SAML.
Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.
On the Authentication tab, select the Enable an additional authentication method tick box, select SAML and then click the Configuration (required) drop-down arrow.
Navigate down to Embedding options and select the Authenticate using an in-line frame radio button.
Caution: Inline frames can be vulnerable to a clickjack attack. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Cloud, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking on the Open Web Application Security Project website.
Enable in-frame authentication with your SAML IdP
As described above, a seamless authentication user experience with Salesforce Mobile requires IdP support for in-frame authentication. This functionality may also be referred to as “iframe embedding” or “framing protection” at IdPs.
Salesforce safelist domains
In some cases, IdPs only allow enabling in-frame authentication by domain. In those cases, set the following Salesforce wildcard domains when you enable in-frame authentication:
*.force
*.visualforce
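When an IdP lets you scope framing by domain, the response headers on its sign-in page should permit only the Salesforce domains rather than dropping framing protection altogether. The following is an added example, not Tableau or IdP code: a simplified evaluator for Content-Security-Policy frame-ancestors and X-Frame-Options that models a single framing parent. The IdP origin, the acme hostname and the header values are constructed, and the force.com and visualforce.com domains are the ones named on this page.

```javascript
// Added example; header values and origins are constructed samples.
const DEFAULT_PORT = { "https:": "443", "http:": "80" };

// Match one frame-ancestors source expression against the framing parent.
// Assumption: the framed page is served over HTTPS, so a scheme-less source
// such as "*.force.com" is treated as https-only.
function sourceMatches(source, parent, idp) {
  if (source === "'self'") return parent.origin === idp.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false; // unsupported syntax never matches
  const scheme = (m[1] || "https").toLowerCase() + ":";
  const host = m[2].toLowerCase();
  const port = m[3] || DEFAULT_PORT[scheme];
  const parentPort = parent.port || DEFAULT_PORT[parent.protocol];
  if (scheme !== parent.protocol || port !== parentPort) return false;
  // "*.force.com" matches any subdomain but not "force.com" itself.
  return host.startsWith("*.")
    ? parent.hostname.endsWith(host.slice(1))
    : parent.hostname === host;
}

// Returns "blocked", "allowed" or "unrestricted" (any site may frame the page).
function framingVerdict(headers, parentOrigin, idpOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const parent = new URL(parentOrigin);
  const idp = new URL(idpOrigin);
  const directive = (h["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const sources = directive.slice(1);
    if (sources.includes("*")) return "unrestricted";
    return sources.some((s) => sourceMatches(s, parent, idp)) ? "allowed" : "blocked";
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return parent.origin === idp.origin ? "allowed" : "blocked";
  return "unrestricted"; // no framing protection: the clickjacking exposure
}

const IDP = "https://idp.example.com"; // hypothetical IdP origin
const scoped = {
  "Content-Security-Policy":
    "frame-ancestors 'self' https://*.force.com https://*.visualforce.com",
};
console.log(framingVerdict(scoped, "https://acme.lightning.force.com", IDP));
```

A verdict of "unrestricted" means framing protection was switched off rather than scoped, which is the condition the clickjacking caution above describes.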
Salesforce IdP
Salesforce IdP supports in-frame authentication by default. You do not need to enable or configure in-frame authentication in the Salesforce configuration.
Okta IdP
See Embed Okta in an iframe, in the Okta Help Centre topic, General customisation options.
Ping IdP
See the Ping support topic, How to Disable the "X-Frame-Options=SAMEORIGIN" Header in PingFederate.
OneLogin IdP
See Framing protection, in the OneLogin Knowledge Base article, Account Settings for Account Owners.
ADFS and EntraID IdP
Microsoft has blocked all in-frame authentication and it cannot be enabled. Instead, Microsoft only supports pop-up authentication in a second window. As a result, pop-up behaviour can be blocked by some browsers, which will require users to accept pop-ups for the force.com and visualforce.com sites.
Salesforce Mobile App
If your users primarily interact with Lightning on the Salesforce Mobile App, then you should be aware of the following scenarios:
- The Salesforce Mobile App requires that you configure SSO/SAML to view embedded Tableau.
- The Salesforce Mobile App requires in-frame authentication. Pop-up authentication does not work. Instead, users on the Salesforce Mobile App will see the Tableau sign-in button but will not be able to sign in to Tableau.
- Mobile App will not work on ADFS and Azure AD IdP.
- Users with Android devices will be required to sign in to view the embedded Tableau visualisation the first time, then SSO will work as expected.