Configure SAML with Okta

If you use Okta as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for your Tableau Cloud site.

Note: These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.

Open the Tableau Cloud SAML settings

To configure the Okta application, you will need to use information in the Tableau Cloud SAML settings.

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, select Enable an additional authentication method, select SAML and then select Edit connection.

    Screenshot of Tableau Cloud site authentication settings page

Add Tableau Cloud to your Okta applications

  1. Open a new browser tab or window, and sign in to your Okta administrator console.

  2. On the Applications tab, click the Add Application button. Search for Tableau, and then add the Tableau Cloud application. This opens the General Settings tab.

    Note: The Tableau Cloud application may appear as "Tableau Online" in the Okta administrator console.

  3. (Optional) If you have more than one Tableau Cloud site, include the site name in the Application label field, to help users know which site to select when they sign in.

  4. Click Done to open the Assignments tab.

  5. Click Assign > Assign to People and click the Assign button beside each user you want to approve for single sign-on access to Tableau Cloud.

  6. Click Done. Make sure users’ email addresses appear in the Username field.

  7. Select the Sign On tab. In the Settings section, click Edit.

  8. Switch to the tab or window where you opened the Tableau Cloud SAML configuration settings, and in Step 1 of those settings, select and copy the Tableau Cloud entity ID.

    Note: The Tableau Cloud SAML configuration settings appear in a different order than on the Okta settings page. To prevent SAML authentication issues, make sure that the Tableau Cloud entity ID and Assertion Consumer Service (ACS) URL are entered into the correct fields in Okta.

  9. Return to the Okta administrator console general settings, and paste the URL into the corresponding field.

  10. Repeat the previous two steps for the Assertion Consumer Service (ACS) URL. Click Save.

  11. Right-click Identity Provider Metadata and click Save link as to download the metadata XML file.

  12. Click View Setup Instructions and complete the steps to import the IdP metadata, provide the IdP entity ID and SSO service URL, and match email and display name attributes. Switch to the tab or window where you opened the Tableau Cloud SAML configuration settings. Note: When importing the Okta metadata file into Tableau Cloud, it might be necessary to refresh the page after clicking Apply to see the changes.

(Optional) Enable iFrame embedding

When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure Okta to allow authentication using an inline frame (iFrame) for embedded views. Inline frame embedding may provide a more seamless user experience when signing-on to view embedded visualisations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Server when browsing to pages that contain an embedded visualisations.

Caution: Inline frames can be vulnerable to a clickjack attack. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Cloud, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking(Link opens in a new window) on the Open Web Application Security Project website.

  1. Open a new browser tab or window, and sign in to your Okta administrator console.

  2. On the Home page, click Admin to open the Administrator Dashboard.

  3. On the Settings menu, click Customisation.

  4. Under iFrame Embedding, select Allow iFrame embedding.

Add users to the SAML-enabled Tableau site

  1. After you complete the Okta configuration steps, return to your Tableau Cloud site.

  2. Complete the SAML connection by adding the users you assigned in the Okta administrator console to Tableau Cloud.

Thanks for your feedback!