Enable SAML Authentication on a Site
This topic explains how to enable SAML on the site and select single sign-on users. It also provides steps for switching from SAML to the default Tableau (also known as TableauID) authentication. Before you enable SAML, we recommend that you review the SAML Requirements for Tableau Cloud, including Effects of changing authentication type on Tableau Bridge.
This topic assumes you are familiar with the information in Authentication and How SAML Authentication Works.
IdP-specific configuration information
The steps in the sections later in this topic provide basic steps that you can use with your IdP’s documentation to configure SAML for your Tableau Cloud site. You can get IdP-specific configuration steps for the following IdPs:
Enable SAML
Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.
On the Authentication tab, select Enable an additional authentication method, select SAML and then select Edit connection.
SAML configuration steps
This section takes you through the configuration steps that appear on the Authentication page in the Tableau Cloud web UI. In a self-hosted Tableau Server installation, this page appears only when support for site-specific SAML is enabled at the server level. It is enabled by default in Tableau Cloud.
Note: To complete this process, you will also need the documentation your IDP provides. Look for topics that refer to configuring or defining a service provider for a SAML connection, or adding an application.
To create the SAML connection between Tableau Cloud and your IdP, you need to exchange required metadata between the two services. To get metadata from Tableau Cloud, do either of the following steps. See the IdP’s SAML configuration documentation to confirm the correct option.
Select Export metadata to download an XML file that contains the Tableau Cloud SAML entity ID, Assertion Consumer Service (ACS) URL and X.509 certificate.
Select Download signing and encryption certificate if your IdP expects the required information in a different way. For example, if it wants you to enter the Tableau Cloud entity ID, ACS URL and X.509 certificate in separate locations.
The following image has been edited to show that these settings are the same in Tableau Cloud and Tableau Server.
For Step 2, to import the metadata you exported in step 1, sign in to your IdP account, and use the instructions provided by the IdP’s documentation to submit the Tableau Cloud metadata.
For Step 3, the IdP’s documentation will guide you also in how to provide metadata to a service provider. It will instruct you to download a metadata file, or it will display XML code. If it displays XML code, copy and paste the code into a new text file, and save the file with a .xml extension.
On the Authentication page in Tableau Cloud, import the metadata file that you downloaded from the IdP or configured manually from XML it provided.
Attributes contain authentication, authorisation and other information about a user. In the Identity Provider (IdP) Assertion Name column, provide the attributes that contain the information Tableau Cloud requires.
Note: Tableau Cloud requires the NameID attribute in the SAML response. You can provide other attributes to map usernames in Tableau Cloud, but the response message must include the NameID attribute.
Email: (Required) Enter the name of the attribute that stores users’ email addresses.
Display name: (Optional but recommended) Some IDPs use separate attributes for first and last names, and others store the full name in one attribute.
Select the button that corresponds to the way your IdP stores the names. For example, if the IdP combines first and last name in one attribute, select Display name, and then enter the attribute name.
Select the method by which users sign in to embedded views. The options are to open a separate pop-up window that displays the IdP’s sign-in form, or to use an inline frame (iframe).
Caution: Because iframes can be vulnerable to clickjacking attacks, not all IDPs support signing in through an iframe. With clickjacking, the attacker tries to lure users into clicking or entering content. They do this by displaying the page to attack in a transparent layer over an unrelated page. For Tableau Cloud, an attacker might try to capture user credentials or to get an authenticated user to change settings. For more information, see Clickjacking(Link opens in a new window) on the Open Web Application Security Project website.
If your IdP doesn’t support signing in through an iframe, select Authenticate in a separate pop-up window.
Start with the troubleshooting steps suggested on the Authentication page. If those steps do not resolve the issues, see Troubleshoot SAML.
Select existing Tableau Cloud users, or add new users you want to approve for single sign-on.
When you add or import users, you also specify their authentication type. On the Users page, you can change users’ authentication type any time after adding them.
For more information, see Add Users to a Site or Import Users.
Part of enabling SAML on your site is to specify how users access views embedded in web pages.
Allow users to choose their authentication type
When you select this, two sign-in options appear where a view is embedded: a sign-in button that uses single sign-on authentication and a link to use TableauID as an alternative.
Tip: With this option, users need to know which alternative to choose. As part of notification you send your users after you add them to the single sign-on site, let them know which type of authentication to use for a variety of sign-in scenarios. For example, embedded views, Tableau Desktop, Tableau Bridge, Tableau Mobile, and so on.
Tableau
This option requires users to sign in using a TableauID even if SAML is enabled on the site. Generally it’s reserved for
SAML
With this option, the way SAML users can sign in to embedded views is determined by the setting you select in step 6 above.
Use TableauID authentication
If a site is configured for SAML, you can change the site settings to require some or all users to sign in using TableauID credentials.
If you no longer want an identity provider to handle authentication for a site, or require all users to sign in with their TableauID credentials, you can change authentication type at the site level.
If you want to keep SAML enabled for some users, but require others to use TableauID, you can change authentication type at the user level.
For more information, see Set the User Authentication Type.
Change the site’s authentication type
Sign in to Tableau Cloud as a site administrator and select the site.
Select Settings > Authentication.
For Authentication Type, select TableauID.
After you make the SAML configuration inactive, the metadata and IdP information are preserved, so that if you want to enable it again, you do not need to set up the SAML connection with the IdP again.
Update SAML certificate
The certificate used for Tableau site metadata is provided by Tableau and not configurable. To update the certificate for SAML, you must upload a new certificate to your IdP and re-exchange the metadata with Tableau Cloud.
Sign in to the site as a site administrator, and select Settings > Authentication.
Under Authentication types, select Edit connection to expand the UI.
Open a new tab or window, and sign in to your IdP account.
Use the instructions provided by the IdP’s documentation to upload a new SAML certificate.
Download the new XML metadata file to provide to Tableau Cloud.
Return to the Authentication page in Tableau Cloud, and in Step 4 of the UI, import the metadata file that you downloaded from the IdP.
Click the Apply button.