SAML (Security Assertion Markup Language) is an XML standard that allows secure web domains to exchange user authentication and authorization data. You can configure Tableau Online to use an external identity provider (IdP) to authenticate users over SAML 2.0. No user credentials are stored with Tableau Online, and using SAML enables you to add Tableau to your organization’s single sign-on environment. Tableau Online supports all SAML 2.0 features including multi-factor authentication (MFA), forcing password change on first login, password complexity requirements, account lockout, and more.
User authentication through SAML does not apply to permissions and authorization for Tableau Online content, such as data sources and workbooks. It also does not control access to underlying data that workbooks and data sources connect to.
Note: Tableau Online supports both service provider initiated and IdP initiated SAML in browsers only. Connections from Tableau Desktop or the Tableau Mobile app require that the SAML request be service provider initiated.
The following image shows the steps to authenticate a user with single sign-on in a typical service provider initiated flow:
1. User navigates to the Tableau Online sign-in page or a published workbook.
2. Tableau Online starts the authentication process and redirects the request to the registered IdP.
3. The IdP requests the user’s username and password and authenticates the user to the IdP.
4. The IdP returns a SAML success response to Tableau Online.
5. Tableau Online verifies that the username in the response matches what is stored in Tableau and displays the page the user requested in Step 1.
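The checks a service provider makes when the SAML response comes back (the last two steps above) can be sketched as follows. This is an added example, not Tableau's code: the function name, the pending-request set, the use of NameID as the username and all sample values are assumptions, and verification of the XML signature against the registered IdP certificate is assumed to have happened before this function is called.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def check_response(xml_text, pending_ids, known_users, now, browser=True):
    """Return the matched username or raise ValueError (hypothetical helper).

    Assumes the signature was already verified against the IdP certificate.
    """
    root = ET.fromstring(xml_text)
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    request_id = root.get("InResponseTo")
    if request_id is None:
        # IdP-initiated: no request to correlate with, so browsers only.
        if not browser:
            raise ValueError("client requires an SP-initiated request")
    elif request_id in pending_ids:
        pending_ids.discard(request_id)  # each request is answered only once
    else:
        raise ValueError("response matches no pending request")
    cond = root.find("a:Assertion/a:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no validity window")
    expiry = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
    if now >= expiry.replace(tzinfo=timezone.utc):
        raise ValueError("assertion expired")
    user = root.findtext("a:Assertion/a:Subject/a:NameID", "", NS).strip()
    if user not in known_users:
        raise ValueError("username not provisioned on the site")
    return user

# Constructed, unsigned sample response; example.com names are placeholders.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" {irt}>
  <p:Status><p:StatusCode Value="{status}"/></p:Status>
  <a:Assertion><a:Subject><a:NameID>{user}</a:NameID></a:Subject>
    <a:Conditions NotOnOrAfter="2024-01-01T12:05:00Z"/></a:Assertion>
</p:Response>"""

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    xml_text = SAMPLE.format(irt='InResponseTo="_req1"', status=SUCCESS,
                             user="alice@example.com")
    print(check_response(xml_text, {"_req1"}, {"alice@example.com"}, now))
```

A replayed response fails the second time because its request ID has already been consumed, and a response with no InResponseTo is accepted only on the browser path.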