Configure SAML for Tableau Viz Lightning Web Component
Tableau provides a Lightning Web Component (LWC) for embedding a Tableau visualization within a Salesforce Lightning page.
This topic describes how to enable an SSO experience for embedded Tableau visualizations in a Salesforce Lightning page. SSO for the Tableau Viz LWC scenario requires SAML configuration. The SAML IdP used for Tableau authentication must be either the Salesforce IdP or the same IdP that is used for your Salesforce instance.
In this scenario, Salesforce administrators can drag-and-drop Tableau Viz LWC into the Lightning page to embed a visualization. Any view that is available to them on Tableau
When single sign-on (SSO) is configured for Tableau Viz LWC on Tableau
When SSO is not configured, then users will need to reauthenticate with Tableau
- The SAML IdP used for Tableau authentication must be either the Salesforce IdP or the same IdP that is used for your Salesforce instance.
- SAML must be configured on Tableau Online. See Enable SAML Authentication on a Site.
- SAML must be configured for Salesforce.
- Install the Tableau Viz Lightning Web Component. See Embed Tableau Views into Salesforce.
Configuring the authentication workflow
You may need to make additional configurations to optimize the sign-in experience for users who access Lightning with embedded Tableau views.
If a seamless authentication user experience is important, then you will need to make some additional configurations. In this context, “seamless” means that users who access the Salesforce Lightning page where Tableau Viz LWC SSO has been enabled will not be required to perform any action to view the embedded Tableau view. In the seamless scenario, if the user is logged into Salesforce, then embedded Tableau views will be displayed with no additional user action. This scenario is enabled by in-frame authentication.
For a seamless user experience you will need to enable in-frame authentication on Tableau
On the other hand, there are scenarios where users are interacting with the Lightning page that will require them to click a “Sign in” button to view the embedded Tableau view. This scenario, where a user must take another action to view the embedded Tableau view, is called pop-up authentication.
Pop-up authentication is the default user experience if you do not enable in-frame authentication.
Enable in-frame authentication on Tableau Online
Before you enable in-frame authentication on Tableau Online, you must have already configured and enabled SAML.
Sign in to your Tableau Online site as a site administrator, and select Settings > Authentication.
On the Authentication tab, select Enable an additional authentication method, select SAML, and then select Edit connection.
Scroll down to Embedding options and select Authenticate using an inline frame.
Caution: Inline frames can be vulnerable to a clickjack attack. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Online, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking on the Open Web Application Security Project website.
Enable in-frame authentication with your SAML IdP
As described above, a seamless authentication user experience with Salesforce Mobile requires IdP support for in-frame authentication. This functionality may also be referred to as “iframe embedding” or “framing protection” at IdPs.
Salesforce safelist domains
In some cases, IdPs only allow enabling in-frame authentication by domain. In those cases, set the following Salesforce wildcard domains when you enable in-frame authentication:
Salesforce IdP supports in-frame authentication by default. You do not need to enable or configure in-frame authentication in the Salesforce configuration.
See Embed Okta in an iframe, in the Okta Help Center topic, General customization options.
See the Ping support topic, How to Disable the "X-Frame-Options=SAMEORIGIN" Header in PingFederate.
See Framing protection, in the OneLogin Knowledge Base article, Account Settings for Account Owners.
ADFS and Azure AD IdP
Microsoft has blocked all in-frame authentication and it cannot be enabled. Instead, Microsoft only supports pop-up authentication in a second window. As a result, pop-up behavior can be blocked by some browsers, which will require users to accept pop-ups for the
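The framing decision that in-frame authentication depends on, as an added example (not Tableau or IdP code): the function below evaluates an IdP sign-in response's `X-Frame-Options` and CSP `frame-ancestors` headers against the embedding page's origin, and flags policies that let any site frame the sign-in page, which is the clickjacking exposure described in the caution above. The `lightning.example` domains and sample headers are constructed placeholders, and ports and multiple CSP headers are not handled.

```javascript
// Added example. Domains and headers used with it are constructed placeholders.
function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of (csp || "").split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

function sourceMatches(source, parentOrigin) {
  const src = source.toLowerCase();
  const parent = new URL(parentOrigin);
  if (src === "*") return true;
  // 'none' and 'self' never match a cross-origin parent such as the Salesforce page.
  if (src.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return src === parent.protocol; // scheme-only
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/);
  if (!m) return false;
  // Assumption: a source without a scheme is treated as https.
  if ((m[1] || "https") + ":" !== parent.protocol) return false;
  const host = m[2];
  // "*.example" matches subdomains only, not the bare domain.
  if (host.startsWith("*.")) return parent.hostname.endsWith(host.slice(1));
  return parent.hostname === host;
}

function evaluateFraming(headers, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    return {
      decidedBy: "frame-ancestors",
      allowed: ancestors.some((s) => sourceMatches(s, parentOrigin)),
      // Any-origin or scheme-only sources let arbitrary sites frame the page.
      clickjackExposed: ancestors.some((s) => s === "*" || /^https?:$/i.test(s)),
    };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { decidedBy: "x-frame-options", allowed: false, clickjackExposed: false };
  }
  // No effective header: anyone can frame the sign-in page.
  return { decidedBy: "none", allowed: true, clickjackExposed: true };
}
```

A result of `allowed: false` corresponds to the pop-up fallback; `allowed: true` with `clickjackExposed: false` is the outcome to aim for when an IdP permits framing by domain.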
Salesforce Mobile App
If your users primarily interact with Lightning on the Salesforce Mobile App, then you should be aware of the following scenarios:
- The Salesforce Mobile App requires that you configure SSO/SAML to view embedded Tableau.
- The Salesforce Mobile App requires in-frame authentication. Pop-up authentication does not work. Instead, users on the Salesforce Mobile App will see the Tableau sign-in button but will not be able to sign in to Tableau.
- The Salesforce Mobile App will not work with the ADFS and Azure AD IdPs.
- Users with Android devices will be required to sign in to view the embedded Tableau visualization the first time, then SSO will work as expected.