Configure SAML for Tableau Viz Lightning Web Component

Tableau provides a Lightning Web Component (LWC) for embedding a Tableau visualization within a Salesforce Lightning page.

This topic describes how to enable a SSO experience for embedded Tableau visualizations in a Salesforce Lightning page. SSO for the Tableau Viz LWC scenario requires SAML configuration. The SAML IdP used for Tableau authentication must be either the Salesforce IdP or same IdP that is used for your Salesforce instance.

In this scenario, Salesforce administrators can drag-and-drop Tableau Viz LWC into the Lightning page to embed a visualization. Any view that is available to them on Tableau Cloud can be displayed in the dashboard by entering the embedded URL to the view.

When single sign-on (SSO) is configured for Tableau Viz LWC on Tableau Cloud, the user experience is seamless: after the user signs into Salesforce, embedded Tableau views will work without further authentication to Tableau Cloud.

When SSO is not configured, then users will need to reauthenticate with Tableau Cloud to view embedded visualizations from Tableau Cloud.

Note: Users configured with Salesforce Authentication will need to reauthenticate with Tableau Cloud to view embedded visualizations in Tableau Cloud.

Requirements

Configuring the authentication workflow

You may need to make additional configurations to optimize the sign-in experience for users who access Lightning with embedded Tableau views.

If a seamless authentication user experience is important, then you will need to make some additional configurations. In this context, “seamless” means that users who access the Salesforce Lightning page where Tableau Viz LWC SSO has been enabled, will not be required to perform any action to view the embedded Tableau view. In the seamless scenario, if the user is logged into Salesforce, then embedded Tableau views will be displayed with no additional user action. This scenario is enabled by in-frame authentication.

For a seamless user experience you will need to enable in-frame authentication on Tableau Cloud and at your IdP. The sections below describe how to configure in-frame authentication.

On the other hand, there are scenarios where users are interacting with the Lightning page that will require them to click a “Sign in” button to view the embedded Tableau view. This scenario, where a user must take another action to view the embedded Tableau view, is called pop-up authentication.

Pop-up authentication is the default user experience if you do not enable in-frame authentication.

Enable in-frame authentication on Tableau Cloud

Before you enable in-frame authentication on Tableau Cloud, you must have already configured and enabled SAML.

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, select the Enable an additional authentication method check box, select SAML, and then click the Configuration (required)drop-down arrow.

  3. Navigate down to Embedding options and select the Authenticate using an inline frame radio button.

Caution: Inline frames can be vulnerable to a clickjack attack. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Cloud, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking(Link opens in a new window) on the Open Web Application Security Project website.

Enable in-frame authentication with your SAML IdP

As described above, a seamless authentication user experience with Salesforce Mobile requires IdP support for in-frame authentication. This functionality may also be referred to as “iframe embedding” or “framing protection” at IdPs.

Salesforce safelist domains

In some cases, IdPs only allow enabling in-frame authentication by domain. In those cases, set the following Salesforce wildcard domains when you enable in-frame authentication:

*.force

*.visualforce

Salesforce IdP

Salesforce IdP supports in-frame authentication by default. You do not need to enable or configure in-frame authentication in the Salesforce configuration. However, you must configure Tableau Cloud for in-frame authentication as described above.

Okta IdP

See Embed Okta in an iframe, in the Okta Help Center topic, General customization options(Link opens in a new window).

Ping IdP

See the Ping support topic, How to Disable the "X-Frame-Options=SAMEORIGIN" Header in PingFederate(Link opens in a new window).

OneLogin IdP

See Framing protection, in the OneLogin Knowledge Base article, Account Settings for Account Owners(Link opens in a new window).

ADFS and EntraID IdP

Microsoft has blocked all in-frame authentication and it cannot be enabled. Instead, Microsoft only supports pop-up authentication in a second window. As a result, pop up behavior can be blocked by some browsers, which will require users to accept pop ups for the force.com and visualforce.com sites.

Salesforce Mobile App

If your users primarily interact with Lightning on the Salesforce Mobile App, then you should be aware of the following scenarios:

  • The Salesforce Mobile App requires that you configure SSO/SAML to view embedded Tableau.
  • The Salesforce Mobile App requires in-frame authentication. Pop-up authentication does not work. Instead, users on the Salesforce Mobile App will see the Tableau sign-in button but will not be able to sign to Tableau.
  • Mobile App will not work on ADFS and Azure AD IdP.
  • Users with Android devices will be required to sign-in to view the embedded Tableau visualization the first time, then SSO will work as expected.
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!