Configure SAML with AD FS

You can configure Active Directory Federation Services (AD FS) as a SAML identity provider, and add Tableau Cloud to your supported single sign-on applications. When you integrate AD FS with SAML and Tableau Cloud, your users can sign in to Tableau Cloud using their standard network credentials.

Notes: 

  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.
  • Beginning February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau Cloud requirement.
  • The configuration steps in the IdP may be in a different order than what you see in Tableau Cloud.

Prerequisites

Before you can configure Tableau Cloud and SAML with AD FS, your environment must have the following:

  • A server running Microsoft Windows Server 2008 R2 (or later) with AD FS 2.0 (or later) and IIS installed.

  • We recommend that you secure your AD FS server (for example, using a reverse proxy). When your AD FS server is accessible from outside your firewall, Tableau Cloud can redirect users to the sign-in page hosted by AD FS.

  • A site administrator account that uses Tableau with MFA authentication. If SAML single sign-on fails, you can still sign in to Tableau Cloud as a site administrator.

Step 1: Get started

In Tableau Cloud, do the following:

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, click the New Configuration button, select SAML from the Authentication drop-down, and then enter a name for the configuration.

    Screen shot of Tableau Cloud site authentication settings -- new configuration page

    Note: Configurations created before November 2024 (Tableau 2024.3) can't be renamed.

In AD FS, do the following:

The procedure below exports AD FS metadata that you’ll import to Tableau Cloud. You will also make sure the metadata is configured and encoded properly for Tableau Cloud, and verify other AD FS requirements for your SAML configuration.

  1. Export AD FS Federation metadata to an XML file, and then download the file from https://<adfs server name>/federationmetadata/2007-06/FederationMetadata.xml.

  2. Open the metadata file in a text editor like Sublime Text or Notepad++, and verify that it is correctly encoded as UTF-8 without BOM.

    If the file shows some other encoding type, save it from the text editor with the correct encoding.

  3. Verify that AD FS uses forms-based authentication. Sign-ins are performed in a browser window, so you need AD FS to default to this type of authentication.

    Edit c:\inetpub\adfs\ls\web.config, search for the tag , and move the line so it appears first in the list. Save the file so that IIS can automatically reload it.

    Note: If you don't see the c:\inetpub\adfs\ls\web.config file, IIS is not installed and configured on your AD FS server.

  4. Configure an additional AD FS relying party identifier. This allows your system to work around any AD FS issues with SAML logout.

    Do one of the following:

    Windows Server 2008 R2:

    1. In AD FS 2.0, right-click on the relying party you created for Tableau Cloud earlier, and click Properties.

    2. On the Identifiers tab, in the Relying party identifier box, enter https://<tableauservername>/public/sp/metadata and then click Add.

    Windows Server 2012 R2:

    1. In AD FS Management, in the Relying Party Trusts list, right-click on the relying party you created for Tableau Cloud earlier, and click Properties.

    2. On the Identifiers tab, in the Relying party identifier box, enter https://<tableauservername>/public/sp/metadata and then click Add.
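Step 2 above (checking that the exported FederationMetadata.xml is UTF-8 without a BOM) can be scripted rather than eyeballed in an editor. The following Python script is an added example, not part of Tableau's documentation or of any Tableau or Microsoft tooling. It classifies the file's encoding, rewrites it as UTF-8 without BOM (fixing the XML declaration if the export was UTF-16), and reads out the IdP entity ID and SingleSignOnService URLs, which are the values Tableau Cloud fills in when the file is uploaded. The embedded metadata is a constructed, unsigned stand-in with a placeholder host name; a real export is far larger and carries a signature, which this script leaves untouched.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

UTF8_BOM = b"\xef\xbb\xbf"
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"   # standard SAML metadata namespace

# Constructed stand-in for an exported FederationMetadata.xml; adfs.example.com is a placeholder.
SAMPLE_METADATA = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<EntityDescriptor xmlns="{MD_NS}" entityID="http://adfs.example.com/adfs/services/trust">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"'
    ' Location="https://adfs.example.com/adfs/ls/"/>'
    '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
    ' Location="https://adfs.example.com/adfs/ls/"/>'
    '</IDPSSODescriptor></EntityDescriptor>'
).encode("utf-8")


def detect_encoding(data: bytes) -> str:
    """Classify the raw bytes as 'utf-8', 'utf-8-bom', 'utf-16' or 'unknown'."""
    if data.startswith(UTF8_BOM):
        return "utf-8-bom"
    if data[:2] in UTF16_BOMS:
        return "utf-16"
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "unknown"


def _fix_xml_declaration(text: str) -> str:
    """Make the XML declaration's encoding attribute agree with the new UTF-8 encoding."""
    if not text.startswith("<?xml"):
        return text
    decl, end, rest = text.partition("?>")
    decl = re.sub(r'encoding="[^"]*"', 'encoding="UTF-8"', decl, count=1)
    return decl + end + rest


def normalize_to_utf8_no_bom(data: bytes) -> bytes:
    """Return the metadata re-encoded as UTF-8 without a BOM, the form Tableau Cloud expects."""
    kind = detect_encoding(data)
    if kind == "utf-8-bom":
        text = data[len(UTF8_BOM):].decode("utf-8")
    elif kind == "utf-16":
        text = data.decode("utf-16")     # the BOM selects the byte order and is consumed
    elif kind == "utf-8":
        text = data.decode("utf-8")
    else:
        raise ValueError("file is neither UTF-8 nor UTF-16; re-export it from AD FS")
    return _fix_xml_declaration(text).encode("utf-8")


def summarize_metadata(data: bytes) -> dict:
    """Extract what Tableau Cloud fills in on upload: the IdP entity ID and SSO service URLs."""
    root = ET.fromstring(data)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    sso_urls = {}
    for sso in root.iter(f"{{{MD_NS}}}SingleSignOnService"):
        binding = sso.get("Binding", "").rsplit(":", 1)[-1]   # e.g. HTTP-POST
        sso_urls[binding] = sso.get("Location")
    return {"entity_id": root.get("entityID"), "sso_urls": sso_urls}


def fix_metadata_file(path: str) -> dict:
    """Rewrite the file in place as UTF-8 without BOM and return its summary."""
    p = Path(path)
    fixed = normalize_to_utf8_no_bom(p.read_bytes())
    p.write_bytes(fixed)
    return summarize_metadata(fixed)


if __name__ == "__main__":
    import sys
    # Usage: python fix_metadata.py FederationMetadata.xml  (no argument: inspect the sample)
    if len(sys.argv) > 1:
        print(fix_metadata_file(sys.argv[1]))
    else:
        print(summarize_metadata(SAMPLE_METADATA))
```

Run it against the downloaded FederationMetadata.xml before uploading it in Step 2; if the summary's entity ID or SSO URL does not match what appears on the New Configuration page after upload, the wrong file was picked.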

Step 2: Configure SAML in Tableau Cloud

Complete the following procedure after you save the SAML metadata file from AD FS, as described in the section above.

  1. Back in Tableau Cloud, on the New Configuration page, under 2. Upload metadata to Tableau, click the Choose a file button and navigate to the SAML metadata file (FederationMetadata.xml) you exported from AD FS. This automatically fills the IdP entity ID and SSO Service URL values.

  2. Skip 3. Map attributes because you will create a claim rule in AD FS to match the attribute names that Tableau Cloud expects in the section below.

  3. Under 4. Choose default for embedding views (optional), select the experience you want to enable when users access embedded content.

  4. Click the Save and Continue button.

  5. Under 5. Get Tableau Cloud metadata, click the Export Metadata button and save the Tableau metadata file to your computer.

    By default, the file name is saml_sp_metadata.xml.

Step 3. Configure Tableau Cloud application in your IdP

Configuring AD FS to accept Tableau Cloud sign-in requests is a multi-step process, starting with importing the Tableau Cloud metadata file to AD FS.

  1. Do one of the following to open the Add Relying Party Trust Wizard:

    Windows Server 2008 R2:

    1. Select Start menu > Administrative Tools > AD FS 2.0.

    2. In AD FS 2.0, under Trust Relationships, right-click the Relying Party Trusts folder, and then click Add Relying Party Trust.

    Windows Server 2012 R2:

    1. Open Server Manager, and then on the Tools menu, click AD FS Management.

    2. In AD FS Management, on the Action menu, click Add Relying Party Trust.

  2. In the Add Relying Party Trust Wizard, click Start.

  3. On the Select Data Source page, select Import data about the relying party from a file, and then click Browse to locate your Tableau Cloud metadata file.

    By default, the file name is saml_sp_metadata.xml.

  4. Click Next, and on the Specify Display Name page, type a name and description for the relying party trust in the Display name and Notes boxes.

  5. Click Next to skip the Configure Multi-factor Authentication Now page.

  6. Click Next to skip the Choose Issuance Authorization Rules page.

  7. Click Next to skip the Ready to Add Trust page.

  8. On the Finish page, select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box, and then click Close.

Next, you’ll work in the Edit Claim Rules dialog, to add a rule that makes sure the assertions sent by AD FS match the assertions Tableau Cloud expects. At a minimum, Tableau Cloud needs a username (in email address format). However, including first and last names in addition to email will ensure the user names displayed in Tableau Cloud are the same as those in your AD account.

  1. In the Edit Claim Rules dialog box, click Add Rule.

  2. On the Choose Rule Type page, for Claim rule template, select Send LDAP Attributes as Claims, and then click Next.

  3. On the Configure Claim Rule page, for Claim rule name, enter a name for the rule that makes sense to you.

  4. For Attribute store, select Active Directory, complete the mapping as shown below, and then click Finish.

  5. The mapping is case-sensitive and requires exact spelling, so double-check your entries. The table here shows common attributes and claim mappings. Verify attributes against your specific Active Directory configuration.

    Note: Tableau Cloud requires the NameID attribute in the SAML response. You can provide other attributes to map user names in Tableau Cloud, but the response message must include the NameID attribute.

    LDAP Attribute                              Outgoing Claim Type
    User-Principal-Name or E-Mail-Addresses     email or E-Mail Address
    Given-Name                                  firstName
    Surname                                     lastName

    Which of the two LDAP attributes and which of the two outgoing claim types you see in the first row depends on the version of AD FS.

If you are running AD FS 2016 or later, then you must add a rule to pass through all claim values. If you are running an older version of AD FS, skip to the next procedure to export AD FS metadata.

  1. Click Add Rule.
  2. Under Claim rule template, choose Pass Through or Filter an Incoming Claim.
  3. Under Claim rule name, enter Windows.
  4. On the Edit Rule - Windows pop-up:
    • Under Incoming claim type, select Windows account name.
    • Select Pass through all claim values.
    • Click OK.
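Because the mapping above is case-sensitive and Tableau Cloud requires a NameID, it helps to inspect what AD FS actually sends before the Step 4 test. The Python script below is an added example, not Tableau's or Microsoft's code: it parses a decoded SAML Response (as captured while testing) and reports a missing NameID, a missing or malformed email claim, and optional firstName/lastName claims that are absent or misspelled. The sample responses are constructed and unsigned; the claim-type URI used for the E-Mail Address outgoing claim is the standard one AD FS emits, which is an assumption here, not something the page states. The script does not check the signature; Tableau Cloud does that on its side.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Claim names from the mapping table. Assumption: the "E-Mail Address" outgoing claim
# arrives under the standard claim-type URI, so both spellings are accepted.
EMAIL_CLAIMS = {"email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}
OPTIONAL_CLAIMS = ("firstName", "lastName")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_claims(response_xml: bytes):
    """Return (NameID, {attribute name: [values]}) from a SAML Response."""
    root = ET.fromstring(response_xml)
    name_id = root.findtext(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return name_id, attrs


def check_claims(response_xml: bytes) -> dict:
    """Report whether the assertion carries what Tableau Cloud needs from the claim rule."""
    name_id, attrs = extract_claims(response_xml)
    problems, warnings = [], []
    if not (name_id and name_id.strip()):
        problems.append("NameID missing from Subject")
    emails = [v for name, vals in attrs.items() if name in EMAIL_CLAIMS for v in vals]
    email = emails[0] if emails else None
    if email is None:
        problems.append("email claim missing")
    elif not EMAIL_RE.match(email):
        problems.append(f"email claim is not in email address format: {email!r}")
    elif name_id and name_id.strip().lower() != email.lower():
        warnings.append("NameID differs from email claim; check which value Tableau Cloud uses as the username")
    for claim in OPTIONAL_CLAIMS:
        if claim not in attrs:      # exact, case-sensitive spelling, as the mapping requires
            near = [n for n in attrs if n.lower() == claim.lower()]
            hint = f" (found {near[0]!r}; spelling is case-sensitive)" if near else ""
            warnings.append(f"{claim} missing{hint}")
    return {"name_id": name_id, "email": email, "problems": problems,
            "warnings": warnings, "ok": not problems}


def _response(name_id, attributes):
    """Build a constructed, unsigned SAML Response for testing (real AD FS responses are signed)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes)
    subject = f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>" if name_id else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_c1" Version="2.0">'
            f'<saml:Assertion ID="_a1" Version="2.0">{subject}'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>').encode("utf-8")


# Constructed samples: one matching the mapping table, one with no NameID and a misspelled claim.
GOOD_RESPONSE = _response("alice@example.com", [
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "alice@example.com"),
    ("firstName", "Alice"), ("lastName", "Smith")])
BAD_RESPONSE = _response(None, [("email", "bob@example.com"), ("FirstName", "Bob")])


if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_claims(resp))
```

A response that fails the "problems" list will not sign a user in regardless of what Tableau Cloud's Map attributes section says, so fix the claim rule in AD FS first; the "warnings" list points at the typos that leave users signed in but with blank or wrong display names.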

In Tableau Cloud, do the following:

  1. Go back to Tableau Cloud. On the New Configuration page, under 3. Map attributes, enter the claim values you configured in AD FS.

  2. Click the Save and Continue button.

Step 4: Test the SAML configuration in Tableau Cloud

  1. Add a sample user to both AD FS and Tableau Cloud to test the SAML configuration. To add users in Tableau Cloud, see the Add Users to a Site topic.

  2. Go back to the New Configuration page and, under 7. Test configuration, click the Test Configuration button.

We highly recommend that you test the SAML configuration to avoid lockout scenarios. Testing helps ensure that SAML is configured correctly before you change your users' authentication type to SAML. For the test to succeed, there must be at least one user you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud site with the SAML authentication type.

Step 5: Add additional users to the SAML-enabled Tableau Cloud site

Use the steps below to add additional users to your site. The procedure in this section is performed on the Tableau Cloud Users page.

  1. After you complete the steps above, from the left pane, navigate to the Users page.

  2. Follow the procedure described in the Add Users to a Site topic. Alternatively, you can add users from a .csv file by following the procedure described in the Import Users topic.

Additional requirements and tips for SAML support with AD FS

  • After you set up SAML integration between AD FS and Tableau Cloud, you must update Tableau Cloud to reflect user changes you make in Active Directory, such as adding or removing users.

    You can add users automatically or manually:

    • To add users automatically: Create a script (using PowerShell, Python, or batch file) to push AD changes to Tableau Cloud. The script can use tabcmd or the REST API to interact with Tableau Cloud.

    • To add users manually: Sign in to the Tableau Cloud web UI, go to the Users page, click Add Users, and enter the users' usernames or upload a CSV file that contains their information.

    Note: If you want to remove a user but keep content assets they own, change the owner of the content before you remove the user. Deleting a user also deletes content they own.

  • In Tableau Cloud, a user’s username is their unique identifier. As described in the steps for configuring AD FS to accept sign-in requests from Tableau Cloud, users’ Tableau Cloud usernames must match the username stored in AD.

  • In Step 3. Configure Tableau Cloud application in your IdP, you added a claim rule in AD FS to match the first name, last name, and username attributes between AD FS and Tableau Cloud. Alternatively, you can use step 5. Map attributes in Tableau Cloud to do the same.
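The first bullet above suggests a script (PowerShell, Python, or batch) that pushes AD changes to Tableau Cloud. The Python script below is an added example of the planning half of such a script; it is not Tableau's code and does not call Tableau Cloud. It compares an AD export with the site's user list and decides who to add, who to remove, who owns content and must be reassigned before removal (per the note above, deleting a user deletes their content), and which site administrators to leave alone so the account you use if SSO fails is never removed by automation. Assumptions, beyond what the page states: usernames are matched case-insensitively, the AD userPrincipalName is the value the claim rule sends as email, and the REST API "Add User to Site" body has the shape <tsRequest><user name siteRole authSetting/></tsRequest>, which you should confirm against the REST API reference for your API version. All names in the sample data are constructed placeholders.

```python
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class AdUser:
    upn: str            # userPrincipalName: assumed to be what the claim rule sends as the email claim
    given_name: str
    surname: str
    enabled: bool = True


@dataclass(frozen=True)
class TableauUser:
    name: str
    site_role: str          # e.g. Viewer, Creator, SiteAdministratorCreator
    auth_setting: str       # e.g. SAML or TableauIDWithMFA
    owned_content: int = 0  # workbooks and data sources the user owns


@dataclass
class SyncPlan:
    add: list = field(default_factory=list)             # enabled in AD, not yet on the site
    remove: list = field(default_factory=list)          # gone or disabled in AD, owns nothing
    reassign_first: list = field(default_factory=list)  # gone or disabled in AD, owns content
    skipped_admins: list = field(default_factory=list)  # site administrators are never removed here


def plan_sync(ad_users, tableau_users) -> SyncPlan:
    """Compare an AD export with the site's user list and decide what to push to Tableau Cloud."""
    # Assumption: usernames match case-insensitively; the AD UPN is used verbatim when adding.
    ad_by_name = {u.upn.lower(): u for u in ad_users}
    tab_by_name = {u.name.lower(): u for u in tableau_users}
    plan = SyncPlan()
    for key, ad in ad_by_name.items():
        if ad.enabled and key not in tab_by_name:
            plan.add.append(ad.upn)
    for key, tab in tab_by_name.items():
        if tab.auth_setting != "SAML":
            continue   # leave non-SAML accounts alone, e.g. the MFA site administrator used if SSO fails
        ad = ad_by_name.get(key)
        if ad is not None and ad.enabled:
            continue   # still a valid AD account
        if tab.site_role.startswith("SiteAdministrator"):
            plan.skipped_admins.append(tab.name)
        elif tab.owned_content > 0:
            plan.reassign_first.append(tab.name)   # deleting the user would delete this content
        else:
            plan.remove.append(tab.name)
    return plan


def add_user_request_body(name: str, site_role: str = "Viewer") -> str:
    """Request body for the REST API 'Add User to Site' call.

    Assumed shape: <tsRequest><user name siteRole authSetting/></tsRequest>; confirm it
    against the REST API reference for your API version before sending it."""
    root = ET.Element("tsRequest")
    ET.SubElement(root, "user", name=name, siteRole=site_role, authSetting="SAML")
    return ET.tostring(root, encoding="unicode")


# Constructed sample data; every name is a placeholder.
AD_EXPORT = [
    AdUser("alice@example.com", "Alice", "Smith"),
    AdUser("bob@example.com", "Bob", "Jones"),
    AdUser("carol@example.com", "Carol", "Diaz", enabled=False),   # disabled in AD
    AdUser("dave@example.com", "Dave", "Kim"),                      # new hire
]
SITE_USERS = [
    TableauUser("alice@example.com", "Viewer", "SAML"),
    TableauUser("bob@example.com", "Creator", "SAML", owned_content=3),
    TableauUser("carol@example.com", "Explorer", "SAML", owned_content=2),
    TableauUser("erin@example.com", "Viewer", "SAML"),                      # no longer in AD
    TableauUser("frank@example.com", "SiteAdministratorExplorer", "SAML"),  # no longer in AD
    TableauUser("breakglass@example.com", "SiteAdministratorCreator", "TableauIDWithMFA"),
]


if __name__ == "__main__":
    plan = plan_sync(AD_EXPORT, SITE_USERS)
    print(plan)
    for upn in plan.add:
        print(add_user_request_body(upn))
```

Review the plan before acting on it: the reassign_first and skipped_admins lists are deliberately left for a person, since automatic removal there either destroys content or removes the account that keeps you out of a lockout.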
