Configure SAML with AD FS

You can configure Active Directory Federation Services (AD FS) as a SAML identity provider, and add Tableau Online to your supported single sign-on applications. When you integrate AD FS with SAML and Tableau Online, your users can sign in to Tableau Online using their standard network credentials.

Note: These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.

Prerequisites

Before you can configure Tableau Online and SAML with AD FS, your environment must have the following:

  • A server running Microsoft Windows Server 2008 R2 (or later) with AD FS 2.0 (or later) and IIS installed.

  • We recommend that you secure your AD FS server (for example, by placing it behind a reverse proxy). When your AD FS server is reachable from outside your firewall, Tableau Online can redirect users to the sign-in page hosted by AD FS.

  • A site administrator account that uses TableauID authentication. If SAML single sign-on fails, you can still sign in to Tableau Online as a site administrator.

Step 1: Export metadata from Tableau Online

  1. Sign in to Tableau Online as a site administrator.

    If you have more than one site for Tableau Online, select the site for which you want to enable SAML in the sites drop-down.

  2. Select Settings > Authentication.
  3. On the Authentication tab, select Enable an additional authentication method, select SAML, and then click Edit Connection.

    (Screenshot: Authentication settings)

  4. Under step 1, Export metadata from Tableau Online, click Export metadata to download an XML file that contains the Tableau Online SAML entity ID, Assertion Consumer Service (ACS) URL, and X.509 certificate.

Step 2: Configure AD FS to accept sign-in requests from Tableau Online

Configuring AD FS to accept Tableau Online sign-in requests is a multi-step process, starting with importing the Tableau Online XML metadata file to AD FS.

  1. Do one of the following to open the Add Relying Party Trust Wizard:

    Windows Server 2008 R2:

    1. Select Start menu > Administrative Tools > AD FS 2.0.

    2. In AD FS 2.0, under Trust Relationships, right-click the Relying Party Trusts folder, and then click Add Relying Party Trust.

    Windows Server 2012 R2:

    1. Open Server Manager, and then on the Tools menu, click AD FS Management.

    2. In AD FS Management, on the Action menu, click Add Relying Party Trust.

  2. In the Add Relying Party Trust Wizard, click Start.

  3. On the Select Data Source page, select Import data about the relying party from a file, and then click Browse to locate your Tableau Online XML metadata file. By default, this file is named samlspmetadata.xml.

  4. Click Next, and on the Specify Display Name page, type a name and description for the relying party trust in the Display name and Notes boxes.

  5. Click Next to skip the Configure Multi-factor Authentication Now page.

  6. Click Next to skip the Choose Issuance Authorization Rules page.

  7. Click Next to skip the Ready to Add Trust page.

  8. On the Finish page, select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box, and then click Close.

Next, you’ll work in the Edit Claim Rules dialog to add a rule that makes sure the assertions sent by AD FS match the assertions Tableau Online expects. At a minimum, Tableau Online needs an email address. However, including first and last names in addition to email ensures that the user names displayed in Tableau Online are the same as those in your AD account.

  1. In the Edit Claim Rules dialog box, click Add Rule.

  2. On the Choose Rule Type page, for Claim rule template, select Send LDAP Attributes as Claims, and then click Next.

  3. On the Configure Claim Rule page, for Claim rule name, enter a name for the rule that makes sense to you.

  4. For Attribute store, select Active Directory, complete the mapping as shown in the table below, and then click Finish.

    The mapping is case sensitive and requires exact spelling, so double-check your entries. The table shows common attributes and claim mappings; verify the attributes against your specific Active Directory configuration.

    LDAP Attribute         Outgoing Claim Type
    User-Principal-Name    email
    Given-Name             firstName
    Surname                lastName
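Because the claim mapping is case sensitive, it helps to confirm what AD FS actually sends before users report sign-in failures. The following added example (not code from Tableau or Microsoft) parses a SAML assertion such as the one you would see in a SAML trace or the Tableau Online SAML log and reports claim names that are missing, empty, or spelled with the wrong case. The assertion, user name and email address in it are constructed.

```python
# Added example (not Tableau's or Microsoft's code): check that a SAML
# assertion from AD FS carries the claim names Tableau Online expects, with
# the exact spelling and case the claim-rule table above requires.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUIRED = ("email",)                    # Tableau Online needs at least email
RECOMMENDED = ("firstName", "lastName")  # keeps display names in sync with AD

# Constructed sample assertion with one mis-cased claim type ("Email" instead
# of "email"), the kind of mistake the case-sensitive mapping produces.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>jane.doe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def claims(assertion: bytes) -> dict:
    """Map each outgoing claim type to its list of values across all AttributeStatements."""
    root = ET.fromstring(assertion)
    out = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out

def check_claims(assertion: bytes) -> list:
    """Return findings about the claim names; an empty list means the mapping is correct."""
    found = claims(assertion)
    lower = {name.lower(): name for name in found}  # detect case-only mismatches
    targets = [(n, "error") for n in REQUIRED] + [(n, "warning") for n in RECOMMENDED]
    findings = []
    for name, severity in targets:
        if name in found:
            if not any(v.strip() for v in found[name]):
                findings.append(f"{severity}: claim '{name}' is present but empty")
        elif name.lower() in lower:
            findings.append(f"{severity}: claim '{lower[name.lower()]}' should be spelled "
                            f"'{name}' (the mapping is case sensitive)")
        else:
            findings.append(f"{severity}: claim '{name}' missing from assertion")
    return findings
```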

If you are running AD FS 2016 or later, then you must add a rule to pass through all claim values. If you are running an older version of AD FS, skip to the next procedure to export AD FS metadata.

  1. Click Add Rule.
  2. Under Claim rule template, choose Pass Through or Filter an Incoming Claim.
  3. Under Claim rule name, enter Windows.
  4. On the Edit Rule - Windows pop-up:
    • Under Incoming claim type, select Windows account name.
    • Select Pass through all claim values.
    • Click OK.

Now you will export AD FS metadata that you’ll import to Tableau Online later. You will also make sure the metadata is configured and encoded properly for Tableau Online, and verify other AD FS requirements for your SAML configuration.

  1. Export AD FS Federation metadata to an XML file, and then download the file from https://<adfs server name>/FederationMetadata/2007-06/FederationMetadata.xml.

  2. Open the metadata file in a text editor like Sublime Text or Notepad++, and verify that it is correctly encoded as UTF-8 without BOM.

    If the file shows some other encoding type, save it from the text editor with the correct encoding.

  3. Verify that AD FS uses forms-based authentication. Sign-ins are performed in a browser window, so you need AD FS to default to this type of authentication.

    Edit c:\inetpub\adfs\ls\web.config, search for the tag , and move the line so it appears first in the list. Save the file so that IIS can automatically reload it.

    Note: If you don't see the c:\inetpub\adfs\ls\web.config file, IIS is not installed and configured on your AD FS server.

  4. Configure an additional AD FS relying party identifier. This allows your system to work around any AD FS issues with SAML logout.

    Do one of the following:

    Windows Server 2008 R2:

    1. In AD FS 2.0, right-click on the relying party you created for Tableau Online earlier, and click Properties.

    2. On the Identifiers tab, in the Relying party identifier box, enter https://<tableauservername>/public/sp/metadata and then click Add.

    Windows Server 2012 R2:

    1. In AD FS Management, in the Relying Party Trusts list, right-click on the relying party you created for Tableau Online earlier, and click Properties.

    2. On the Identifiers tab, in the Relying party identifier box, enter https://<tableauservername>/public/sp/metadata and then click Add.

    Note: AD FS can be used with Tableau Server for a single relying party to the same instance. AD FS cannot be used for multiple relying parties to the same instance, for example, multiple site-SAML sites or server-wide and site SAML configurations.

  5. Turn off AD FS assertion encryption for the relying party. Tableau Online does not currently support assertion encryption.

    On the AD FS server, use Windows PowerShell to run the following command, replacing <MyRelyingPartyName> with the display name of the AD FS relying party:

    Set-ADFSRelyingPartyTrust -TargetName <MyRelyingPartyName> -EncryptClaims 0

    Note: If you receive the error Set-ADFSRelyingPartyTrust Cmdlet cannot be found, you must add the AD FS PowerShell snap-in. At the command prompt type: Add-PSSnapin Microsoft.Adfs.PowerShell, and then repeat this step.
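Step 2 above asks you to confirm that the exported FederationMetadata.xml is UTF-8 without a BOM. The following added example (not code from Tableau or Microsoft) performs that check and also confirms that the metadata contains the entityID, single sign-on endpoint and signing certificate that Tableau Online needs from an IdP. The embedded metadata is a constructed sample saved with a BOM; the hostname and certificate value are placeholders.

```python
# Added example (not Tableau's or Microsoft's code): sanity-check an exported
# AD FS FederationMetadata.xml before importing it into Tableau Online.
import xml.etree.ElementTree as ET

UTF8_BOM = b"\xef\xbb\xbf"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample saved *with* a BOM (the encoding problem the procedure
# warns about); hostname and certificate value are placeholders.
SAMPLE = UTF8_BOM + b"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-CERT</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def strip_bom(data: bytes) -> tuple:
    """Return (bytes without UTF-8 BOM, whether a BOM was present)."""
    if data.startswith(UTF8_BOM):
        return data[len(UTF8_BOM):], True
    return data, False

def inspect_metadata(data: bytes) -> dict:
    """Report encoding state and the IdP fields Tableau Online needs."""
    body, had_bom = strip_bom(data)
    body.decode("utf-8")  # raises UnicodeDecodeError if the file is not UTF-8
    root = ET.fromstring(body)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    sso = idp.find(f"{{{MD}}}SingleSignOnService") if idp is not None else None
    # A KeyDescriptor without a 'use' attribute is valid for signing as well.
    keys = idp.findall(f"{{{MD}}}KeyDescriptor") if idp is not None else []
    certs = [c for k in keys if k.get("use", "signing") == "signing"
             for c in k.iter(f"{{{DS}}}X509Certificate")]
    return {"had_bom": had_bom, "entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "signing_certs": len(certs)}

def problems(report: dict) -> list:
    """List what must be fixed before the import; an empty list means ready."""
    checks = [(report["had_bom"], "UTF-8 BOM present; re-save as UTF-8 without BOM"),
              (not report["entity_id"], "no entityID on EntityDescriptor"),
              (not report["sso_url"], "no SingleSignOnService endpoint"),
              (not report["signing_certs"], "no signing certificate in IDPSSODescriptor")]
    return [msg for bad, msg in checks if bad]
```

To repair a real file, write the bytes returned by strip_bom back to disk, which is the same result as re-saving from the text editor as UTF-8 without BOM.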

Step 3: Import the AD FS metadata to Tableau Online

  1. In Tableau Online, go back to the Settings > Authentication page.

  2. Under 4. Import metadata file into Tableau Online, in the IdP metadata file box, specify the name of the file you exported from AD FS (FederationMetadata.xml).

  3. Skip 5. Match attributes.

    You’ve already created a claim rule in AD FS to match the attribute names to what Tableau Online expects.

  4. Under 6. Manage users, do one of the following: 

    • If you haven’t added Tableau Online users yet, click Add users.

      You can then add users manually using the form, or import a CSV file that contains user information.

    • If you have added users to your site already, click Select users.

      Select the check box next to the users you want to allow to use SAML sign-in, and then on the Actions menu select Authentication. Change the authentication method to SAML.

  5. (Optional) Test SAML sign in, using the following steps:

    1. Open a private window or session in your web browser.

      For example, in Google Chrome, in the upper right corner of the window click Customize and control Google Chrome > New incognito window, and then navigate to https://online.tableau.com.

    2. Enter the email address of the user. Tableau Online will remove the password field if the user’s account is correctly set up for SAML authentication.

    3. Click Sign in, and on the AD FS sign-in page, enter your AD credentials.

      After you’re authenticated, AD FS redirects you to Tableau Online.

Your Tableau Online site is now ready for users to sign in using AD FS and SAML. They still navigate to https://online.tableau.com, but after entering their email address, the page redirects to the AD FS sign-in page (as in the optional test step above), and prompts users for their AD credentials.

Note: If you get errors testing SAML sign-in, in step 7. Troubleshooting single sign-on (SSO) of the Tableau Online SAML configuration steps, click Download log file, and use the information there to troubleshoot the error.

Additional requirements and tips

  • After you set up SAML integration between AD FS and Tableau Online, you must update Tableau Online to reflect particular user changes you make in Active Directory, such as adding or removing users.

    You can add users automatically or manually:

    • To add users automatically: Create a script (using PowerShell, Python, or batch file) to push AD changes to Tableau Online. The script can use tabcmd or the REST API to interact with Tableau Online.

    • To add users manually: Sign in to the Tableau Online web UI, go to the Users page, click Add Users, and enter users’ email addresses or upload a CSV file that contains their information.

    Note: If you want to remove a user but keep content assets they own, change the owner of the content before you remove the user. Deleting a user also deletes content they own.

  • In Tableau Online, a user’s email address is their unique identifier. As described in the steps for configuring AD FS to accept sign-in requests from Tableau Online, users’ Tableau Online email addresses must match the email address stored in AD.

  • In Step 2: Configure AD FS to accept sign-in requests from Tableau Online, you added a claim rule in AD FS to match the first name, last name, and email address attributes between AD FS and Tableau Online. Alternatively, you can use step 5. Match attributes in Tableau Online to do the same.
