Configure SAML with AD FS

You can configure Active Directory Federation Services (AD FS) as a SAML identity provider, and add Tableau Cloud to your supported single sign-on applications. When you integrate AD FS with SAML and Tableau Cloud, your users can sign in to Tableau Cloud using their standard network credentials.

Notes: 

  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.
  • Beginning February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau Cloud requirement.

Prerequisites

Before you can configure Tableau Cloud and SAML with AD FS, your environment must have the following:

  • A server running Microsoft Windows Server 2008 R2 (or later) with AD FS 2.0 (or later) and IIS installed.

  • We recommend that you secure your AD FS server (for example, using a reverse proxy). When your AD FS server is accessible from outside your firewall, Tableau Cloud can redirect users to the sign in page hosted by AD FS.

  • A site administrator account that uses TableauID authentication. If SAML single sign-on fails, you can still sign in to Tableau Cloud as a site administrator.

Step 1: Export metadata from Tableau Cloud

  1. Sign in to Tableau Cloud as a site administrator.

    If you have more than one site for Tableau Cloud, select the site for which you want to enable SAML in the sites drop-down.

  2. Select Settings > Authentication.
  3. On the Authentication tab, select the Enable an additional authentication method check box, select SAML, and then click the Configuration (required) drop-down arrow.

    Authetication settings

  4. Under step 1, Method 1: Export metadata, click the Export Metadata button to download an XML file that contains the Tableau Cloud SAML entity ID, Assertion Consumer Service (ACS) URL, and X.509 certificate.

Step 2: Configure AD FS to accept sign-in requests from Tableau Cloud

Configuring AD FS to accept Tableau Cloud sign-in requests is a multi-step process, starting with importing the Tableau Cloud XML metadata file to AD FS.

  1. Do one of the following to open the Add Relying Party Trust Wizard:

  2. Windows Server 2008 R2:

    1. Select Start menu> to Administrative Tools> AD FS 2.0.

    2. In AD FS 2.0, under Trust Relationships, right-click the Relying Party Trusts folder, and then click Add Relying Party Trust.

    Windows Server 2012 R2:

    1. Open Server Manager, and then on the Tools menu, click AD FS Management.

    2. In AD FS Management, on the Action menu, click Add Relying Party Trust.

  3. In the Add Relying Party Trust Wizard, click Start.

  4. On the Select Data Source page, select Import data about the relying party from a file, and then click Browse to locate your Tableau Cloud XML metadata file. By default, this file is named samlspmetadata.xml.

  5. Click Next, and on the Specify Display Name page, type a name and description for the relying party trust in the Display name and Notes boxes.

  6. Click Next to skip the Configure Multi-factor Authentication Now page.

  7. Click Next to skip the Choose Issuance Authorization Rules page.

  8. Click Next to skip the Ready to Add Trust page.

  9. On the Finish page, select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box, and then click Close.

Next, you’ll work in the Edit Claim Rules dialog, to add a rule that makes sure the assertions sent by AD FS match the assertions Tableau Cloud expects. At a minimum, Tableau Cloud needs an email address. However, including first and last names in addition to email will ensure the user names displayed in Tableau Cloud are the same as those in your AD account.

  1. In the Edit Claim Rules dialog box, click Add Rule.

  2. On the Choose Rule Type page, for Claim rule template, select Send LDAP Attributes as Claims, and then click Next.

  3. On the Configure Claim Rule page, for Claim rule name, enter a name for the rule that makes sense to you.

  4. For Attribute store, select Active Directory, complete the mapping as shown below, and then click Finish.

  5. The mapping is case sensitive and requires exact spelling, so double-check your entries. The table here shows common attributes and claim mappings. Verify attributes with your specific Active Directory configuration.

    Note: Tableau Cloud requires the NameID attribute in the SAML response. You can provide other attributes to map user names in Tableau Cloud, but the response message must include the NameID attribute.

    LDAP Attribute Outgoing Claim Type

    Depending on the version of AD FS:

    User-Principal-Name
    or
    E-Mail-Addresses

     

    email
    or
    E-Mail Address

    Given-Name firstName
    Surname lastName

If you are running AD FS 2016 or later, then you must add a rule to pass through all claim values. If you are running an older version of AD FS, skip to the next procedure to export AD FS metadata.

  1. Click Add Rule.
  2. Under Claim rule template, choose Pass Through or Filter an Incoming Claim.
  3. Under Claim rule name, enter Windows.
  4. On the Edit Rule - Windows pop-up:
    • Under Incoming claim type, select Windows account name.
    • Select Pass through all claim values.
    • Click OK.

Now you will export AD FS metadata that you’ll import to Tableau Cloud later. You will also make sure the metadata is configured and encoded properly for Tableau Cloud, and verify other AD FS requirements for your SAML configuration.

  1. Export AD FS Federation metadata to an XML file, and then download the file from https://<adfs server name>/federationmetadata/2007-06/FederationMetadata.xml.

  2. Open the metadata file in a text editor like Sublime Text or Notepad++, and verify that it is correctly encoded as UTF-8 without BOM.

    If the file shows some other encoding type, save it from the text editor with the correct encoding.

  3. Verify that AD FS uses forms-based authentication. Sign-ins are performed in a browser window, so you need AD FS to default to this type of authentication.

    Edit c:\inetpub\adfs\ls\web.config, search for the tag , and move the line so it appears first in the list. Save the file so that IIS can automatically reload it.

    Note: If you don't see the c:\inetpub\adfs\ls\web.config file, IIS is not installed and configured on your AD FS server.

  4. Configure an additional AD FS relying party identifier. This allows your system to work around any AD FS issues with SAML logout.

    Do one of the following:

    Windows Server 2008 R2:

    1. In AD FS 2.0, right-click on the relying party you created for Tableau Cloud earlier, and click Properties.

    2. On the Identifiers tab, in the Relying party identifier box, enter https://<tableauservername>/public/sp/metadata and then click Add.

    Windows Server 2012 R2:

    1. In AD FS Management, in the Relying Party Trusts list, right-click on the relying party you created for Tableau Cloud earlier, and click Properties.

    2. On the Identifiers tab, in the Relying party identifier box, enter https://<tableauservername/public/sp/metadata and then click Add.

    Note: AD FS can be used with Tableau Server for a single relying party to the same instance. AD FS cannot be used for multiple relying parties to the same instance, for example, multiple site-SAML sites or server-wide and site SAML configurations.

Step 3: Import the AD FS metadata to Tableau Cloud

  1. In Tableau Cloud, go back to the SettingsAuthentication.

  2. Under step 4. Upload metadata to Tableau, in the IdP metadata file box, specify the name of the file you exported from AD FS (FederationMetadata.xml).

  3. Skip step5. Match attributes.

    You’ve already created a claim rule in AD FS to match the attribute names to what Tableau Cloud expects.

  4. Click the Save Changes button.

  5. Manage users by doing one of the following:

    • If you haven’t added users to your site yet, from the left pane, navigate to the Users page and click Add users. You can then add users manually or import a CSV file that contains user information. For more information, see Add Users to a Site or Import Users.

    • If you have added users to your site already, from the left pane, navigate to the Users page, click the Actions next to a specific user, and click Authentication. Change the authentication method to SAML and click the Update button.

  6. (Optional) Go back to the Authentication page, test SAML sign in under 7. Test configuration by clicking the Test Configuration button.

    We highly recommend that you test the SAML configuration to avoid any locked out scenarios. Testing the configuration helps ensure that you have configured SAML correctly before changing the authentication type of your users to SAML. To test the configuration successfully, make sure that there is at least one user who you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud with SAML authentication type configured.

Your Tableau Cloud site is now ready for users to sign in using AD FS and SAML. They still navigate to https://online.tableau.com, but after entering their username, the page redirects to the AD FS sign-in page (as in the optional test step above), and prompts users for their AD credentials.

Note: If you get errors testing SAML sign-in, in step 7. Test configuration of the Tableau Cloud SAML configuration steps, click Download Log, and use the information there to troubleshoot the error.

Additional requirements and tips

  • After you set up SAML integration between AD FS and Tableau Cloud, you must update Tableau Cloud to reflect particular user changes you make in Active Directory. For example, adding or removing users.

    You can add users automatically or manually:

    • To add users automatically: Create a script (using PowerShell, Python, or batch file) to push AD changes to Tableau Cloud. The script can use tabcmd or the REST API to interact with Tableau Cloud.

    • To add users manually: Sign in to the Tableau Cloud web UI, go to the Users page, click Add Users, and enter users’ username or upload a CSV file that contains their information.

    Note: If you want to remove a user but keep content assets they own, change the owner of the content before you remove the user. Deleting a user also deletes content they own.

  • In Tableau Cloud, a user’s username is their unique identifier. As described in the steps for configuring AD FS to accept sign-in requests from Tableau Cloud, users’ Tableau Cloud usernames must match the username stored in AD.

  • In Step 2: Configure AD FS to accept sign-in requests from Tableau Cloud, you added a claim rule in AD FS to match the first name, last name, and username attributes between AD FS and Tableau Cloud. Alternatively, you can use step 5. Match attributes in Tableau Cloud to do the same.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!