Configure SAML with Okta

If you use Okta as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for your Tableau Cloud site. You can also use the How to Configure SAML 2.0 for Tableau Cloud topic in the Okta documentation.

Tableau Cloud’s SAML integration with Okta supports service provider (SP)-initiated SSO, identity provider (IdP)-initiated SSO, and single logout (SLO).

Notes: 

  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.
  • Beginning February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau Cloud requirement.
  • The configuration steps in the IdP may be in a different order than what you see in Tableau Cloud.

Step 1: Get started

In Tableau Cloud, do the following:

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, click the New Configuration button, select SAML from the Authentication drop-down, and then enter a name for the configuration.

    Note: Configurations created before November 2024 (Tableau 2024.3) can't be renamed.

In the Okta administrator console, do the following: 

  1. Open a new browser tab or window and sign in to your Okta administrator console.

  2. From the left pane, select Applications > Applications and click the Browse App Catalog button.

  3. Search for and click "Tableau Cloud" and then click the Add Integration button. This opens the General Settings tab.

  4. (Optional) If you have more than one Tableau Cloud site, edit the site name in the Application label field to help you differentiate between your Tableau Cloud application instances.

  5. Navigate to the Sign On tab, click Edit, and do the following:

    1. Under Metadata details, copy the Metadata URL.

    2. Paste the URL into a new browser tab and save the result as a file, using the default name "metadata.xml".

Step 2: Configure SAML in Tableau Cloud

Complete the following procedure after you save the SAML metadata file from Okta, as described in the section above.

  1. Back in Tableau Cloud, on the New Configuration page, under "2. Upload metadata to Tableau", click the Choose a file button and navigate to the SAML metadata file you saved from Okta. This automatically fills the IdP entity ID and SSO Service URL values.

  2. Under "3. Map attributes", map the attribute names (assertions) to the corresponding attribute names (assertions) in the Okta administrator console's Tableau Cloud User Profile Mappings page.

  3. Under "4. Choose default for embedding views (optional)", select the experience you want to enable when users access embedded content. For more information, see the About enabling iFrame embedding section below.

  4. Click the Save and Continue button.

Step 3: Configure Tableau Cloud application in your IdP

The procedure in this section uses the information from "5. Get Tableau Cloud Metadata", under "Method 2: Copy metadata and download certificate", on the New Configuration page in Tableau Cloud.

  1. In the Okta administrator console, click the Assignments tab to add your users or groups.

  2. When finished, click Done.

  3. Click the Sign On tab and in the Settings section, click Edit.

  4. (Optional) If you want to enable single logout (SLO), do the following:

    1. Select the Enable Single Logout check box.

    2. Copy the "Single Logout URL" value from the Tableau Cloud metadata file. For example, <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxx/public/sp/SLO/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"/>. For more information, see Configure Single Logout Using SAML with Okta in the Tableau Knowledge Base.

    3. In the Advanced Sign-on Settings text box, enter the value you copied in the previous step.

    4. Next to Signature Certificate, click the Browse button and navigate to the certificate file you downloaded in the section above.

    5. Select the file and click the Upload button.

    6. When finished, click Save.

  5. Select Applications > Applications, click the Tableau Cloud application, select the Sign On tab, and do the following:

    1. Click Edit.

    2. Under Advanced Sign-on Settings, for the Tableau Cloud entity ID text box in the Okta administrator console, paste the Tableau Cloud entity ID value from Tableau Cloud.

    3. For the Tableau Cloud ACS URL text box in the Okta administrator console, paste the Tableau Cloud ACS URL value from Tableau Cloud.

    Note: The Tableau Cloud SAML configuration settings appear in a different order than on the Okta settings page. To prevent SAML authentication issues, make sure that the Tableau Cloud entity ID and Tableau Cloud ACS URL are entered into the correct fields in Okta.

  6. When finished, click Save.
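The metadata files exchanged in Steps 2 and 3 can be inspected before anything is uploaded or pasted. The following is an added example, not Tableau or Okta code: `summarize_metadata` and `check_okta_fields` are hypothetical helper names, and the sample metadata is constructed with placeholder hosts and paths. It lists the entity ID, endpoint URLs and certificate fingerprints, flags non-HTTPS endpoints, and catches the entity ID / ACS URL swap that the note above warns about.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def summarize_metadata(xml_text):
    """Extract the values an admin pastes or compares during SAML setup."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    def urls(tag):
        return [e.get("Location", "") for e in root.iter(MD + tag)]
    roles = [r for r in ("IDPSSODescriptor", "SPSSODescriptor") if root.find(MD + r) is not None]
    info = {"entity_id": root.get("entityID"), "roles": roles,
            "sso_urls": urls("SingleSignOnService"),
            "acs_urls": urls("AssertionConsumerService"),
            "slo_urls": urls("SingleLogoutService")}
    # SHA-256 of each certificate's DER bytes, for comparison with the copy you downloaded.
    info["cert_sha256"] = [hashlib.sha256(base64.b64decode(c.text or "")).hexdigest()
                           for c in root.iter(DS + "X509Certificate")]
    endpoints = info["sso_urls"] + info["acs_urls"] + info["slo_urls"]
    info["non_https"] = [u for u in endpoints if not u.startswith("https://")]
    return info

def check_okta_fields(sp_info, entity_id_field, acs_url_field):
    """Compare the two values pasted into Okta against the SP metadata."""
    if acs_url_field == sp_info["entity_id"] and entity_id_field in sp_info["acs_urls"]:
        return ["entity ID and ACS URL are swapped"]
    problems = []
    if entity_id_field != sp_info["entity_id"]:
        problems.append("entity ID does not match metadata")
    if acs_url_field not in sp_info["acs_urls"]:
        problems.append("ACS URL does not match metadata")
    return problems

# Constructed SP metadata; host, paths and IDs are placeholders, not Tableau Cloud values.
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/entity/SITE-ID"><md:SPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.test/slo/SITE-ID"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.test/acs/SITE-ID" index="0"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""
SP = summarize_metadata(SAMPLE_SP)
print(check_okta_fields(SP, SP["acs_urls"][0], SP["entity_id"]))  # deliberately swapped input
```

The same function reads the "metadata.xml" file saved from Okta in Step 1; its `sso_urls` and `entity_id` should match what Tableau Cloud fills in after the upload.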

Step 4: Test the SAML configuration in Tableau Cloud

In Okta, do the following:

  • Add a sample user to Okta and assign them to the Tableau Cloud application.

In Tableau Cloud, do the following:

  1. Add that Okta user to Tableau Cloud to test the SAML configuration. To add users in Tableau Cloud, see the Add Users to a Site topic.

  2. On the New Configuration page, under "7. Test Configuration", click the Test Configuration button.

We highly recommend that you test the SAML configuration to avoid lockout scenarios. Testing the configuration helps ensure that you have configured SAML correctly before you change the authentication type of your users to SAML. To test the configuration successfully, make sure that there is at least one user you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud site with the SAML authentication type configured.

Note: If the connection fails, consider keeping the NameID attribute in Tableau as-is.

Step 5: Add additional users to the SAML-enabled Tableau Cloud site

If you plan to use SCIM to provision your users from Okta, do not manually add your users to Tableau Cloud. For more information, see Configure SCIM with Okta. If you are not using SCIM, then use the steps below to add additional users to your site.

The procedure described in this section is performed on the Tableau Cloud Users page.

  1. After you complete the steps above, from the left pane, navigate to the Users page.

  2. Follow the procedure described in the Add Users to a Site topic.

About enabling iFrame embedding

When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure Okta to allow authentication using an inline frame (iFrame) for embedded visualization. Inline frame embedding may provide a more seamless user experience when signing on to view embedded visualizations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Cloud when browsing to pages that contain embedded visualizations.

Caution: iFrames can be vulnerable to clickjack attacks. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Cloud, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking on the Open Web Application Security Project website.

  1. Sign in to your Okta administrator console.

  2. From the left pane, select Customizations > Other and navigate to the IFrame Embedding section.

  3. Click Edit, select the Allow iFrame embedding check box, and then click Save.
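Whether a page can be framed, and by whom, is decided by the `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` response headers. The following is an added example, not Okta or Tableau code: `framing_policy` and `audit_framing` are hypothetical helper names, and the sample headers are constructed rather than captured from Okta. It classifies a response's framing policy and reports framing sources outside the sites you expect to host embedded views.

```python
def framing_policy(headers):
    """Classify who may frame a response: returns (mode, allowed_sources).

    CSP frame-ancestors takes precedence over X-Frame-Options when both are set.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if not sources or sources == ["'none'"]:
                return ("deny", [])
            if "*" in sources:
                return ("any", ["*"])
            if sources == ["'self'"]:
                return ("same-origin", [])
            return ("allowlist", sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return ("deny", [])
    if xfo == "SAMEORIGIN":
        return ("same-origin", [])
    return ("any", ["*"])  # no usable header (ALLOW-FROM is obsolete and ignored)


def audit_framing(headers, expected_embedders):
    """List findings for a sign-in page that only known sites should frame."""
    mode, sources = framing_policy(headers)
    if mode == "any":
        return ["any origin may frame this page"]
    if mode == "allowlist":
        extra = [s for s in sources if s != "'self'" and s not in expected_embedders]
        return [f"unexpected framing source: {s}" for s in extra]
    return []


# Constructed response headers and embedder origin (placeholders).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' "
                               "https://portal.example.test https://other.example.test",
    "X-Frame-Options": "SAMEORIGIN",
}
EXPECTED_EMBEDDERS = {"https://portal.example.test"}

if __name__ == "__main__":
    print(framing_policy(SAMPLE_HEADERS))
    print(audit_framing(SAMPLE_HEADERS, EXPECTED_EMBEDDERS))
```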
