Configure SAML with OneLogin

If you use OneLogin as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for your Tableau Online site.

These steps assume that you have permissions for modifying your organization’s OneLogin portal, and you are comfortable reading XML and pasting values into attributes.

Note: These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.

Open the Tableau Online SAML Settings

  1. Sign in to your Tableau Online site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, select Enable an additional authentication method, select SAML, and then select Edit connection.

Add Tableau Online to your OneLogin applications

  1. Open a new browser tab or window, and sign in to your OneLogin administrator portal.

  2. On the Applications page, select Add Apps. Search for Tableau, and in the results, select Tableau Online SSO.

    In this area you configure the SAML connection.

  3. On the Info page, set up your portal preferences. If you have more than one Tableau Online site, include the site name in the Display Name field to help users know which site to select.

  4. On the Configuration page, you will use information from Step 1 on the Settings > Authentication page in Tableau Online.

    1. For Consumer URL, on the Authentication page, select and copy the Assertion Consumer Service URL (ACS).

      Return to OneLogin and paste the URL into the Consumer URL field.

    2. For Audience, copy and paste the Tableau Online Entity ID from the Authentication page.

  5. On the SSO page, select SHA-256 for the SAML Signature Algorithm.

  6. On the Parameters page, make sure the values appear as follows:

    Tableau Online field    Value
    Email                   Email
    Email (attribute)       Email
    First Name              First Name
    Last Name               Last Name

  7. Return to the Tableau Online Authentication page, and for step 5 Match assertions, set the values in the IdP Assertion Name column as follows:

    • Email: Email

    • Select the First name, Last name radio button.

    • First name: FirstName

    • Last name: LastName

Configure OneLogin metadata for Tableau Online

For these steps you will find and configure OneLogin information that you will take back to Tableau Online to complete the SAML configuration.

  1. On the SSO page, select and copy the URI shown in the SLO Endpoint (HTTP) field.

    Note: Although the label indicates HTTP, the URI provided is an https address, because the SLO (single logout) endpoint uses SSL/TLS encryption.

  2. On the same page, select More Actions > SAML Metadata, and save the file to your computer.

  3. Open the metadata file in a text or XML code editor, and within the IDPSSODescriptor element, add the following new element:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="slo-endpoint-https-uri-goes-here"/>

  4. For the Location attribute of the new element, within the quotation marks, paste the SLO endpoint value you copied in step 1 of this procedure.

    The following image shows a sample, with the new element highlighted in yellow, and using a placeholder 123456 in the Location value.

  5. Save the metadata file.

    You will import this file to Tableau Online in the next section.
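
The metadata edit in steps 3 to 5 can also be scripted. The following is an added example, not part of the original OneLogin or Tableau instructions: it inserts the SingleLogoutService element into IDPSSODescriptor, rejects a non-https endpoint, and places the element in the order the SAML metadata schema defines. The sample metadata, the example.invalid host names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("", MD)  # serialize with the default namespace, not ns0: prefixes
ET.register_namespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Constructed sample metadata: host names and the 123456 app id are placeholders.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.invalid/saml/metadata/123456">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.invalid/sso/123456"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def add_slo(metadata_xml, slo_uri):
    """Return the metadata with an HTTP-Redirect SingleLogoutService in IDPSSODescriptor."""
    parsed = urlparse(slo_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("SLO endpoint must be an absolute https URI")
    root = ET.fromstring(metadata_xml)
    idp = root.find(f".//{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor element")
    for el in idp.findall(f"{{{MD}}}SingleLogoutService"):
        if el.get("Binding") == REDIRECT:
            el.set("Location", slo_uri)  # already present: update instead of duplicating
            break
    else:
        slo = ET.Element(f"{{{MD}}}SingleLogoutService", {"Binding": REDIRECT, "Location": slo_uri})
        slo.tail = idp.text  # reuse the existing indentation
        # SAML metadata schema order: SingleLogoutService comes before these siblings.
        later = {f"{{{MD}}}{n}" for n in ("ManageNameIDService", "NameIDFormat", "SingleSignOnService")}
        pos = next((i for i, child in enumerate(idp) if child.tag in later), len(idp))
        idp.insert(pos, slo)
    return ET.tostring(root, encoding="unicode")


def idp_children(metadata_xml):
    """List (element name, Location) for each child of IDPSSODescriptor, in document order."""
    idp = ET.fromstring(metadata_xml).find(f".//{{{MD}}}IDPSSODescriptor")
    return [(child.tag.split("}")[1], child.get("Location")) for child in idp]


if __name__ == "__main__":
    print(add_slo(SAMPLE, "https://idp.example.invalid/slo/123456"))
```

If a metadata file carries an enveloped XML signature, any edit to it, by hand or by script, invalidates that signature.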

Complete the SAML configuration

  1. On the Tableau Online Authentication page, for step 4, import the OneLogin metadata file you saved in the previous section.

  2. Because you completed step 5 earlier, you can skip to steps 6 and 7, adding SAML users to your site and testing the connection.

(Optional) Enable iFrame embedding

When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure OneLogin to allow your OneLogin dashboard to be embedded into an inline frame (iFrame) on another site. Inline frame embedding may provide a more seamless user experience when signing on to view embedded visualizations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Server when browsing to pages that contain embedded visualizations.

Caution: Inline frames can be vulnerable to a clickjack attack. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Online, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking on the Open Web Application Security Project website.

  1. Open a new browser tab or window, and sign in to your OneLogin Administrator Portal.

  2. On the Settings menu, click Account Settings.

  3. On the Basic page, in Framing Protection, select the Disable Framing Protection (X-Frame-Options) checkbox.
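
Because this checkbox removes the X-Frame-Options protection described in the caution above, it is worth recording which responses become framable once it is set. The following is an added example, not part of the original instructions: it classifies a response's framing policy from its headers and lists the paths whose policy became more permissive. The paths, header values and function names are constructed for illustration, and a single Content-Security-Policy header per response is assumed.

```python
def framing_policy(headers):
    """Classify which origins may frame a response, given its headers as a dict."""
    h = {name.lower(): value for name, value in headers.items()}
    # A CSP frame-ancestors directive, when present, overrides X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            if all(s == "'none'" for s in sources):
                return "none"
            if sources == ["'self'"]:
                return "same-origin"
            return "any" if "*" in sources else "allowlist"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "none"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "any"  # header absent, or a value such as ALLOW-FROM that current browsers ignore


def framing_regressions(before, after):
    """Return paths whose framing policy became more permissive between two captures."""
    rank = {"none": 0, "same-origin": 1, "allowlist": 2, "any": 3}
    return sorted(path for path in after
                  if rank[framing_policy(after[path])] > rank[framing_policy(before.get(path, {}))])


# Constructed header captures for two hypothetical paths, before and after the change.
CSP = "default-src 'self'; frame-ancestors 'self' https://intranet.example.invalid"
BEFORE = {"/login": {"X-Frame-Options": "SAMEORIGIN"},
          "/portal": {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": CSP}}
AFTER = {"/login": {},
         "/portal": {"Content-Security-Policy": CSP}}

if __name__ == "__main__":
    for path in framing_regressions(BEFORE, AFTER):
        print(path, framing_policy(BEFORE[path]), "->", framing_policy(AFTER[path]))
```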
