Configure SAML with OneLogin

If you use OneLogin as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for your Tableau Cloud site.

These steps assume that you have permissions for modifying your organization’s OneLogin portal, and you are comfortable reading XML and pasting values into attributes.

Notes: 

  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.
  • Beginning February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau Cloud requirement.

Step 1: Open the Tableau Cloud SAML Settings

  1. Sign in to your Tableau Cloud site as a site admin, and select Settings > Authentication.

  2. On the Authentication tab, select the Enable an additional authentication method check box, select SAML, and then click the Configuration (required) drop-down arrow.

Step 2: Add Tableau Cloud to your OneLogin applications

  1. Open a new browser tab or window, sign in to your OneLogin admin portal, and do the following:

    1. On the Applications page, select Add Apps. Search for Tableau, and in the results, select Tableau Cloud SSO. In this area you configure the SAML connection.

      Note: The Tableau Cloud SSO option for OneLogin does not work with Tableau Server.

    2. On the Info page, set up your portal preferences. If you have more than one Tableau Cloud site, include the site name in the Display Name field to help users know which site to select.
  2. On the Configuration page in the OneLogin admin portal, use the information from step 1, Method 2: Copy metadata and download certificate, on the Tableau Cloud Authentication page.

    1. For Consumer URL, select and copy the Tableau Cloud ACS URL.

      Return to OneLogin and paste the URL into the Consumer URL field.

    2. For Audience, copy and paste the Tableau Cloud Entity ID.

  3. On the SSO page in the OneLogin admin portal, select SHA-256 for the SAML Signature Algorithm.

  4. On the Parameters page in the OneLogin admin portal, make sure the values appear as follows:

    Tableau Cloud field    Value
    Username               Email
    First Name             First Name
    Last Name              Last Name

Step 4: Test the SAML configuration in Tableau Cloud

In OneLogin, do the following:

  • Add a sample user to OneLogin and assign them to the Tableau Cloud application.

In Tableau Cloud, do the following:

  1. Add that OneLogin user to Tableau Cloud so that you can test the SAML configuration with that user. To add users in Tableau Cloud, see the Add Users to a Site topic.

  2. Under 7. Test configuration, click the Test Configuration button.

Step 3: Configure OneLogin metadata for Tableau Cloud

For the following steps, you'll find and configure OneLogin information for Tableau Cloud to complete the SAML configuration.

  1. While still in the OneLogin admin portal, on the SSO page, select and copy the URI shown in the SLO Endpoint (HTTP) field.

    Note: Although the label indicates HTTP, the URI provided is an https address, because the SLO (single logout) endpoint uses SSL/TLS encryption.

  2. On the same page, select More Actions > SAML Metadata, and save the file to your computer.

    You will import this file to Tableau Cloud in the next section.

Step 4: Complete the SAML configuration

  1. On Tableau Cloud's Authentication page, do the following:

    1. For 4. Upload metadata to Tableau, import the OneLogin metadata file you saved in the previous section.

      Important: If you encounter any issues with uploading the OneLogin metadata file, consider using a non-default certificate with OneLogin. To create a new certificate, from the OneLogin admin portal, select Security > Certificates. If you create a new certificate, ensure the Tableau Cloud application in OneLogin uses this new certificate.

    2. For 5. Match attributes, set the values as follows:

      • Username: Email
      • Select the First and last name radio button.
      • First name: FirstName
      • Last name: LastName

    3. For 6. Choose default for embedding views (optional), select the experience you want to enable when users access embedded content. For more information, see the (Optional) Enable iFrame embedding section below.

    4. Click the Save Changes button.

    5. For 7. Test Configuration, click the Test Configuration button. We highly recommend that you test the SAML configuration to avoid lockout scenarios. Testing the configuration helps ensure that you have configured SAML correctly before you change the authentication type of your users to SAML. To test the configuration successfully, make sure that there is at least one user you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud site with the SAML authentication type configured.

Step 5: Add users to the SAML-enabled Tableau site

The steps described in this section are performed on Tableau Cloud’s Users page.

  1. After you complete the steps above, return to your Tableau Cloud site.

  2. From the left pane, navigate to the Users page.

  3. Follow the procedure described in the Add Users to a Site topic.

(Optional) Enable iFrame embedding

When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure OneLogin to allow your OneLogin dashboard to be embedded into an inline frame (iFrame) on another site. Inline frame embedding may provide a more seamless user experience when signing on to view embedded visualizations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Cloud when browsing to pages that contain embedded visualizations.

Caution: Inline frames can be vulnerable to a clickjack attack. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Cloud, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking on the Open Web Application Security Project website.

  1. Open a new browser tab or window, and sign in to your OneLogin admin portal.

  2. On the Settings menu, click Account Settings.

  3. On the Basic page, in Framing Protection, select the Disable Framing Protection (X-Frame-Options) check box.
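After changing this setting, it is worth confirming which of your sign-in pages now carry no framing restriction at all. The following Python sketch is an added example, not part of the original steps or of OneLogin's tooling; it classifies a response's framing policy from its headers, and the header sets, URLs and function names are constructed for illustration.

```python
def framing_policy(headers):
    """Classify which origins may frame a response: 'none', 'same-origin',
    'allow-list' or 'any'. `headers` is a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers that support CSP frame-ancestors apply it instead of X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources or sources == ["'none'"]:
                return "none"
            if sources == ["'self'"]:
                return "same-origin"
            return "any" if "*" in sources else "allow-list"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "none"
    if xfo == "sameorigin":
        return "same-origin"
    return "any"  # header absent, unrecognised, or obsolete ALLOW-FROM


def frameable_by_any_origin(responses):
    """Return the URLs whose headers leave framing unrestricted."""
    return sorted(u for u, hdrs in responses.items() if framing_policy(hdrs) == "any")


# Constructed header sets (not captured from OneLogin); URLs are placeholders.
SAMPLE_RESPONSES = {
    "https://idp.example.test/login": {"Cache-Control": "no-store"},
    "https://idp.example.test/portal": {"X-Frame-Options": "SAMEORIGIN"},
    "https://idp.example.test/admin": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors https://site.example.test",
    },
}

if __name__ == "__main__":
    print(frameable_by_any_origin(SAMPLE_RESPONSES))
```

A result of `any` for a sign-in page means the clickjacking exposure described in the caution above applies to that page.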
