If you use OneLogin as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for your Tableau Cloud site.

These steps assume that you have permissions for modifying your organization’s OneLogin portal, and you are comfortable reading XML and pasting values into attributes.

Note: These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.

Step 1: Open the Tableau Cloud SAML Settings

  1. Sign in to your Tableau Cloud site as a site admin, and select Settings > Authentication.

  2. On the Authentication tab, select Enable an additional authentication method, select SAML, and then select Edit connection.

Step 2: Add Tableau Cloud to your OneLogin applications

  1. Open a new browser tab or window, and sign in to your OneLogin admin portal and do the following:

    1. On the Applications page, select Add Apps. Search for Tableau, and in the results, select Tableau Cloud SSO. In this area you configure the SAML connection.

      Note: The Tableau Cloud SSO option for OneLogin does not work with Tableau Server.

    2. On the Info page, set up your portal preferences. If you have more than one Tableau Cloud site, include the site name in the Display Name field to help users know which site to select.
  2. On the Configuration page in the OneLogin admin portal, you will use information from 1 Export metadata from Tableau Cloud in the Tableau Cloud Authentication.

    1. For Consumer URL, on Tableau Cloud's Authentication page, select and copy the Assertion Consumer Service URL (ACS).

      Return to OneLogin and paste the URL into the Consumer URL field.

    2. For Audience, copy and paste the Tableau Cloud Entity ID from Tableau Cloud's Authentication page.

  3. On the SSO page in the Onelogin admin portal, select SHA-256 for the SAML Signature Algorithm.

  4. On the Parameters page in the Onelogin admin portal, make sure the values appear as follows:

    Tableau Cloud field Value
    Email Email
    Email (attribute) Email
    First Name First Name
    Last Name Last Name

Step 3: Configure OneLogin metadata for Tableau Cloud

For the following steps, you'll find and configure OneLogin information for Tableau Cloud to complete the SAML configuration.

  1. While still in the OneLogin admin portal, on the SSO page, select and copy the URI shown in the SLO Endpoint (HTTP) field.

    Note: Although the label indicates HTTP, the URI provided is an https address, because the SLO (single logout) endpoint uses SSL/TLS encryption.

  2. On the same page, select More ActionsSAML Metadata, and save the file to your computer.

    You will import this file to Tableau Cloud in the next section.

Step 4: Complete the SAML configuration

  1. On Tableau Cloud's Authentication page, do the following:

    1. For 4 Import metadata file into Tableau Cloud, import the OneLogin metadata file you saved in the previous section.

      Important: If you encounter any issues with uploading the OneLogin metadata file, consider using a non-default certificate with OneLogin. To create a new certificate, from the Onelogin admin portal, select Security > Certificates. If you create a new certificate, ensure the Tableau Cloud application in OneLogin uses this new certificate.

    2. For 5 Match attributes, set the values in the IdP Assertion Name column as follows:

      • Email: Email
      • Select the First name, Last name radio button.
      • First name: FirstName
      • Last name: LastName

    3. For 6 Embedding options, select the experience you want to enable when users access embedded content. For more information, see the (Optional) Enable iFrame embedding section below

    4. Skip 7 Troubleshooting single sign-on (SSO) for now.

  2. Finally, add SAML users(Link opens in a new window) to your site and test the connection.

(Optional) Enable iFrame embedding

When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure OneLogin to allow your OneLogin dashboard to be embedded into an inline frame (iFrame) on another site. Inline frame embedding may provide a more seamless user experience when signing-on to view embedded visualizations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Cloud when browsing to pages that contain an embedded visualizations.

Caution: Inline frames can be vulnerable to a clickjack attack. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Cloud, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking(Link opens in a new window) on the Open Web Application Security Project website.

  1. Open a new browser tab or window, and sign in to your OneLogin admin portal.

  2. On the Settings menu, click Account Settings.

  3. On the Basic page, in Framing Protection, select the Disable Framing Protection (X-Frame-Options) check box.

Thanks for your feedback!