This topic explains how to enable SAML on the site and select single sign-on users. It also provides steps for switching from SAML to the default TableauID authentication. Before you enable SAML, we recommend that you review the SAML Requirements for Tableau Online, including Effects of changing authentication type on Tableau Bridge.
The steps in the sections later in this topic provide basic steps that you can use with your IdP’s documentation to configure SAML for your Tableau Online site. You can get IdP-specific configuration steps for the following IdPs:
Sign in to your Tableau Online site as a site administrator, and select Settings > Authentication.
On the Authentication tab, select Enable an additional authentication method, select SAML, and then select Edit connection.
This section takes you through the configuration steps that appear on the Authentication page in the Tableau Online web UI. In a self-hosted Tableau Server installation, this page appears only when support for site-specific SAML is enabled at the server level. It is enabled by default in Tableau Online.
Note: To complete this process, you will also need the documentation your IdP provides. Look for topics that refer to configuring or defining a service provider for a SAML connection, or adding an application.
To create the SAML connection between Tableau Online and your IdP, you need to exchange required metadata between the two services. To get metadata from Tableau Online, do either of the following steps. See the IdP’s SAML configuration documentation to confirm the correct option.
Select Export metadata to download an XML file that contains the Tableau Online SAML entity ID, Assertion Consumer Service (ACS) URL, and X.509 certificate.
Select Download signing and encryption certificate if your IdP expects the required information in a different way. For example, if it wants you to enter the Tableau Online entity ID, ACS URL, and X.509 certificate in separate locations.
The following image has been edited to show that these settings are the same in Tableau Online and Tableau Server.
For Step 2, to import the metadata you exported in step 1, sign in to your IdP account, and use the instructions provided by the IdP’s documentation to submit the Tableau Online metadata.
For Step 3, the IdP’s documentation will guide you also in how to provide metadata to a service provider. It will instruct you to download a metadata file, or it will display XML code. If it displays XML code, copy and paste the code into a new text file, and save the file with a .xml extension.
On the Authentication page in Tableau Online, import the metadata file that you downloaded from the IdP or configured manually from XML it provided.
Attributes contain authentication, authorization, and other information about a user. In the Identity Provider (IdP) Assertion Name column, provide the attributes that contain the information Tableau Online requires.
Note: Tableau Online requires the NameID attribute in the SAML response. You can provide other attributes to map user names in Tableau Online, but the response message must include the NameID attribute.
Email: (Required) Enter the name of the attribute that stores users’ email addresses.
Display name: (Optional but recommended) Some IdPs use separate attributes for first and last names, and others store the full name in one attribute.
Select the button that corresponds to the way your IdP stores the names. For example, if the IdP combines first and last name in one attribute, select Display name, and then enter the attribute name.
Select the method by which users sign in to embedded views. The options are to open a separate pop-up window that displays the IdP’s sign-in form, or to use an inline frame (iframe).
Caution: Because iframes can be vulnerable to clickjacking attacks, not all IdPs support signing in through an iframe. With clickjacking, the attacker tries to lure users into clicking or entering content. They do this by displaying the page to attack in a transparent layer over an unrelated page. For Tableau Online, an attacker might try to capture user credentials or to get an authenticated user to change settings. For more information, see Clickjacking(Link opens in a new window) on the Open Web Application Security Project website.
If your IdP doesn’t support signing in through an iframe, select Authenticate in a separate pop-up window.
Start with the troubleshooting steps suggested on the Authentication page. If those steps do not resolve the issues, see Troubleshoot SAML.
Select existing Tableau Online users, or add new users you want to approve for single sign-on.
When you add or import users, you also specify their authentication type. On the Users page, you can change users’ authentication type any time after adding them.
Part of enabling SAML on your site is to specify how users access views embedded in web pages.
Allow users to choose their authentication type
When you select this, two sign-in options appear where a view is embedded: a sign-in button that uses single sign-on authentication and a link to use TableauID as an alternative.
Tip: With this option, users need to know which alternative to choose. As part of notification you send your users after you add them to the single sign-on site, let them know which type of authentication to use for a variety of sign-in scenarios. For example, embedded views, Tableau Desktop, Tableau Bridge, Tableau Mobile, and so on.
This option requires users to sign in using a TableauID even if SAML is enabled on the site. Generally it’s reserved for administrators for troubleshooting issues with embedded views and SAML.
With this option, the way SAML users can sign in to embedded views is determined by the setting you select in step 6 above.
If a site is configured for SAML, you can change the site settings to require some or all users to sign in using TableauID credentials.
If you no longer want an identity provider to handle authentication for a site, or require all users to sign in with their TableauID credentials, you can change authentication type at the site level.
If you want to keep SAML enabled for some users, but require others to use TableauID, you can change authentication type at the user level.
For more information, see Set the User Authentication Type.
Change the site’s authentication type
Sign in to Tableau Online as a site administrator and select the site.
Select Settings > Authentication.
For Authentication Type, select TableauID.
After you make the SAML configuration inactive, the metadata and IdP information are preserved, so that if you want to enable it again, you do not need to set up the SAML connection with the IdP again.