SAML Requirements for Tableau Cloud
Before you configure SAML for Tableau Cloud, obtain what you need to meet the requirements.
- Identity provider (IdP) requirements for Tableau configuration
- SAML compatibility notes and requirements
- Using SAML SSO in Tableau client applications
- Effects of changing authentication type on Tableau Bridge
- XML data requirements
Identity provider (IdP) requirements for Tableau configuration
To configure Tableau Cloud for SAML, you need the following:
- Administrator access to your Tableau Cloud site. You must have administrator access to the Tableau Cloud site on which you want to enable SAML.
- List of users who will use SSO to access Tableau Cloud. Gather the usernames of the users you want to allow single sign-on (SSO) access to Tableau Cloud.
- IdP account that supports SAML 2.0. You need an account with an external identity provider that supports SAML 2.0; examples are PingFederate, SiteMinder, and OpenAM. You must have administrator access to that account.
- SHA-256 as the signing algorithm. As of May 2020, Tableau Cloud blocks IdP assertions and certificates that are signed with the SHA-1 algorithm.
- IdP that supports import and export of XML metadata. Although a manually created metadata file might work, Tableau Technical Support cannot assist with generating or troubleshooting it.
- IdP that enforces a maximum token age of 24 days (2073600 seconds) or less. If the IdP issues tokens with a maximum age longer than the Tableau Cloud maximum (2073600 seconds), Tableau Cloud does not recognize the token as valid, and users see the error "The sign-in was unsuccessful. Try again." when they try to sign in.
- SSO with MFA enabled. As of February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau Cloud requirement.
Important: In addition to these requirements, we recommend that you dedicate a site administrator account that is always configured for Tableau with MFA. If SAML or the IdP has an issue, a dedicated Tableau with MFA account ensures that you always retain access to your site.
SAML compatibility notes and requirements
- SP or IdP initiated: Tableau Cloud supports SAML authentication that begins at the identity provider (IdP) or at the service provider (SP).
- Single Log Out (SLO): Tableau Cloud supports both service provider (SP)-initiated SLO and identity provider (IdP)-initiated SLO.
Note: To obtain the SLO URL for your site, download and refer to the metadata XML file your Tableau Cloud site generates. You can find this file by going to Settings > Authentication. Under the SAML authentication type, click the Configuration (required) drop-down arrow, and then click the Export Metadata button under step 1, method 1.
- tabcmd and REST API: To use tabcmd or the REST API, users must sign in to Tableau Cloud using a TableauID account.
- Encrypted assertions: Tableau Cloud supports either cleartext or encrypted assertions.
- Tableau Bridge reconfiguration required: Tableau Bridge supports SAML authentication, but an authentication change requires reconfiguring the Bridge client. For information, see Effects of changing authentication type on Tableau Bridge.
- Required signature algorithm: For all new SAML certificates, Tableau Cloud requires the SHA-256 (or stronger) signature algorithm.
- RSA key and ECDSA curve sizes: The IdP certificate must have either an RSA key size of 2048 bits or an ECDSA curve size of 256 bits.
- NameID attribute: Tableau Cloud requires the NameID attribute in the SAML response.
Using SAML SSO in Tableau client applications
Tableau Cloud users with SAML credentials can also sign in to their site from Tableau Desktop or the Tableau Mobile app. For best compatibility, we recommend that the Tableau client application version matches that of Tableau Cloud.
Connecting to Tableau Cloud from Tableau Desktop or Tableau Mobile uses a service provider initiated connection.
Redirecting authenticated users back to Tableau clients
When a user signs in to Tableau Cloud, Tableau Cloud sends a SAML request (AuthnRequest) to the IdP, which includes the Tableau application's RelayState value. If the user has signed in to Tableau Cloud from a Tableau client such as Tableau Desktop or Tableau Mobile, it is important that the RelayState value is returned within the IdP's SAML response back to Tableau.
When the RelayState value is not returned properly in this scenario, the user is taken to their Tableau Cloud home page in the web browser, rather than being redirected back to the application they signed in from.
Work with your Identity Provider and internal IT team to confirm that this value will be included as part of the IdP’s SAML response.
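The following pre-flight check is an added example, not Tableau's code, that ties together the requirements and compatibility notes above with the RelayState behaviour just described. It takes the form fields an IdP submits over the HTTP-POST binding, confirms the RelayState was echoed and the response answers our AuthnRequest, then inspects the cleartext assertion for the SHA-1 signing algorithm, the NameID, and the token lifetime. The sample responses, request ID, and RelayState value are constructed here; the lifetime is measured from the assertion's IssueInstant to Conditions/NotOnOrAfter, which is an assumption about how your IdP expresses "token age". The XML signature itself and the certificate key size are not verified, so run an XML-DSig library before trusting a response.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MAX_TOKEN_AGE_SECONDS = 2073600  # 24 days, the Tableau Cloud maximum stated above
SHA1_ALGORITHMS = {               # SHA-1 based XML-DSig algorithms, blocked since May 2020
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
}


def _parse_utc(stamp):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def check_saml_response(xml_text, max_token_age=MAX_TOKEN_AGE_SECONDS):
    """Return the requirement violations visible in a cleartext SAML Response (empty list = none)."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no cleartext saml:Assertion (decrypt an EncryptedAssertion first)"]

    # Signing algorithm: any SignatureMethod on the Response or Assertion must not be SHA-1
    for method in root.iter("{%s}SignatureMethod" % NS["ds"]):
        alg = method.get("Algorithm", "")
        if alg in SHA1_ALGORITHMS or alg.endswith("sha1"):
            problems.append("SHA-1 signature algorithm: " + alg)

    # NameID is required by Tableau Cloud
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing Subject/NameID")

    # Token age, taken here as IssueInstant -> Conditions/NotOnOrAfter (assumption)
    conditions = assertion.find("saml:Conditions", NS)
    issued = assertion.get("IssueInstant")
    expires = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not (issued and expires):
        problems.append("no IssueInstant/NotOnOrAfter pair, lifetime cannot be bounded")
    else:
        lifetime = (_parse_utc(expires) - _parse_utc(issued)).total_seconds()
        if lifetime > max_token_age:
            problems.append("assertion lifetime %d s exceeds %d s" % (lifetime, max_token_age))
    return problems


def check_post_binding(form, expected_request_id, expected_relay_state):
    """Validate the HTTP-POST binding form the IdP submits to the assertion consumer URL."""
    problems = []
    if form.get("RelayState") != expected_relay_state:
        problems.append("RelayState not echoed; a Desktop/Mobile sign-in would land on the web home page")
    xml_text = base64.b64decode(form["SAMLResponse"]).decode("utf-8")
    if ET.fromstring(xml_text).get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match our AuthnRequest ID")
    return problems + check_saml_response(xml_text)


# --- constructed sample data, not captured from a real IdP -------------------
REQUEST_ID = "_req-42"
RELAY_STATE = "tableau-desktop://return"


def make_response(alg, subject_inner, not_on_or_after):
    """Build a minimal Response skeleton carrying only the fields the checks read."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_resp-1" '
        'InResponseTo="%s" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">'
        '<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/></ds:SignedInfo>'
        '</ds:Signature>'
        '<saml:Assertion ID="_a1" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">'
        '<saml:Subject>%s</saml:Subject>'
        '<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="%s"/>'
        '</saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], NS["ds"], REQUEST_ID, alg, subject_inner, not_on_or_after)


GOOD_RESPONSE = make_response(
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "<saml:NameID>alice@example.com</saml:NameID>", "2024-05-01T12:05:00Z")
BAD_RESPONSE = make_response(  # SHA-1, no NameID, 30-day lifetime
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "", "2024-05-31T12:00:00Z")


def post_form(xml_text, relay_state):
    """Encode a Response the way the HTTP-POST binding carries it."""
    return {"SAMLResponse": base64.b64encode(xml_text.encode()).decode(), "RelayState": relay_state}


if __name__ == "__main__":
    print(check_post_binding(post_form(GOOD_RESPONSE, RELAY_STATE), REQUEST_ID, RELAY_STATE))
    print(check_post_binding(post_form(BAD_RESPONSE, None), REQUEST_ID, RELAY_STATE))
```

The good response passes every check; the bad one reports four problems (dropped RelayState, SHA-1, missing NameID, 2592000 s lifetime). A lifetime of exactly 2073600 s is accepted, one second more is not, which is the boundary you want to probe when your IdP's token lifetime setting is close to the limit.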
Effects of changing authentication type on Tableau Bridge
When you change the site’s authentication type or modify the IdP, publishers who use Tableau Bridge for scheduled extract refreshes will need to unlink and relink the client, and re-authenticate using the new method or IdP configuration.
For legacy schedules, unlinking the Bridge client removes all data sources, therefore you must set up the refresh schedules again. For online schedules, after relinking the client you must reconfigure the Bridge client pool.
The change in authentication type does not affect Bridge live queries or refreshes that run directly from the Tableau Cloud site (such as for underlying data in the cloud).
We recommend that you alert Bridge users to changes in their site authentication before making them. Otherwise, they will become aware of the change through authentication errors from the Bridge client, or when the client opens with a blank data source area.
XML data requirements
You configure SAML using XML metadata documents that are generated by Tableau Cloud and by the IdP. During the authentication process, the IdP and Tableau Cloud exchange authentication information using these XML documents. If the XML does not meet the requirements, errors can occur when you configure SAML or when users try to sign in.
HTTP POST and HTTP REDIRECT: Tableau Cloud supports HTTP POST and REDIRECT requests for SAML communications. In the SAML metadata XML document that is exported by the IdP, the Binding attribute can be set to:
- HTTP-POST
- HTTP-REDIRECT
- HTTP-POST-SimpleSign
Dynamic group membership using SAML assertions:
Beginning in
When configured, during user authentication the IdP sends a SAML assertion that contains two custom group membership claims: the group attribute (https://tableau.com/groups) and the group names (for example, "Group1" and "Group2") to assert the user into. Tableau validates the assertion and then enables access to those groups and to the content whose permissions depend on them.
Example SAML XML response
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ..... >
  .....
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ..... >
    .....
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Attribute Name="https://tableau.com/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group1</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group2</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>