SAML Requirements for Tableau Online

Before you configure SAML for Tableau Online, obtain what you need to meet the requirements.

Identity provider (IdP) requirements for Tableau configuration

SAML compatibility notes and requirements

Using SAML SSO in Tableau client applications

Effects on Tableau Bridge of changing authentication type

XML data requirements

Identity provider (IdP) requirements for Tableau configuration

To configure Tableau Online for SAML, you need the following:

  • Administrator access to your Tableau Online site. You must have administrator access to the Tableau Online site on which you want to enable SAML.

  • List of users who will use SSO to access Tableau Online. You should gather the email addresses for the users you want to allow single-sign-on access to Tableau Online.

  • IdP account that supports SAML 2.0. You need an account with an external identity provider. Some examples are PingFederate, SiteMinder, and Open AM. The IdP must support SAML 2.0. You must have administrator access to that account.

  • SHA256 is used as signing algorithm. As of May 2020, Tableau Online blocks IdP assertions and certificates that are signed with the SHA-1 algorithm.

  • IdP provider that supports import and export of XML metadata. Although a manually created metadata file might work, Tableau Technical Support cannot assist with generating the file or troubleshooting it.

  • IdP provider that enforces a maximum token age of 24 days or less (2073600 seconds). If the IdP allows a maximum age of tokens that is a greater length of time than the maximum age setting on Tableau Online (2073600 seconds), then Tableau Online will not recognize the token as valid. In this scenario, users will receive error messages (The sign-in was unsuccessful. Try again.) when attempting to log in to Tableau Online.

Important: In addition to these requirements, we recommend that you dedicate a site administrator account that is always configured for TableauID authentication. In the event of an issue with SAML or the IdP, a dedicated TableauID account ensures that you always have access to your site.

SAML compatibility notes and requirements

  • SP or IdP initiated: Tableau Online supports SAML authentication that begins at the identity provider (IdP) or service provider (SP).

  • Single Log Out (SLO): Tableau Online only supports SP-initiated SLO. IdP-initiated SLO is not supported.

  • tabcmd and REST API: To use tabcmd or the REST API(Link opens in a new window), users must sign in to Tableau Online using a TableauID account.

  • Cleartext assertions: Tableau Online does not support encrypted assertions.

  • Tableau Bridge reconfiguration required: Tableau Bridge supports SAML authentication, but an authentication change requires reconfiguring the Bridge client. For information, see Effects on Tableau Bridge of changing authentication type.

  • Required signature algorithm: For all new SAML certificates, Tableau Online requires the SHA256 (or greater) signature algorithm.

Using SAML SSO in Tableau client applications

Tableau Online users with SAML credentials can also sign in to their site from Tableau Desktop or the Tableau Mobile app. For best compatibility, we recommend that the Tableau client application version matches that of Tableau Online.

Connecting to Tableau Online from Tableau Desktop or Tableau Mobile uses a service provider initiated connection.

Redirecting authenticated users back to Tableau clients

When a user signs in to Tableau Online, Tableau Online sends a SAML request (AuthnRequest) to the IdP, which includes the Tableau application’s RelayState value. If the user has signed in to Tableau Online from a Tableau client such as Tableau Desktop or Tableau Mobile, it’s important that the RelayState value is returned within the IdP’s SAML response back to Tableau.

When the RelayState value is not returned properly in this scenario, the user is taken to their Tableau Online home page in the web browser, rather than being redirected back to the application they signed in from.

Work with your Identity Provider and internal IT team to confirm that this value will be included as part of the IdP’s SAML response.

Effects on Tableau Bridge of changing authentication type

When you change the site’s authentication type, publishers who use Tableau Bridge for scheduled extract refreshes will need to unlink their Bridge client and re-authenticate using the new method. 

Unlinking the Bridge client removes all data sources, so users will also need to set up all of their refresh schedules again. The change in authentication type does not affect Bridge live queries or refreshes that run directly from the Tableau Online site (such as for underlying data in the cloud).

We recommend that you alert Bridge users to changes in their site authentication before you make it. Otherwise, they will become aware through authentication errors they get from the Bridge client, or when the client opens with a blank data source area.

XML data requirements

You configure SAML using XML metadata documents that are generated by Tableau Online and by the IdP. During the authentication process, the IdP and Tableau Online exchange authentication information using these XML documents. If the XML does not meet the requirements, errors can occur when you configure SAML or when users try to sign in.

Tableau Online only supports HTTP POST requests for SAML communications. HTTP Redirect is not supported. In the SAML metadata XML document that is exported by the IdP, the Binding attribute must be set to HTTP-POST.

Thanks for your feedback!