SAML Requirements for Tableau Cloud

Before you configure SAML for Tableau Cloud, obtain what you need to meet the requirements.

Identity provider (IdP) requirements for Tableau configuration

To configure Tableau Cloud for SAML, you need the following:

  • Administrator access to your Tableau Cloud site. You must have administrator access to the Tableau Cloud site on which you want to enable SAML.

  • List of users who will use SSO to access Tableau Cloud. You should gather the usernames for the users you want to allow single sign-on (SSO) access to Tableau Cloud.

  • IdP account that supports SAML 2.0. You need an account with an external identity provider. Some examples are PingFederate, SiteMinder, and Open AM. The IdP must support SAML 2.0. You must have administrator access to that account.

  • SHA256 is used as signing algorithm. As of May 2020, Tableau Cloud blocks IdP assertions and certificates that are signed with the SHA-1 algorithm.

  • IdP provider that supports import and export of XML metadata. Although a manually created metadata file might work, Tableau Technical Support cannot assist with generating the file or troubleshooting it.

  • IdP provider that enforces a maximum token age of 24 days or less (2073600 seconds). If the IdP allows a maximum age of tokens that is a greater length of time than the maximum age setting on Tableau Cloud (2073600 seconds), then Tableau Cloud will not recognize the token as valid. In this scenario, users will receive error messages (The sign-in was unsuccessful. Try again.) when attempting to log in to Tableau Cloud.

  • SSO with MFA is enabled. As of February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau Cloud requirement.

    Important: In addition to these requirements, we recommend that you dedicate a site administrator account that is always configured for TableauID with MFA(Link opens in a new window). In the event of an issue with SAML or the IdP, a dedicated Tableau with MFA account ensures that you always have access to your site.

     

SAML compatibility notes and requirements

  • SP or IdP initiated: Tableau Cloud supports SAML authentication that begins at the identity provider (IdP) or service provider (SP).

  • Single Log Out (SLO): Tableau Cloud supports both service provider (SP)-initiated SLO and identity provider (IdP)-initiated SLO.

    Note: To obtain the SLO URL for your site, download and refer to the metadata XML file your Tableau Cloud site generates. You can find this file by going to Settings > Authentication. Under the SAML authentication type, click the Configuration (required) drop-down arrow, and then click the Export Metadata button under step 1, method 1.

  • tabcmd and REST API: To use tabcmd or the REST API(Link opens in a new window), users must sign in to Tableau Cloud using a TableauID account.

  • Encrypted assertions: Tableau Cloud supports either cleartext or encrypted assertions.

  • Tableau Bridge reconfiguration required: Tableau Bridge supports SAML authentication, but an authentication change requires reconfiguring the Bridge client. For information, see Effects of changing authentication type on Tableau Bridge.

  • Required signature algorithm: For all new SAML certificates, Tableau Cloud requires the SHA256 (or greater) signature algorithm.

  • RSA key and ECDSA curve sizes: The IdP certificate must have either an RSA key strength of 2048 or ECDSA curve size of 256.
  • NameID attribute: Tableau Cloud requires the NameID attribute in the SAML response.

Using SAML SSO in Tableau client applications

Tableau Cloud users with SAML credentials can also sign in to their site from Tableau Desktop or the Tableau Mobile app. For best compatibility, we recommend that the Tableau client application version matches that of Tableau Cloud.

Connecting to Tableau Cloud from Tableau Desktop or Tableau Mobile uses a service provider initiated connection.

Redirecting authenticated users back to Tableau clients

When a user signs in to Tableau Cloud, Tableau Cloud sends a SAML request (AuthnRequest) to the IdP, which includes the Tableau application’s RelayState value. If the user has signed in to Tableau Cloud from a Tableau client such as Tableau Desktop or Tableau Mobile, it’s important that the RelayState value is returned within the IdP’s SAML response back to Tableau.

When the RelayState value is not returned properly in this scenario, the user is taken to their Tableau Cloud home page in the web browser, rather than being redirected back to the application they signed in from.

Work with your Identity Provider and internal IT team to confirm that this value will be included as part of the IdP’s SAML response.

Effects of changing authentication type on Tableau Bridge

When you change the site’s authentication type or modify the IdP, publishers who use Tableau Bridge for scheduled extract refreshes will need to unlink and relink the client, and re-authenticate using the new method or IdP configuration.

For legacy schedules, unlinking the Bridge client removes all data sources, therefore you must set up the refresh schedules again. For online schedules, after relinking the client you must reconfigure the Bridge client pool.

The change in authentication type does not affect Bridge live queries or refreshes that run directly from the Tableau Cloud site (such as for underlying data in the cloud).

We recommend that you alert Bridge users to changes in their site authentication before you make it. Otherwise, they will become aware through authentication errors they get from the Bridge client, or when the client opens with a blank data source area.

XML data requirements

You configure SAML using XML metadata documents that are generated by Tableau Cloud and by the IdP. During the authentication process, the IdP and Tableau Cloud exchange authentication information using these XML documents. If the XML does not meet the requirements, errors can occur when you configure SAML or when users try to sign in.

HTTP POST and HTTP REDIRECT: Tableau Cloud supports HTTP POST and REDIRECT requests for SAML communications. In the SAML metadata XML document that is exported by the IdP, the Binding attribute can be set to:

  • HTTP-POST

  • HTTP-REDIRECT

  • HTTP-POST-SimpleSign

Dynamic group membership using SAML assertions:

Beginning in June 2024 (Tableau 2024.2), if SAML is configured and the capability’s setting enabled, you can dynamically control group membership through custom claims included in the SAML XML response sent by the identity provider (IdP).

When configured, during user authentication, the IdP sends the SAML assertion that contains two custom group membership claims: group (https://tableau.com/groups) and group names (for example, "Group1" and "Group2") to assert the user into. Tableau validates the assertion and then enables access to the groups and the content whose permissions are dependent on those groups.

For more information, see Dynamic group membership using assertions.

Example SAML XML response

<saml2p:Response
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    .....
    .....
  <saml2:Assertion
    .....
    .....
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    <saml2:AttributeStatement
  		xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  		<saml2:Attribute
    		Name="https://tableau.com/groups"
			NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  			<saml2:AttributeValue
				xmlns:xs="http://www.w3.org/2001/XMLSchema"
				xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
				xsi:type="xs:string">Group1
			</saml2:AttributeValue>
			<saml2:AttributeValue
				xmlns:xs="http://www.w3.org/2001/XMLSchema"
				xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
				xsi:type="xs:string">Group2
			</saml2:AttributeValue>
    	<saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!