Configure SCIM with Okta

You can configure user management through Okta, provision groups, and assign Tableau Cloud site roles. If you’re not yet familiar with Tableau site roles and the capabilities each allows, see Set Users’ Site Roles.

Step 1: Perform prerequisites

The SCIM functionality requires that you configure your site to support SAML single sign-on (SSO).

  1. Complete the following sections in Configure SAML with Okta:

  2. After you finish the steps in these two sections, remain signed in to both the Okta administrator console and Tableau Cloud, with the following pages displayed:

    • In Tableau Cloud, the Settings > Authentication page.

    • In the Okta administrator console, Applications > Applications > Tableau Cloud > Provisioning.

Step 2: Enable SCIM support

Use the following steps to enable SCIM support with Okta. See also Notes for SCIM support with Okta in the section below.

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.
  2. Do the following:

    1. On the Authentication page, under Automatic Provisioning and Group Synchronization (SCIM), select the Enable SCIM check box.

      This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.

      Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret token is tied to the Tableau Cloud user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret token becomes invalid, and another site administrator must generate a new secret token and apply it to your IdP.

  3. Copy the secret token value.

  4. In the Okta administrator console, do the following:

    1. From the left pane, select Application > Application, click the Tableau Cloud application, and then click the Provisioning tab.

    2. Click the Enable API Integration button.

    3. Select the Enable API integration check box and click Save.

    4. Do the following:

      1. For API Token, paste the Tableau Cloud SCIM secret token you copied in the previous step.

      2. For Base URL, copy and paste the Base URL shown in the Tableau Cloud SCIM settings.

  5. Click the Test API Credentials button to ensure the configuration was done correctly. If the configuration was done correctly, you see a "Tableau Cloud was verified successfully!" message.

  6. When finished, click Save.

Step 3: Assign users and groups to Tableau

In Okta, you need to assign users and groups to the Tableau application so that the users can be provisioned to Tableau.

Note: Okta recommends that you use separate groups for assignment and for group push. For more information, see About Group Push in the Okta documentation.

  1. From the left pane, select Application > Application, click the Tableau Cloud application, and then click the Assignments tab.

  2. Click on the Assign drop-down and select either Assign to People or Assign to Groups.

  3. Do the following:

    1. Select the relevant user or group.

    2. Select the site role you would like the users to be provisioned with to Tableau. The options are:

      • Unlicensed

      • Viewer

      • Explorer

      • Explorer (can publish)

      • Creator

      • Site Administrator Explorer

      • Site Administrator Creator

  4. When finished, click the Save and Go Back button.

  5. Repeat steps 3-4 as needed and then click the Done button.

Step 4: Enable group provisioning

Okta allows you to push existing groups and their memberships to Tableau Cloud. After a group is pushed, you can manage group membership in Okta to automatically update the corresponding group in Tableau Cloud. Before you follow these steps, we recommend that you review Group Push prerequisites and About Group Push in the Okta documentation.

Important: After enabling SCIM, users and their attributes should be managed through the IdP. Changes made within Tableau Cloud directly may result in unexpected behavior and overwritten values.

The following steps continue where you left off in the previous section, and they assume you are signed in to the Okta administrator console.

  1. From the left pane, select Application > Application, click the Tableau Cloud application, and then click the Push Groups tab.

  2. Click the Push Groups button and then select one of the following options from the drop-down menu:

    • Find groups by name: Select this option to search groups by name.

    • Find groups by rule: Select this option to create a search rule that pushes any groups that match the rule.

    You can deactivate group push, unlink pushed groups, or push group membership immediately by clicking Active or Inactive in the Push Status column. To delete, deactivate, or activate multiple groups, click Bulk Edit. For more information, see Enable Group Push in the Okta documentation.

  3. (Optional) If pushing multiple groups, click the Save & Add Another button, and repeat the previous step.

  4. When finished, click Save.

Notes for SCIM support with Okta

  • In the Okta user assignment settings, the values for User Name and Primary email must be identical.

  • You must add a separate Tableau Cloud Okta app for each site you want to manage using SCIM.

  • If you want to migrate a site, you will need to re-configure SCIM provisioning for the new site.

  • When provisioning new users, first name and last name attributes in Okta are not synced to Tableau Cloud. New users must set those fields when they sign in to Tableau Cloud for the first time.

  • When a user is unassigned from the Tableau Cloud application in Okta or the user is deactivated or deleted from Okta entirely, the user is converted to an Unlicensed site role in Tableau Cloud. If the user owns any content, you must first reassign ownership of those content assets before you can manually delete the user in Tableau Cloud.

  • You can set a user’s site role (such as Creator, Explorer, or Viewer) in Okta at either the user or the group level. We recommend assigning the site role at the group level. If the user is assigned a site role directly, it will override any group settings.

  • A user can be a member of many groups. Groups can have different site roles. If a user is assigned groups with different site roles, the user will receive the most permissive site role in Tableau Cloud. For example, if you choose Viewer and Creator, Tableau will assign the Creator site role.

    Site roles are listed below in order from most permissive to least permissive:

    • Site Administrator Creator

    • Site Administrator Explorer

    • Creator

    • Explorer (Can Publish)

    • Explorer

    • Viewer

  • You can update the site role attribute for a user in Okta and this change will propagate to Tableau Cloud. Other attributes, such as User Name and Primary email, cannot be updated. To change these attributes, remove the user, change the attribute, and then add the user again.

  • Beginning in February 2024 (Tableau 2023.3), the use of SCIM with Grant License on Sign In (GLSI) is supported. GLSI requires the following:

    1. Manually enabling the option for a group and selecting the minimum site role for the users who are members of the group directly in Tableau Cloud. It is not possible to set a group with the GLSI attribute in Okta, but you can set the attribute for the group you have provisioned from Okta in Tableau Cloud.
    2. The user must be provisioned as unlicensed from the IdP.
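
The site-role notes above (a direct assignment overrides group settings; otherwise the most permissive group role wins) can be checked offline before you assign groups. The following Python sketch is an added example, not Tableau or Okta code; the user and group names are constructed, and placing Unlicensed at the bottom of the ranking is an assumption, since the page's ranking does not list it.

```python
# Site roles from most to least permissive, in the order this page lists them.
# "Unlicensed" is absent from that ranking; putting it last is an assumption.
ROLE_ORDER = [
    "Site Administrator Creator", "Site Administrator Explorer",
    "Creator", "Explorer (Can Publish)", "Explorer", "Viewer",
    "Unlicensed",
]
RANK = {name.lower(): i for i, name in enumerate(ROLE_ORDER)}

def rank(role):
    """Lower rank means more permissive. Case-insensitive; unknown names raise."""
    key = role.strip().lower()
    if key not in RANK:
        raise ValueError(f"unknown site role: {role!r}")
    return RANK[key]

def effective_role(direct_role, group_roles):
    """Return (role, source). A direct assignment overrides every group role."""
    if direct_role is not None:
        return ROLE_ORDER[rank(direct_role)], "direct"
    if not group_roles:
        return None, "unassigned"
    # Among group roles, the most permissive one (lowest rank) wins.
    group, role = min(group_roles.items(), key=lambda kv: rank(kv[1]))
    return ROLE_ORDER[rank(role)], f"group:{group}"

def audit(assignments):
    """Flag site administrators and direct roles that mask group roles."""
    findings = []
    for user, (direct, groups) in sorted(assignments.items()):
        role, source = effective_role(direct, groups)
        if role and role.startswith("Site Administrator"):
            findings.append((user, role, source, "site administrator"))
        elif direct is not None and groups:
            findings.append((user, role, source, "direct role overrides groups"))
    return findings

# Constructed sample data: user -> (direct role or None, {group: role}).
SAMPLE = {
    "ana@example.com": (None, {"analysts": "Viewer", "authors": "Creator"}),
    "raj@example.com": ("Viewer", {"authors": "Creator"}),
    "kim@example.com": (None, {"bi-admins": "site administrator explorer",
                               "analysts": "Explorer (can publish)"}),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running `audit` over an export of your Okta assignments shows which accounts would land in a Site Administrator role through group membership and which direct assignments would mask the group-level roles this page recommends.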
