Configure SCIM with Okta
You can configure user management through Okta, provision groups, and assign Tableau Cloud site roles. If you’re not yet familiar with Tableau site roles and the capabilities each allows, see Set Users’ Site Roles.
As you complete the following steps, it might help also to have the Okta documentation at hand.
Enable SCIM support
Use the following steps to enable SCIM support with Okta. See also Notes and limitations for SCIM support with Okta.
- The SCIM functionality requires that you configure your site to support SAML single sign-on. If you have not done this, complete the following sections in Configure SAML with Okta:
  After you finish the steps in these two sections, remain signed in to both the Okta console and Tableau Cloud, with the following pages displayed:
  - In Tableau Cloud, the Settings > Authentication page.
  - In the Okta Developer Console, Applications > Tableau Cloud > Provisioning.
- On the Authentication page in Tableau Cloud, under Automatic Provisioning and Group Synchronization (SCIM), select the Enable SCIM check box.
  This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.
  Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. The secret token is also tied to the Tableau Cloud user account of the site administrator who enables SCIM support: if that user’s site role changes or the user is removed from the site, the secret token becomes invalid, and another site administrator must generate a new secret token and apply it to your IdP. Treat the secret as a privileged credential and store it only in the IdP: anyone who holds it together with the Base URL can provision, modify, and deactivate users and groups on the site.
- Copy the secret token value, and then on the Provisioning page in your Okta administrator console, select API Integration in the Settings column.
- Select Edit, and then do the following:
  - Select the Enable API integration check box.
  - For API Token, paste the Tableau Cloud SCIM secret token you copied in the previous step.
  - For Base URL, copy and paste the Base URL shown in the Tableau Cloud SCIM settings.
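Once the Base URL and secret exist, you can confirm they work against the SCIM endpoint yourself, independently of the credential test in the Okta console. The script below is an added example for this page, not Tableau or Okta code. It assumes only that the Base URL shown in Tableau Cloud behaves as a standard SCIM 2.0 service root (RFC 7644), so that GET <Base URL>/Users returns a ListResponse and honours the startIndex/count paging parameters; the environment variable names TABLEAU_SCIM_BASE_URL and TABLEAU_SCIM_SECRET are this example’s own choice.

```python
"""Smoke-test the Tableau Cloud SCIM endpoint with the Base URL and secret token
that "Enable SCIM" generated, independently of Okta.

Added example; not Tableau or Okta code. Assumes the Base URL behaves as a
standard SCIM 2.0 service root (RFC 7644), so that GET <Base URL>/Users returns
a ListResponse and honours the startIndex/count paging parameters.
"""
import json
import os
import sys
import urllib.error
import urllib.request


def build_users_request(base_url: str, token: str, count: int = 5) -> urllib.request.Request:
    """Build GET <base_url>/Users carrying the SCIM secret as a bearer token.

    The Base URL copied from Tableau Cloud may or may not end in a slash; both
    forms must yield the same URL, otherwise the server sees ".../sites/<id>//Users".
    """
    url = f"{base_url.rstrip('/')}/Users?startIndex=1&count={count}"
    return urllib.request.Request(
        url,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/scim+json",
        },
        method="GET",
    )


def summarize_listing(body: str) -> dict:
    """Reduce a SCIM ListResponse to the two things a smoke test cares about."""
    doc = json.loads(body)
    return {
        "total": doc.get("totalResults", 0),
        "users": [r.get("userName") for r in doc.get("Resources", [])],
    }


def main() -> int:
    # Environment variable names are this example's own choice. Reading the
    # secret from the environment keeps it out of the script file.
    base_url = os.environ.get("TABLEAU_SCIM_BASE_URL")
    token = os.environ.get("TABLEAU_SCIM_SECRET")
    if not base_url or not token:
        print("set TABLEAU_SCIM_BASE_URL and TABLEAU_SCIM_SECRET first", file=sys.stderr)
        return 2
    req = build_users_request(base_url, token)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            summary = summarize_listing(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # 401 here typically means the secret is stale: it was regenerated, or the
        # site administrator who generated it changed role or left the site.
        print(f"SCIM request failed: HTTP {err.code} {err.reason}", file=sys.stderr)
        return 1
    print(f"{summary['total']} user(s) provisioned; first page: {summary['users']}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A request that used to succeed and now returns HTTP 401 is the failure mode the Important note above describes: the secret was regenerated, or the site administrator who generated it changed role or left the site. Re-run the script after applying a new secret to Okta to confirm the replacement is live.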
Enable group provisioning
Okta allows you to push existing groups to Tableau Cloud and to assign user attributes, such as group membership or site role, through them. Once a group is pushed, you can manage group membership in Okta to automatically update the corresponding group in Tableau Cloud.
Note: After enabling SCIM, users and their attributes should be managed through the IdP. Changes made directly in Tableau Cloud may result in unexpected behavior and overwritten values.
The following steps continue where you left off in the previous section, and they assume you are signed in to the Okta administrator console.
- On the Applications tab, select the Tableau Cloud application.
- Select the Push Groups tab.
- Click Push Groups and select one of the options from the drop-down menu:
  - Find groups by name: Select this option to search for groups by name.
  - Find groups by rule: Select this option to create a search rule that pushes any group matching the rule.
You can deactivate group push, unlink pushed groups, or push group membership immediately by clicking Active or Inactive in the Push Status column. To delete, deactivate, or activate multiple groups, click Bulk Edit.
For more information, see Enable Group Push in the Okta documentation.
Notes and limitations for SCIM support with Okta
- In the Okta user assignment settings, the values for User Name and Primary email must be identical.
- You must add a separate Tableau Cloud Okta app for each site you want to manage using SCIM.
- If you migrate a site, you will need to re-configure SCIM provisioning for the new site.
- When provisioning new users, the first name and last name attributes in Okta are not synced to Tableau Cloud. New users must set those fields when they sign in to Tableau Cloud for the first time.
- You can set a user’s site role (such as Creator, Explorer, or Viewer) in Okta at either the user or the group level. We recommend assigning the site role at the group level. If a user is assigned a site role directly, it overrides any group settings.
- A user can be a member of many groups, and groups can have different site roles. If a user is assigned to groups with different site roles, the user receives the most permissive site role in Tableau Cloud. For example, if you choose Viewer and Creator, Tableau assigns the Creator site role. Because the most permissive role wins, membership in a single pushed group that carries a Site Administrator role is enough to grant that role, so review the site role on every group a user is pushed into.
  Site roles are listed below in order from most permissive to least permissive:
  - Site Administrator Creator
  - Site Administrator Explorer
  - Creator
  - Explorer (Can Publish)
  - Explorer
  - Viewer
- You can update the site role attribute for a user in Okta, and the change propagates to Tableau Cloud. Other attributes, such as User Name and Primary email, cannot be updated. To change these attributes, remove the user, change the attribute, and then add the user again.
- Use of SCIM with Grant License on Sign In is unsupported and may result in incorrectly provisioned site roles for users or groups.
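To see how these rules combine before Okta pushes anything, the following script is an added example for this page, not Tableau or Okta code. It applies the notes above to a constructed set of users and pushed groups: it checks that User Name and Primary email match, resolves each user’s effective site role (a direct assignment first, otherwise the most permissive group role), and flags anyone who ends up with a Site Administrator role. The input shape, field names, and group names are hypothetical; Okta exports no such file, so you would populate it from your own user and group attribute data.

```python
"""Pre-flight audit of an Okta -> Tableau Cloud SCIM mapping.

Added example; not Tableau or Okta code. It applies the rules in the notes
above (userName must equal Primary email; a direct site role overrides group
roles; otherwise the most permissive group role wins) to a constructed set of
users and pushed groups. The input shape and group names are hypothetical:
Okta exports no such file, so populate it from your own user/group attributes.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Tableau Cloud site roles, most permissive first (order as listed in the notes above).
SITE_ROLES = [
    "Site Administrator Creator",
    "Site Administrator Explorer",
    "Creator",
    "Explorer (Can Publish)",
    "Explorer",
    "Viewer",
]
RANK: Dict[str, int] = {role: i for i, role in enumerate(SITE_ROLES)}  # lower = more permissive
ADMIN_ROLES = {r for r in SITE_ROLES if r.startswith("Site Administrator")}


@dataclass
class OktaUser:
    user_name: str
    primary_email: str
    groups: List[str] = field(default_factory=list)
    direct_site_role: Optional[str] = None  # role set on the user itself, not via a group


def most_permissive(roles: Iterable[Optional[str]]) -> Optional[str]:
    """Return the most permissive of the given roles, or None if none is set."""
    known = [r for r in roles if r]
    return min(known, key=lambda r: RANK[r]) if known else None


def effective_site_role(user: OktaUser, group_roles: Dict[str, Optional[str]]) -> Optional[str]:
    """A direct assignment overrides groups; otherwise the most permissive group role wins."""
    if user.direct_site_role:
        return user.direct_site_role
    return most_permissive(group_roles.get(g) for g in user.groups)


def audit(users: List[OktaUser], group_roles: Dict[str, Optional[str]]) -> List[Tuple[str, Optional[str], List[str]]]:
    """Return (userName, effective site role, findings) for every user."""
    for role in list(group_roles.values()) + [u.direct_site_role for u in users]:
        if role is not None and role not in RANK:
            raise ValueError(f"unknown Tableau site role: {role!r}")
    report = []
    for u in users:
        findings = []
        if u.user_name != u.primary_email:
            findings.append("userName and Primary email differ; they must be identical for SCIM with Okta")
        group_role = most_permissive(group_roles.get(g) for g in u.groups)
        role = effective_site_role(u, group_roles)
        if role is None:
            findings.append("no site role mapped from Okta (neither directly nor via a pushed group)")
        elif u.direct_site_role and group_role and u.direct_site_role != group_role:
            findings.append(f"direct assignment {u.direct_site_role!r} overrides group-derived {group_role!r}")
        if role in ADMIN_ROLES:
            via = [g for g in u.groups if group_roles.get(g) == role]
            source = "assigned directly" if u.direct_site_role else f"via group(s) {via}"
            findings.append(f"site administrator role {role!r} {source}; confirm this is intended")
        report.append((u.user_name, role, findings))
    return report


# Constructed sample input, not a real Okta export.
SAMPLE_GROUP_ROLES: Dict[str, Optional[str]] = {
    "tableau-viewers": "Viewer",
    "tableau-creators": "Creator",
    "tableau-site-admins": "Site Administrator Creator",
    "finance": None,  # pushed group that carries no site role attribute
}
SAMPLE_USERS = [
    OktaUser("alice@example.com", "alice@example.com", ["tableau-viewers", "tableau-creators"]),
    OktaUser("bob@example.com", "bob@example.com", ["tableau-viewers"], direct_site_role="Explorer"),
    OktaUser("carol", "carol@example.com", ["finance", "tableau-site-admins"]),
    OktaUser("dave@example.com", "dave@example.com", ["finance"]),
]

if __name__ == "__main__":
    for name, role, findings in audit(SAMPLE_USERS, SAMPLE_GROUP_ROLES):
        print(f"{name}: {role}")
        for finding in findings:
            print(f"    - {finding}")
```

In the sample, alice resolves to Creator (the more permissive of Viewer and Creator), bob’s direct Explorer assignment overrides his group’s Viewer role, carol is flagged twice (her User Name does not match her Primary email, and a single group grants her Site Administrator Creator), and dave has no site role from Okta at all. Running this over your real group-to-role table before enabling group push is the cheapest place to catch an unintended administrator grant.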