Automate User Provisioning and Group Synchronization through an External Identity Provider

You can automate adding or removing users from Tableau Online or adding or removing members from groups using your identity provider (IdP). Tableau Online IdP user management uses the System for Cross-domain Identity Management (SCIM) standard, which is an open standard for automating the exchange of user identity information. Currently we support SCIM with the following IdPs:

  • Okta
  • OneLogin

We intend to support additional IdPs as the functionality evolves. If you have questions about future plans, email our SCIM pre-release team.

Note: You can sign in using other IdPs such as Azure Active Directory and Ping. For more information, see Enable SAML Authentication on a Site.

SCIM is used to provision users in cloud applications such as Tableau Online. Cloud IdPs centrally manage user identities, including assigning users to applications and groups. The IdP uses the SCIM standard to ensure that “downstream” applications are kept in sync with the provisioning assignments set up with the IdP. Managing users in this way improves security, and can greatly reduce the amount of manual work that Tableau Online site administrators need to do to manage site users and group membership.

Prerequisites

To enable SCIM integration with your Tableau Online site, you’ll need the appropriate levels of access:

  • Site administrator access to the Tableau Online site.

  • Ability to modify your IdP’s configuration settings for Tableau Online.

Steps for enabling SCIM support with your IdP

The following sections provide IdP-specific steps for enabling SCIM support for your Tableau Online site.

Note: Some of these steps reflect a third-party IdP interface. These IdP settings are subject to change without our knowledge.

Enable support for SCIM with Okta

Use the following steps to enable SCIM support. See also Notes and known limitations for SCIM support with Okta.

  1. The SCIM functionality requires that you configure your site to support SAML single sign-on. If you have not done this, complete the following sections in Configure SAML with Okta:

    After you finish the steps in these two sections, remain signed in to both the Okta console and Tableau Online, with the following pages displayed:

    • In Tableau Online, the Settings > Authentication page.

    • In the Okta Developer Console, Applications > Tableau Online > Provisioning.

  2. On the Authentication page in Tableau Online, under Automatic Provisioning and Group Synchronization (SCIM), select the Enable SCIM check box.

    This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.

    Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret token is tied to the Tableau Online user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret token becomes invalid, and another site administrator must generate a new secret token and apply it to your IdP.

  3. Copy the secret token value, and then on the Provisioning page in your Okta administrator console, select API Integration in the Settings column.

  4. Select Edit, and then do the following:

    • Select the Enable API integration check box.

    • For API Token, paste the Tableau Online SCIM secret token you copied in the previous step.

    • For Base URL, copy and paste the Base URL shown in the Tableau Online SCIM settings.

Notes and known limitations for SCIM support with Okta

  • In the Okta user assignment settings, the values for User Name and Primary email must be identical.

  • You must add a separate Tableau Online Okta app for each site you want to manage using SCIM.

  • If you want to migrate a site, you will need to re-configure SCIM provisioning for the new site.

  • When provisioning new users, first name and last name attributes in Okta are not synced to Tableau Online. New users must set those fields when they sign in to Tableau Online for the first time.

  • You can set a user’s site role (such as Creator, Explorer, or Viewer) in Okta at either the user or the group level. We recommend assigning the site role at the group level. If the user is assigned a site role directly, it will override any group settings.

  • A user can be a member of many groups. Groups can have different site roles. If a user is assigned groups with different site roles, the user will receive the most permissive site role in Tableau Online. For example, if you choose Viewer and Creator, Tableau will assign the Creator site role.

    Site roles are listed below in order from most permissive to least permissive:

    • Site Administrator Creator

    • Site Administrator Explorer

    • Creator

    • Explorer (Can Publish)

    • Explorer

    • Viewer

  • You can update the site role attribute for a user in Okta and this change will propagate to Tableau Online. Other attributes, such as User Name and Primary email, cannot be updated. To change these attributes, remove the user, change the attribute, and then add the user again.
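
The precedence rules in these notes (a direct assignment overrides group settings, otherwise the most permissive group role applies, and User Name must match Primary email) can be checked before provisioning. The following is an added example, not Tableau or Okta code; the export format and its field names (user_name, primary_email, direct_role, groups) are assumptions, and the sample data is constructed.

```python
# Added example: audit of a constructed Okta assignment export before SCIM sync.
# Field names (user_name, primary_email, direct_role, groups) are assumptions.

# Site roles from the list above, most permissive first.
ROLE_ORDER = [
    "Site Administrator Creator", "Site Administrator Explorer", "Creator",
    "Explorer (Can Publish)", "Explorer", "Viewer",
]
RANK = {role: i for i, role in enumerate(ROLE_ORDER)}


def effective_role(direct_role, group_roles):
    """Direct assignment overrides groups; else the most permissive group role."""
    if direct_role is not None:
        return direct_role
    return min(group_roles, key=RANK.__getitem__) if group_roles else None


def audit(users, group_roles):
    """Return (user, finding) pairs that deserve review before provisioning."""
    findings = []
    for u in users:
        name, direct = u["user_name"], u.get("direct_role")
        if name != u["primary_email"]:
            findings.append((name, "User Name and Primary email differ"))
        roles = [group_roles[g] for g in u["groups"]]
        bad = [r for r in roles + [direct] if r is not None and r not in RANK]
        if bad:
            findings.append((name, f"unknown site role: {bad[0]}"))
            continue
        from_groups = effective_role(None, roles)
        role = effective_role(direct, roles)
        if direct is not None and direct != from_groups:
            findings.append((name, f"direct role {direct} overrides group result {from_groups}"))
        if role is not None and role.startswith("Site Administrator"):
            findings.append((name, f"effective role is {role}"))
    return findings


# Constructed sample data, not taken from a real tenant.
GROUPS = {"analysts": "Creator", "readers": "Viewer", "admins": "Site Administrator Explorer"}
USERS = [
    {"user_name": "ana@example.com", "primary_email": "ana@example.com",
     "direct_role": None, "groups": ["analysts", "readers"]},
    {"user_name": "bo@example.com", "primary_email": "bo.li@example.com",
     "direct_role": "Viewer", "groups": ["admins"]},
    {"user_name": "cy@example.com", "primary_email": "cy@example.com",
     "direct_role": None, "groups": ["readers", "admins"]},
]

if __name__ == "__main__":
    for user, finding in audit(USERS, GROUPS):
        print(f"{user}: {finding}")
```

Reviewing the administrator findings matters most, because one membership in an administrator group is enough to raise a user above every other group role they hold.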

Enable support for SCIM with OneLogin

You can configure user management through OneLogin, provision groups, and assign Tableau Online site roles. If you’re not yet familiar with Tableau site roles and the capabilities each allows, see Set Users’ Site Roles.

As you complete the following steps, it might also help to have the OneLogin documentation at hand. Start with Introduction to User Provisioning.

  1. The SCIM functionality requires that you configure your site to support SAML single sign-on. If you have not done this yet, complete the following sections in the article “Configure SAML with OneLogin”:

    After you finish the steps in these two sections, remain signed in to both the OneLogin portal and Tableau Online, with the following pages displayed:

    • In Tableau Online, the Settings > Authentication page.

    • In the OneLogin portal, the Configuration page.

  2. On the Authentication page in Tableau Online, under Automatic Provisioning and Group Synchronization (SCIM), select the Enable SCIM check box.

    This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.

    Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret token is tied to the Tableau Online user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret token becomes invalid, and another site administrator must generate a new secret token and apply it to your IdP.

  3. Copy the secret token value, and then on the Configuration page in your OneLogin portal, do the following:

    • For API Status, click Enable.

    • For SCIM Bearer Token, paste the Tableau Online SCIM secret token you copied earlier.

    • For SCIM Base URL, copy and paste the Base URL shown in the Tableau Online SCIM settings.

      Image of the OneLogin portal's Configuration page

  4. On the Provisioning page:

    • Select the Enable Provisioning for Tableau check box.

    • Select Suspend for When users are deleted in OneLogin, perform this action in Tableau.

      Image of the OneLogin portal's Provisioning page set for Tableau Online

  5. Click Save. If you want to complete the steps for provisioning groups, stay signed in to the OneLogin portal and proceed to the next section.

Enable group provisioning and assign Tableau site roles

OneLogin gives you a number of ways by which you can assign user attributes such as groups or site roles. You can apply them at the Tableau Online app level, create mapping rules, or apply them manually to individual users.

The following steps continue where you left off in the previous section, and they assume you are signed in to the OneLogin portal and Tableau Online app. These steps provide some Tableau-specific information that you can use with the OneLogin documentation for mapping group and site role attributes to users.

Provision groups

Import Tableau Online groups into OneLogin and specify the groups you want to be selected by default in the user provisioning dialog.

  1. On the Parameters page, click Groups, and select the Include in User Provisioning check box.

  2. Go to the Provisioning page, and in the Entitlements section, click Refresh.

    This imports the groups from Tableau Online.

  3. Go back to the Parameters page, and then select the groups that you want to show as selected values in the user provisioning dialog.

  4. To change group membership, go to the Users page, select a user, and in the Groups section, modify the available and selected values.

You can also create mappings that put users into groups automatically, based on conditions you define. To get started, see the OneLogin article Mappings.

Assign Tableau site roles

By default, users are assigned the Viewer site role, which occupies a Viewer license type.

Whatever method you use in OneLogin to assign site roles, at some point you need to enter the site role name into a text box. For the allowed values you can type, see Valid Tableau site role values below the steps.

Here are some of the ways you can assign site roles:

  • For individual users: On the Users tab, select the user, and then in the user settings, type the site role name in the text box.

  • For a set of users: On the Parameters page, click Site Role, and then, for Value, select one of the options for assigning the site role attribute. For example:

    • If all users have the same site role, select Macro and enter the site role name.

    • If the OneLogin user directory contains the site role, select the corresponding attribute.

When you’re done assigning the site role, click Save.

Valid Tableau site role values

On the Provisioning page in your OneLogin portal, the Site Role values you can enter are based on current or legacy license roles.

  • Current license roles include the following site role values:

    Creator, Explorer, ExplorerCanPublish, ReadOnly, ServerAdministrator, SiteAdministratorExplorer, SiteAdministratorCreator, Unlicensed, or Viewer.

  • Legacy (pre-v2018.1) license types come with the following site roles:

    Interactor, Publisher, ServerAdministrator, SiteAdministrator, Unlicensed, UnlicensedWithPublish, Viewer, or ViewerWithPublish

See also

To learn the effects of changing user attributes, or how to reset individual user attributes you changed manually, see the OneLogin article Provisioning Attributes: the Effect of Defaults, Rules, and Manual Entry.

Replace a SCIM secret token

When you need to replace your SCIM (system for cross-domain identity management) secret token, you can do one of the following:

  • In Tableau Online, on the Settings > Authorization page, under Automatic Provisioning and Group Synchronization (SCIM), click Generate New Secret to generate a new secret token to replace your old one. When you generate a new secret token, you must reconfigure SCIM to use the new secret token.
  • An administrator can revoke a secret token that belongs to another user by deleting that user from the Tableau Online site and then adding them back to the site.