Automate User Provisioning and Group Synchronization through an External Identity Provider

You can automate adding or removing users from Tableau Cloud or adding or removing members from groups using your Identity Provider (IdP).

Tableau Cloud's user management uses the System for Cross-domain Identity Management (SCIM) standard, an open standard for automating the exchange of user identity information. SCIM allows identity providers (IdPs) to centrally manage user identities, including assigning users to applications and groups. The IdP uses SCIM to ensure that “downstream” applications like Tableau Cloud are kept in sync with the provisioning assignments set up with the IdP. Managing users in this way improves security and can significantly reduce the manual work that site administrators must do to manage site users and group membership.

A straightforward illustration of the identity provider linking to SCIM and Tableau Cloud.

In the diagram above, the IdP pushes updates to Tableau Cloud and controls how often Tableau Cloud’s SCIM endpoints are called to ensure users and groups are appropriately mirrored.

IdP-specific configuration

The steps later in this topic provide general information that you can use with your IdP’s documentation to configure SCIM for your Tableau Cloud site. You can get IdP-specific configuration steps for the following IdPs we support:

Prerequisites

To enable SCIM integration with your Tableau Cloud site, you’ll need the appropriate levels of access:

  • Site administrator access to the Tableau Cloud site

  • Ability to modify your IdP’s configuration settings for Tableau Cloud

Additionally, the SCIM functionality requires that you configure your site to support SAML single sign-on (SSO). If you haven’t done this, see Enable SAML Authentication on a Site, and then follow your IdP’s documentation to add Tableau Cloud as an application.

Enable SCIM support with your IdP

Use the following steps to enable SCIM support. To complete this process, you’ll also need the documentation your IdP provides. Look for topics that refer to configuring or enabling a service provider for SCIM provisioning.

Notes:

  • After enabling SCIM, users and their attributes should be managed through the IdP. Changes made within Tableau Cloud directly may result in unexpected behavior and overwritten values.

  • Beginning in November 2024 (Tableau 2024.3):

    • You can choose the SAML authentication configuration to associate with SCIM. However, only one SAML authentication configuration can support SCIM on a site.

    • The SCIM capability is no longer site admin-scoped. In other words, all site admins have the ability to configure and edit SCIM. However, only one SAML authentication configuration can support SCIM on a site.

To enable SCIM

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. Do the following:

    1. On the Authentication page, under Automatic Provisioning and Group Synchronization (SCIM), select the Enable SCIM check box.

      This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.

      Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret token is tied to the Tableau Cloud user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret token becomes invalid, and another site administrator must generate a new secret token and apply it to your IdP.

    2. Under Authentication for SCIM, select the SAML authentication configuration to associate with SCIM.

      Note: Only one SAML authentication configuration can support SCIM on a site.

  3. Copy the secret token value, and then navigate to your IdP settings. Paste the Tableau Cloud SCIM secret token in the appropriate field.

  4. Copy and paste the Base URL shown in the Tableau Cloud SCIM settings to the appropriate field in your IdP.

  5. Follow your IdP’s documentation to provision users and groups after enabling SCIM support.

Replace a SCIM secret token

When you need to replace your SCIM (system for cross-domain identity management) secret token, follow the steps below:

  1. In Tableau Cloud, navigate to Settings > Authorization.

  2. Under Automatic Provisioning and Group Synchronization (SCIM), click Generate New Secret.

  3. Reconfigure SCIM to use the new secret token.

A site administrator can also revoke a secret token that belongs to another user by deleting that user from Tableau Cloud and then adding them back to the site.
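The secret token's dependency on the account of the site administrator who enabled SCIM, and the delete-and-re-add revocation described above, can be checked before a batch of user changes is applied. The following Python is an added example, not Tableau code: it replays a planned batch against a constructed site roster and reports whether the batch invalidates the secret and who could generate a new one. The role labels (`site_admin`, `viewer`), the `Change` record, and the sample data are assumptions.

```python
# Added example: encodes only the token-owner rule stated on this page.
# Role labels, field names and sample data are constructed, not Tableau objects.
from dataclasses import dataclass

@dataclass(frozen=True)
class Change:
    user: str
    action: str         # "remove", "add" or "set_role"
    role: str = ""      # target role for "add" and "set_role"

def review_batch(site_users, token_owner, changes):
    """Replay planned changes; report whether they invalidate the SCIM secret.

    site_users maps username -> role; token_owner is the admin who enabled SCIM.
    """
    roles, findings, token_valid = dict(site_users), [], True
    for ch in changes:
        before = roles.get(ch.user)
        if ch.action == "add" and before is None:
            roles[ch.user] = ch.role
        elif ch.action == "remove" and before is not None:
            del roles[ch.user]
        elif ch.action == "set_role" and before is not None:
            roles[ch.user] = ch.role
        else:
            findings.append(f"SKIP {ch.action} {ch.user}: not applicable")
            continue
        # Owner removed or owner's site role changed: the secret stops working,
        # and re-adding the owner later does not bring the old secret back.
        if ch.user == token_owner and token_valid and roles.get(ch.user) != before:
            token_valid = False
            findings.append(f"BREAKS_SCIM {ch.action} {ch.user}")
    if not token_valid:
        admins = sorted(u for u, r in roles.items() if r == "site_admin")
        findings.append("REGENERATE_AS " + ",".join(admins) if admins
                        else "BLOCK no site admin left to generate a new secret")
    return findings

# Constructed sample: alice enabled SCIM; the batch demotes her and removes bob.
SITE = {"alice": "site_admin", "bob": "site_admin", "carol": "viewer"}
BATCH = [Change("alice", "set_role", "viewer"), Change("bob", "remove")]

if __name__ == "__main__":
    for line in review_batch(SITE, "alice", BATCH):
        print(line)
```

A `BREAKS_SCIM` finding means provisioning from the IdP stops until a remaining site administrator generates a new secret and applies it in the IdP.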
