Automate User Management through an External Identity Provider

If you use Okta or OneLogin to manage user identities in the cloud, or for single sign-on using SAML, you can configure either of these identity providers (IdPs) to automate user management for your Tableau Online site.

Pre-release access to Tableau Online automated user management

Tableau is inviting interested Tableau Online customers who have configured their Tableau Online site to support SAML, using Okta or OneLogin as their identity provider (IdP), to work with us on new functionality that enables site administrators to automate user management for their sites. You can read about this functionality in the next section, Overview of SCIM and Tableau Online supported IdPs.

We'd love to get your feedback! If you have questions, comments, or suggestions, you can email our SCIM pre-release team.

Note: This functionality is in development only for Tableau Online; it is not available for Tableau Server.

Overview of SCIM and Tableau Online supported IdPs

Tableau Online IdP user management uses the System for Cross-domain Identity Management (SCIM) standard, which is an open standard for automating the exchange of user identity information. Currently we support SCIM with the following IdPs:

  • Okta
  • OneLogin

We intend to support additional IdPs as the functionality evolves.

SCIM is used to provision users in cloud applications such as Tableau Online. Cloud IdPs centrally manage user identities, including assigning users to applications. The IdP uses the SCIM standard to ensure that “downstream” applications are kept in sync with the provisioning assignments set up with the IdP.

Managing users in this way improves security, and can greatly reduce the amount of manual work that Tableau Online site administrators need to do to manage site users.

Prerequisites for enabling Tableau Online SCIM

To enable SCIM integration with your Tableau Online site, you’ll need the appropriate levels of access:

  • Site administrator access to the Tableau Online site.

  • Ability to modify your IdP’s configuration settings for Tableau Online.

Disclaimers

  • The steps below describe limited-release functionality that is still in development. Tableau Technical Support is unable to assist with issues you have with this functionality.

    Instead, if you come across issues, contact the beta team using the email address provided in Pre-release access to Tableau Online automated user management.

  • Some of these steps reflect a third-party IdP interface. These IdP settings are subject to change without our knowledge.

Steps for enabling SCIM support with your IdP

The following sections provide IdP-specific steps for enabling SCIM support for your Tableau Online site.

Enable support for SCIM with Okta

Use the following steps to enable SCIM support. See also Notes and known limitations for SCIM support with Okta below the steps.

  1. The SCIM functionality requires that you configure your site to support SAML single sign-on. If you have not done this, complete the following sections in the article “Configure SAML with Okta”:

    After you finish the steps in these two sections, remain signed in to both the Okta console and Tableau Online, with the following pages displayed:

    • In Tableau Online, the Settings > Authentication page.

    • In the Okta Developer Console, Applications > Tableau Online > Provisioning.

  2. On the Authentication page in Tableau Online, under System for Cross-domain Identity Management (SCIM), select the Enable SCIM check box.

    This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.

    Important: The secret is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret is tied to the Tableau Online user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret becomes invalid, and another site administrator must generate a new secret and apply it to your IdP.

  3. Copy the secret value, and then on the Provisioning page in your Okta administrator console, select API Integration in the Settings column.

  4. Select Edit, and then do the following:

    • Select the Enable API integration check box.

    • For API Token, paste the Tableau Online SCIM secret you copied in the previous step.

    • For Base URL, copy and paste the Base URL shown in the Tableau Online SCIM settings.

Notes and known limitations for SCIM support with Okta

  • In the Okta user assignment settings, the values for User Name and Primary email must be identical.

  • You must add a separate Tableau Online Okta app for each site you want to manage using SCIM.

  • If you want to migrate a site, you will need to re-configure SCIM provisioning for the new site.

  • When provisioning new users, first name and last name attributes in Okta are not synced to Tableau Online. New users must set those fields when they sign in to Tableau Online for the first time.

  • You can set a user’s site role (such as Creator, Explorer, or Viewer) in Okta at either the user or the group level. We recommend assigning the site role at the group level. If the user is assigned a site role directly, it will override any group settings.

  • A user can be a member of many groups. Groups can have different site roles. If a user is assigned groups with different site roles, the user will receive the most permissive site role in Tableau Online. For example, if you choose Viewer and Creator, Tableau will assign the Creator site role.

    Site roles are listed below in order from most permissive to least permissive:

    • Site Administrator Creator

    • Site Administrator Explorer

    • Creator

    • Explorer (Can Publish)

    • Explorer

    • Viewer

  • You can update the site role attribute for a user in Okta and this change will propagate to Tableau Online. Other attributes, such as User Name and Primary email, cannot be updated. To change these attributes, remove the user, change the attribute, and then add the user again.
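The precedence rules in the notes above (a direct assignment overrides group settings; otherwise the most permissive group role applies) can be checked before you assign users. The following is an added example, not Tableau or Okta code: the role names and their order are from the list above, while the input shape, function names, and sample users are assumptions made for illustration.

```python
# Role names and ordering are from the page; the input shape is an assumption.
ROLES_MOST_TO_LEAST = [
    "Site Administrator Creator",
    "Site Administrator Explorer",
    "Creator",
    "Explorer (Can Publish)",
    "Explorer",
    "Viewer",
]
RANK = {name: i for i, name in enumerate(ROLES_MOST_TO_LEAST)}
ADMIN_ROLES = set(ROLES_MOST_TO_LEAST[:2])


def effective_role(direct_role, group_roles):
    """direct_role: role set on the user, or None; group_roles: {group: role}."""
    for role in [direct_role, *group_roles.values()]:
        if role is not None and role not in RANK:
            raise ValueError(f"unknown site role: {role!r}")
    if direct_role is not None:
        # A role assigned directly to the user overrides any group settings.
        return direct_role, "direct"
    if not group_roles:
        return None, "none"
    # Otherwise the most permissive group role wins (lowest rank index).
    group, role = min(group_roles.items(), key=lambda kv: RANK[kv[1]])
    return role, f"group:{group}"


def audit(users):
    """Flag admin outcomes and direct roles that mask a different group role."""
    findings = []
    for name, (direct, groups) in sorted(users.items()):
        role, source = effective_role(direct, groups)
        if role in ADMIN_ROLES:
            findings.append((name, "admin", role, source))
        if direct is not None and groups:
            group_role, _ = effective_role(None, groups)
            if group_role != direct:
                findings.append((name, "override", direct, group_role))
    return findings


# Constructed sample data, not taken from any real Okta org.
SAMPLE = {
    "ana@example.com": (None, {"Analysts": "Viewer", "Authors": "Creator"}),
    "bo@example.com": ("Viewer", {"Admins": "Site Administrator Explorer"}),
    "cy@example.com": (None, {"Ops": "Explorer", "Admins": "Site Administrator Explorer"}),
}
```

Running audit(SAMPLE) lists the users who would receive a site administrator role through group membership and the users whose direct role hides a different group-derived role.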

Migrate to the latest version of SCIM with Okta

Tableau Online has been updated to provide a better overall experience to Okta customers. Tableau Online now supports setting a user or group’s license role (such as Creator, Explorer, or Viewer) in Okta. To take advantage of these updates, you must add a new instance of Tableau Online in your Okta org. If you already have an existing instance of Tableau Online, follow these steps to migrate from your old instance to an updated instance of Tableau Online:

  1. Sign in to your Okta org as an administrator.

  2. In the Admin UI, click Add Applications.

  3. Add a new instance of Tableau Online.

  4. Configure the application including provisioning. For more information, see Enable support for SCIM with Okta.

  5. After SCIM Provisioning has been enabled, you can import your users. On the Import tab of your new Tableau Online app instance, click Import Now.

  6. After the users from Tableau Online are imported, select the users you want created or linked in Okta and then click Confirm Assignments.

  7. When prompted to proceed with the assignment confirmation, click Confirm.

  8. On your Admin Dashboard, open your previous Tableau Online instance.

    Note: This is the previous Tableau Online instance you used before adding a new instance in step 3.

  9. On the Provisioning tab, in the Settings section, click Configure API Integration.

  10. Click Edit, clear the Enable API Integration checkbox, and then click Save.

  11. You can now deactivate or delete your old Tableau Online instance and continue using the new Tableau Online you added.

Note: If you were using SAML as the sign-on method for your existing Tableau Online instance, you must set up SAML on your new Tableau Online instance in Okta (recommended) or maintain the old Tableau Online instance to ensure that the SAML functionality continues to work. If you were using your existing Tableau Online instance as a profile master for certain Okta attributes, you must set your new Tableau Online instance as the profile master for the same attributes.

Enable support for SCIM with OneLogin

The steps below describe how to configure user management through OneLogin, provision groups, and assign Tableau Online site roles. If you’re not yet familiar with Tableau site roles and the capabilities each allows, see Set Users’ Site Roles.

As you go through these steps, it might help also to have the OneLogin documentation at hand. Start with Introduction to User Provisioning.

  1. The SCIM functionality requires that you configure your site to support SAML single sign-on. If you have not done this yet, complete the following sections in the article “Configure SAML with OneLogin”:

    After you finish the steps in these two sections, remain signed in to both the OneLogin portal and Tableau Online, with the following pages displayed:

    • In Tableau Online, the Settings > Authentication page.

    • In the OneLogin portal, the Configuration page.

  2. On the Authentication page in Tableau Online, under System for Cross-domain Identity Management (SCIM), select the Enable SCIM check box.

    This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.

    Important: The secret is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret is tied to the Tableau Online user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret becomes invalid, and another site administrator must generate a new secret and apply it to your IdP.

  3. Copy the secret value, and then on the Configuration page in your OneLogin portal, do the following:

    • For API Status, click Enable.

    • For SCIM Bearer Token, paste the Tableau Online SCIM secret you copied earlier.

    • For SCIM Base URL, copy and paste the Base URL shown in the Tableau Online SCIM settings.

      Image of the OneLogin portal's Configuration page

  4. On the Provisioning page:

    • Select the Enable Provisioning for Tableau check box.

    • Select Suspend for When users are deleted in OneLogin, perform this action in Tableau.

      Image of the OneLogin portal's Provisioning page set for Tableau Online

  5. Click Save. If you want to complete the steps for provisioning groups, stay signed in to the OneLogin portal and proceed to the next section.

Enable group provisioning and assign Tableau site roles

OneLogin gives you a number of ways by which you can assign user attributes such as groups or site roles. You can apply them at the Tableau Online app level, create mapping rules, or apply them manually to individual users.

The steps here continue where you left the previous section, and they assume you are signed in to the OneLogin portal and Tableau Online app. These steps provide some Tableau-specific information that you can use with the OneLogin documentation for mapping group and site role attributes to users.

Provision groups

Import Tableau Online groups into OneLogin and specify the groups you want to be selected by default in the user provisioning dialog.

  1. On the Parameters page, click Groups, and select the Include in User Provisioning check box.

  2. Go to the Provisioning page, and in the Entitlements section, click Refresh.

    This imports the groups from Tableau Online.

  3. Go back to the Parameters page, and then select the groups that you want to show as selected values in the user provisioning dialog.

  4. To change group membership, go to the Users page, select a user, and in the Groups section, modify the available and selected values.

You can also create mappings that put users into groups automatically, based on conditions you define. To get started, see the OneLogin article Mappings.

Assign Tableau site roles

By default, users are assigned the Viewer site role, which occupies a Viewer license type.

Whatever method you use in OneLogin to assign site roles, at some point you need to enter the site role name into a text box. For the allowed values you can type, see Valid Tableau site role values below the steps.

Here are some of the ways you can assign site roles:

  • For individual users: On the Users tab, select the user, and then in the user settings, type the site role name in the text box.

  • For a set of users: On the Parameters page, click Site Role, and then, for Value, select one of the options for assigning the site role attribute. For example:

    • If all users have the same site role, select Macro and enter the site role name.

    • If the OneLogin user directory contains the site role, select the corresponding attribute.

When you’re done assigning the site role, click Save.

Valid Tableau site role values

On the Provisioning page in your OneLogin portal, the Site Role values you can enter are based on current or legacy license roles.

  • Current license roles include the following site role values:

    Creator, Explorer, ExplorerCanPublish, ReadOnly, ServerAdministrator, SiteAdministratorExplorer, SiteAdministratorCreator, Unlicensed, or Viewer.

  • Legacy (pre-v2018.1) license types come with the following site roles:

    Interactor, Publisher, ServerAdministrator, SiteAdministrator, Unlicensed, UnlicensedWithPublish, Viewer, or ViewerWithPublish

See also

To learn the effects of changing user attributes, or how to reset individual user attributes you changed manually, see the OneLogin article Provisioning Attributes: the Effect of Defaults, Rules, and Manual Entry.
