Automate User Provisioning and Group Synchronization through an External Identity Provider
You can automate adding or removing users from Tableau Cloud or adding or removing members from groups using your Identity Provider (IdP).
Tableau Cloud IdP user management uses the System for Cross-domain Identity Management (SCIM) standard, an open standard for automating the exchange of user identity information. SCIM allows IdPs to centrally manage user identities, including assigning users to applications and groups. The IdP uses SCIM to ensure that “downstream” applications are kept in sync with the provisioning assignments set up with the IdP. Managing users in this way improves security and can significantly reduce the manual work that site administrators must do to manage site users and group membership.
In the diagram above, the IdP pushes updates to Tableau Cloud and controls how often Tableau Cloud’s SCIM endpoints are called to ensure users and groups are appropriately mirrored.
The steps later in this topic provide general information that you can use with your IdP’s documentation to configure SCIM for your Tableau Cloud site. You can get IdP-specific configuration steps for the following IdPs we support:
To enable SCIM integration with your Tableau Cloud site, you’ll need the appropriate levels of access:
Site administrator access to the Tableau Cloud site
Ability to modify your IdPs configuration settings for Tableau Cloud
Additionally, the SCIM functionality requires that you configure your site to support SAML single sign-on (SSO). If you haven’t done this, see Enable SAML Authentication on a Site, and then follow your IdP’s documentation to add Tableau Cloud as an application.
Enable SCIM support with your IdP
Use the following steps to enable SCIM support. To complete this process, you’ll also need the documentation your IdP provides. Look for topics that refer to configuring or enabling a service provider for SCIM provisioning.
Note: After enabling SCIM, users and their attributes should be managed through the IdP. Changes made within Tableau Cloud directly may result in unexpected behavior and overwritten values.
Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.
Do the following:
On the Authentication page, under Automatic Provisioning and Group Synchronization (SCIM), select the Enable SCIM check box.
This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.
Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret token is tied to the Tableau Cloud user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret token becomes invalid, and another site administrator must generate a new secret token and apply it to your IdP.
Copy the secret token value, and then navigate to your IdP settings. Paste the Tableau Cloud SCIM secret token in the appropriate field.
Copy and paste the Base URL shown in the Tableau Cloud SCIM settings to the appropriate field in your IdP.
Follow your IdP’s documentation to provision users and groups after enabling SCIM support.
Replace a SCIM secret token
When you need to replace your SCIM (system for cross-domain identity management) secret token, follow the steps below:
In Tableau Cloud, navigate to Settings > Authorization.
Under Automatic Provisioning and Group Synchronization (SCIM), click Generate New Secret.
Reconfigure SCIM to use the new secret token.
An administrator can also revoke a secret token that belongs to another user by deleting that user from Tableau Cloud and then adding them back to the site.