You can automate adding or removing users from Tableau Online or adding or removing members from groups using your Identity Provider (IdP).
Tableau Online IdP user management uses the System for Cross-domain Identity Management (SCIM) standard, an open standard for automating the exchange of user identity information. SCIM allows IdPs to centrally manage user identities, including assigning users to applications and groups. The IdP uses SCIM to ensure that “downstream” applications are kept in sync with the provisioning assignments set up with the IdP. Managing users in this way improves security and can significantly reduce the manual work that site administrators must do to manage site users and group membership.
In the diagram above, the IdP pushes updates to Tableau Online and controls how often Tableau Online’s SCIM endpoints are called to ensure users and groups are appropriately mirrored.
The steps later in this topic provide general information that you can use with your IdP’s documentation to configure SCIM for your Tableau Online site. You can get IdP-specific configuration steps for the following IdPs we support:
We intend to support additional IdPs as the functionality evolves. If you have questions about future plans, email our SCIM pre-release team.
To enable SCIM integration with your Tableau Online site, you’ll need the appropriate levels of access:
Site administrator access to the Tableau Online site
Ability to modify your IdPs configuration settings for Tableau Online
Additionally, the SCIM functionality requires that you configure your site to support SAML single sign-on. If you haven’t done this, see Enable SAML Authentication on a Site, and then follow your IdP’s documentation to add Tableau Online as an application.
Enable SCIM support with your IdP
Use the following steps to enable SCIM support. To complete this process, you’ll also need the documentation your IdP provides. Look for topics that refer to configuring or enabling a service provider for SCIM provisioning.
Note: After enabling SCIM, users and their attributes should be managed through the IdP. Changes made within Tableau Online directly may result in unexpected behavior and overwritten values.
Sign in to your Tableau Online site as a site administrator, and select Settings > Authentication.
On the Authentication page in Tableau Online, under Automatic Provisioning and Group Synchronization (SCIM), select the Enable SCIM check box.
This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.
Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret token is tied to the Tableau Online user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret token becomes invalid, and another site administrator must generate a new secret token and apply it to your IdP.
Copy the secret token value, and then navigate to your IdP settings. Paste the Tableau Online SCIM secret token in the appropriate field.
Copy and paste the Base URL shown in the Tableau Online SCIM settings to the appropriate field in your IdP.
Follow your IdP’s documentation to provision users and groups after enabling SCIM support.
Replace a SCIM secret token
When you need to replace your SCIM (system for cross-domain identity management) secret token, follow the steps below:
In Tableau Online, navigate to Settings > Authorization.
Under Automatic Provisioning and Group Synchronization (SCIM), click Generate New Secret.
Reconfigure SCIM to use the new secret token.
An administrator can also revoke a secret token that belongs to another user by deleting that user from Tableau Online and then adding them back to the site.