Configure SCIM with PingFederate

You can configure user management, provision groups, and assign Tableau Cloud site roles through PingFederate.

While you complete the steps described below, we recommend you have the PingFederate documentation available to accompany the procedures.

Important:

  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SCIM topic along with the IdP’s documentation.

  • The configuration steps in the IdP may be in a different order than what you see in Tableau.

Step 1: Perform prerequisites

To perform the procedures described in this document, you must have the following prerequisites met:

Step 2: Start configuring SAML in Tableau Cloud

The SCIM functionality in Tableau Cloud requires that you configure your site to support SAML single sign-on (SSO). You will return to and update this SAML configuration later on in this topic.

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, click the New Configuration button, select SAML from the Authentication drop-down, and then enter a name for the configuration.

    Screen shot of Tableau Cloud site authentication settings -- new configuration page

    Note: Configurations created before January 2025 (Tableau 2024.3) can't be renamed.

  3. Skip 1. Export metadata from IdP. You will revisit this step later on in this topic.

  4. Under 2. Upload metadata to Tableau, upload a placeholder .xml metadata file. You will replace this file with a valid .xml metadata file from PingFederate later on in this topic.

  5. Click Save.

Step 3: Enable SCIM support in Tableau Cloud

Use the following steps to enable SCIM support in Tableau Cloud. You will use the information in this section to enable SCIM in PingFederate.

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication page, under System for Cross-domain Identity Management (SCIM), click the New Configuration button.

  3. In the New SCIM Configuration dialog box, do the following:

    1. Enter a name for the SCIM configuration.

    2. Copy the Base URL to use in your IdP's SCIM settings.

    3. From the Authentication drop-down, select the SAML authentication configuration to associate with SCIM.

    4. Click Save.

      Note: This populates the SCIM token section.

  4. Under SCIM token, do the following:

    1. Click the New Secret button.

    2. In the New Secret dialog box, click the New Secret button again. A newly generated secret will display.

    3. Copy the secret and store it in a safe location. We'll use the secret in step 4.2.1.

      Important:

      • If you close the SCIM configuration before you can add the secret to your IdP's SCIM settings, you can edit SCIM configuration but will be required to click New Secret again to generate a new secret.

      • The secret is tied to the Tableau site administrator user who created the SCIM configuration. If that user’s site role changes or the user is no longer a member of the site, the secret becomes invalid. In this case, another site administrator can generate a new secret for the existing SCIM configuration and add it to the IdP's SCIM settings, or create a new SCIM configuration and make sure that its base URL and secret are added to the IdP's SCIM settings.

    4. Click Close.

Step 4: Enable single sign-on (SSO) in PingFederate

To enable SAML SSO in your PingFederate environment, you must do the following:

  1. Create an IdP adapter instance
  2. Configure an SP connection
  3. Map attributes in your Ping data store
  4. Configure SAML SSO

Important: As a reminder, the steps and examples described here are for demonstration purposes only.

Step 4.1: Create an IdP adapter instance

Follow each of the sections below to create the HTML Form Adapter. PingFederate uses IdP adapters, such as the HTML Form Adapter, to authenticate users. An IdP adapter looks up session information and provides user identification to PingFederate.

  1. Sign in to the PingFederate administrative console.

  2. Select Authentication > IdP Adapters.

  3. On the IdP Adapters page, click the Create New Instance button to start the Create Adapter Instance configuration.

Step 4.1.1: Create Adapter Instance (part 1)

  1. On the Create Adapter Instance page, on the Type tab, do the following:

    1. For INSTANCE NAME, enter a name. For example, "credentialsValidatorInstance".

    2. For INSTANCE ID, enter a value. For example, "3".

    3. In the TYPE drop-down list, select HTML Form IdP Adapter.

    4. Keep PARENT INSTANCE as-is (None).

    5. Click the Next button.

Step 4.1.2: Create Credentials Validator

  1. On the IdP Adapter tab, do the following:

    1. Scroll to the bottom of the page and click the Manage Password Credential Validators button.

    2. On the Manage Password Credential Validators page, click the Create New Instance button.

  2. On the Create Credentials Validator Instance page, on the Type tab, do the following:

    1. For INSTANCE NAME, enter a name. For example, "credentialsValidatorInstance".

    2. For INSTANCE ID, enter a value. For example, "3".

    3. From the TYPE drop-down list, select LDAP Username Password Credential Validator.

    4. Keep PARENT INSTANCE as-is (None).

    5. Click the Next button.

  3. On the Instance Configuration tab, do the following:

    1. From the LDAP DATASTORE drop-down, select the Ping Directory data store that was previously configured.

    2. In the SEARCH BASE field, enter the following: dc=example,dc=com.

    3. In the SEARCH FILTER field, enter the following: mail=${username}

    4. Keep the other settings as-is.

    5. Click the Next button.

  4. On the Summary tab, review the details and click the Save button.

  5. Back on the Manage Password Credential Validators page, click the Done button.

  6. Back on the Create Adapter Instance page, under the Password Credential Validator Instance section, do the following:

    1. Click the Add a new row to `Credential Validators` link.

    2. From the drop-down menu that displays, select the newly created validator instance you created. For example, "credentialsValidatorInstance".

    3. Click the Update link.

    4. Click the Next button.

Step 4.1.3: Create Adapter Instance (part 2)

  1. On the Extended Contract tab, do the following:

    1. Under the Extend the Contract section, do the following:

      1. In the text box, enter "sn" and click the Add button.

    2. Click the Next button.

  2. On the Adapter Attributes tab, do the following:

    1. From the UNIQUE USER KEY ATTRIBUTE drop-down, select username.

    2. For username, select the Pseudonym check box.

    3. Click the Next button.

  3. On the Adapter Contract Mapping tab, click the Configure Adapter Contract button.

Step 4.1.4: Configure adapter contract mapping (part 1)

  1. On the Attribute Sources & User Lookup tab, click the Add Attribute Source button.

Step 4.1.5: Configure attribute sources & user lookup

  1. On the Data Store tab, do the following:

    1. For ATTRIBUTE SOURCE ID, enter a name. For example, "attributeSourceUserLookup".

    2. For ATTRIBUTE SOURCE DESCRIPTION, enter a description. For example, "attributeSourceId".

    3. From ACTIVE DATA STORE, select the Ping Directory data store that was previously configured.

    4. Click the Next button.

  2. On the LDAP Directory Search tab, do the following:

    1. For BASE DN, enter the following: dc=example,dc=com

    2. Under the Attributes to return from search section, do the following:

      1. In the ROOT OBJECT CLASS column, select Show All Attributes.

      2. Under the Option column, in the text box, select givenName and then click the Add Attribute button.

      3. In the text box, select sn and then click the Add Attribute button.

    3. Click the Next button.

  3. In the LDAP Filter tab, do the following:

    1. In the FILTER text box, enter the following: mail=${username}

    2. Click the Next button.

  4. On the Summary tab, click the Save button.
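The following Python script is an added example and is not part of this topic or of PingFederate. It shows how the SEARCH FILTER mail=${username} from Step 4.1.2 and the FILTER from Step 4.1.5 resolve a user, using a constructed in-memory directory in place of the Ping Directory data store, and it shows the RFC 4515 escaping a username must receive before it is placed in the filter so that a value such as "*" is matched literally instead of acting as a wildcard. PingFederate performs this substitution itself; the script only illustrates the expected behavior. The entries, DNs and e-mail addresses are made up.

```python
import re

# Constructed sample directory standing in for the entries under
# dc=example,dc=com in the Ping Directory data store (not real data).
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "mail": "alice@example.com", "givenName": "Alice", "sn": "Liddell"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "mail": "bob@example.com", "givenName": "Bob", "sn": "Builder"},
]

# Characters that RFC 4515 requires to be hex-escaped inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the filter matches it literally."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, template: str = "mail=${username}") -> str:
    """Substitute the entered username into the SEARCH FILTER template."""
    return "(" + template.replace("${username}", escape_filter_value(username)) + ")"


_EQUALITY = re.compile(r"^\((\w+)=(.*)\)$")


def _value_to_regex(value: str) -> "re.Pattern[str]":
    """Translate a filter value to a regex: an unescaped '*' is a substring
    wildcard, a '\\xx' hex escape is the literal character it encodes."""
    parts = []
    for piece in re.split(r"(\\[0-9a-fA-F]{2}|\*)", value):
        if piece == "*":
            parts.append(".*")
        elif re.fullmatch(r"\\[0-9a-fA-F]{2}", piece):
            parts.append(re.escape(chr(int(piece[1:], 16))))
        else:
            parts.append(re.escape(piece))
    return re.compile("".join(parts), re.IGNORECASE)


def lookup(filter_str: str, directory=DIRECTORY) -> list:
    """Evaluate a single (attr=value) filter the way an LDAP server would for a
    case-insensitive attribute such as mail; returns the matching DNs."""
    m = _EQUALITY.match(filter_str)
    if not m:
        raise ValueError("only simple (attr=value) filters are handled here")
    attr, pattern = m.group(1), _value_to_regex(m.group(2))
    return [e["dn"] for e in directory if pattern.fullmatch(e.get(attr, ""))]


if __name__ == "__main__":
    f = build_user_filter("alice@example.com")
    print(f, lookup(f))                                    # exactly one entry
    print(build_user_filter("*"), lookup(build_user_filter("*")))   # escaped: no match
    print("(mail=*)", lookup("(mail=*)"))                  # unescaped: every entry
```

A username of "*" that reaches the filter unescaped turns the lookup into a search for every entry; with the escape applied it matches nothing, which is the behavior you want before a credential validator goes on to bind as the single entry found.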

Step 4.1.6: Configure adapter contract mapping (part 2)

  1. On the Attribute Sources & User Lookup tab, select the attribute source you created. For example, "attributeSourceId".

  2. On the Adapter Contract Fulfillment tab, do the following:

    1. For givenName, from the Source drop-down list, select LDAP (attributeSourceId); from the Value drop-down list, select givenName.

    2. For policy.action, from the Source drop-down list, leave as-is (Adapter).

    3. For sn, from the Source drop-down, select LDAP (attributeSourceId); from the Value drop-down list, select sn.

    4. For username, keep the value as-is (Adapter).

    5. Click the Next button.

  3. On the Issuance Criteria tab, click the Next button.

  4. On the Summary tab, review the details and click the Save button.

Step 4.2: Create an SP connection

Follow each of the sections below to create an SP connection. PingFederate uses SP connections for IdP-initiated single sign-on (SSO).

  1. From the PingFederate administrative console, navigate to Applications > SP Connections.

  2. On the SP Connections page, click the Create Connection button.

  3. On the Connection Template tab, keep the setting as-is (DO NOT USE A TEMPLATE FOR THIS CONNECTION) and click the Next button.

  4. On the Connection Type tab, do the following:

    1. Select the BROWSER SSO Profiles check box.

      1. Under PROTOCOL drop-down list, keep the value as-is (SAML 2.0).

    2. Select the OUTBOUND PROVISIONING check box.

    3. Click the Next button.

  5. On the Connection Options tab, click the Next button.

  6. On the Import Metadata tab, keep the value as-is (NONE), and click the Next button.

  7. On the General Info tab, do the following:

    1. For PARTNERS ENTITY ID, enter the Tableau Cloud entity ID from the SAML configuration in Tableau Cloud that you started in Step 2. For example, "https://sso.online.tableau.com/public/sp/metadata/25db875a-cace-4769-8429-d7b210879ef2/36673dc4-e2c1-4970-976f-255bda6036cb".

    2. For CONNECTION NAME, enter a name. For example, "SCIM Connector".

    3. Click the Next button.

  8. On the Outbound Provisioning tab, click the Configure Provisioning button.

Step 4.2.1: Create and configure a channel

  1. On the Target tab, do the following:

    1. For SCIM URL, enter the Base URL from the SCIM configuration in Tableau Cloud that you created in Step 3. For example, "https://scim.online.tableau.com/pods/cd-main/sites/25db875a-cace-4769-8429-d7b210879ef2/scim/v2".

    2. For SCIM VERSION, keep the value as-is (2.0).

    3. From the AUTHENTICATION METHOD drop-down list, select OAUTH 2 BEARER TOKEN.

    4. For ACCESS TOKEN, enter the SCIM token secret from the SCIM configuration in Tableau Cloud that you created in Step 3.

    5. For UNIQUE USER IDENTIFIER, keep the value as-is (userName).

    6. For RESULTS PER PAGE, enter the following value: 25. We recommend changing this value for better performance.

    7. For PROVISIONING OPTIONS, ensure the following check boxes are selected:

      1. USER CREATE

      2. USER UPDATE

      3. USER DISABLE/DELETE

      4. PROVISION DISABLED USERS

    8. For REMOVE USER ACTION, keep the value as-is (Disable). We recommend this option, which changes the user's site role to Unlicensed in Tableau Cloud when the user is removed from the PingFederate IdP.

    9. For GROUP NAME SOURCE, do the following:

      1. In the drop-down list, keep the value as-is (Common Name).

      2. Select the USE PATCH FOR GROUP UPDATES check box.

    10. For CUSTOM ATTRIBUTE SCHEMA URNS, enter the following value:

      urn:ietf:params:scim:schemas:extension:tableau:3.0:User,urn:ietf:params:scim:schemas:extension:tableau:3.0

    11. Click the Next button.

  2. In the Configure Channels page, on the Target tab, click the Create button.

  3. In the Channel Info tab, for CHANNEL NAME, enter a name and click the Next button.

  4. In the Source tab, do the following:

    1. From the ACTIVE DATA STORE drop-down list, select the Ping data store.

    2. From the TYPE drop-down list, select LDAP.

    3. Click the Next button.

  5. In the Source Settings tab, validate the following values:

    1. For ENTRY GUID ATTRIBUTE, the value is entryUUID.

    2. For GROUP MEMBER ATTRIBUTE, the value is uniqueMember.

    3. For USER OBJECTCLASS, the value is inetOrgPerson.

    4. For GROUP OBJECTCLASS, the value is groupOfUniqueNames.

    5. Click the Next button.


  6. In the Source Location tab, do the following:

    1. For BASE DN, enter the following: dc=example,dc=com

    2. Under the Users section, for FILTER, enter the following: objectClass=inetOrgPerson

    3. Under the Groups section, for FILTER, enter the following: objectClass=groupOfUniqueNames

    4. Click the Next button.

  7. In the Attribute Mapping tab, do the following:

    1. Edit the userName attribute to "mail" by doing the following:

      1. In the userName row, click Edit.

      2. Under the Root Object class, select <Show All Attributes>.

      3. From the Attributes drop-down list, select mail.

      4. Click the Add Attribute button.

      5. Next to the uuid attribute, click the Remove link.

    2. Keep the remaining attributes as-is.

    3. Click the Next button.

  8. In the Activation & Summary tab, do the following:

    1. For Channel Status, select Active.

    2. Click the Save Draft button.


Step 4.3: Map SCIM attributes to your Ping data store

Follow the steps below to map the SCIM attributes in the Ping data store through the PingData administrative console.

  1. Sign in to the PingData administrative console.

  2. From the left navigation pane, navigate to LDAP Schema and click the Attribute Types tab.

Step 4.3.1: Create new attribute types

  1. Click the Actions button and select New Attribute Type.

  2. In the New Attribute Type dialog box, do the following:

    1. For Name, enter the following: siteRoles

    2. For Description, enter a description. For example, "Custom attribute for site roles on Tableau Cloud."

    3. Click Save.

  3. Repeat the above step and do the following in the New Attribute Type dialog box:

    1. For Name, enter the following: entitlements

    2. For Description, enter a description. For example, "Custom attribute for entitlements on Tableau Cloud."

    3. Click Save.

Step 4.3.2: Create new object class

  1. From the top of the page, click the Object Class tab, click the Actions button, and then select New Object Class.

  2. In the New Object Class dialog box, do the following:

    1. For Name, enter the following: Tableau.

    2. For Description, enter a description. For example, "Add siteRoles attribute as entitlements".

    3. From the Parent drop-down list, select inetOrgPerson.

    4. From the Type drop-down list, select Structural.

    5. Under the Attributes section, do the following:

      1. For Required Attributes, find and select sn and click the Add item arrow button.

      2. For Required Attributes, find and select cn and click the Add item arrow button.

      3. For Required Attributes, find and select objectClass and click the Add item arrow button.

      4. For Optional Attributes, find and select siteRoles and click the Add item arrow button.

      5. For Optional Attributes, find and select entitlements and click the Add item arrow button.

    6. Click Save.
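The following Python script is an added example and is not PingFederate's or Tableau's code. It ties Step 4.2.1 and Step 4.3 together by mapping an entry of the custom "Tableau" object class to the SCIM User that the outbound provisioning channel sends to the Base URL: userName comes from mail, name from givenName and sn, and the site role travels in the extension schema whose URN is entered under CUSTOM ATTRIBUTE SCHEMA URNS. It also assembles the USER CREATE request with the OAUTH 2 BEARER TOKEN header and a disable operation matching the REMOVE USER ACTION setting. The sample entry is constructed; mapping entryUUID to externalId and the attribute name "siteRole" inside the extension are assumptions, since the page only names the LDAP attribute siteRoles; the SCIM URL is the page's own example.

```python
import json
from urllib.parse import urlparse

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Custom schema URN entered under CUSTOM ATTRIBUTE SCHEMA URNS in Step 4.2.1.
TABLEAU_USER_EXT = "urn:ietf:params:scim:schemas:extension:tableau:3.0:User"

# Base URL from the SCIM configuration (the page's example site ID).
BASE_URL = ("https://scim.online.tableau.com/pods/cd-main/sites/"
            "25db875a-cace-4769-8429-d7b210879ef2/scim/v2")

# Constructed sample entry using the "Tableau" object class from Step 4.3.2.
SAMPLE_ENTRY = {
    "dn": "uid=alice,ou=people,dc=example,dc=com",
    "objectClass": ["inetOrgPerson", "Tableau"],
    "entryUUID": "1b2c3d4e-0000-4000-8000-000000000001",  # constructed
    "mail": "alice@example.com",
    "givenName": "Alice",
    "sn": "Liddell",
    "siteRoles": "Explorer",
}


def to_scim_user(entry: dict) -> dict:
    """Map an LDAP entry to a SCIM User with the page's attribute mapping:
    userName <- mail, name <- givenName/sn. externalId <- entryUUID (the ENTRY
    GUID ATTRIBUTE) and the 'siteRole' name inside the extension are assumptions."""
    user = {
        "schemas": [CORE_USER, TABLEAU_USER_EXT],
        "externalId": entry["entryUUID"],
        "userName": entry["mail"],
        "name": {"givenName": entry["givenName"], "familyName": entry["sn"]},
        "active": True,
    }
    if "siteRoles" in entry:
        user[TABLEAU_USER_EXT] = {"siteRole": entry["siteRoles"]}
    return user


def is_https(url: str) -> bool:
    return urlparse(url).scheme == "https"


def build_request(base_url: str, token: str, method: str, path: str, body: dict) -> dict:
    """Assemble one SCIM request. A non-https base URL is refused because the
    bearer token would otherwise travel in clear text."""
    if not is_https(base_url):
        raise ValueError("SCIM base URL must use https")
    return {
        "method": method,
        "url": base_url.rstrip("/") + path,
        "headers": {
            "Authorization": "Bearer " + token,
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
        },
        "body": json.dumps(body),
    }


def create_user_request(base_url: str, token: str, entry: dict) -> dict:
    """USER CREATE: POST /Users with the mapped resource."""
    return build_request(base_url, token, "POST", "/Users", to_scim_user(entry))


def disable_user_request(base_url: str, token: str, scim_id: str) -> dict:
    """REMOVE USER ACTION = Disable, written as the standard SCIM 2.0 PatchOp that
    sets active=false (RFC 7644 section 3.5.2). On the Tableau Cloud side the
    user's site role becomes Unlicensed."""
    patch = {"schemas": [PATCH_OP],
             "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return build_request(base_url, token, "PATCH", "/Users/" + scim_id, patch)


if __name__ == "__main__":
    # The secret from Step 3 belongs in a secrets store; this is a placeholder.
    token = "<SCIM-secret-from-step-3>"
    print(json.dumps(create_user_request(BASE_URL, token, SAMPLE_ENTRY), indent=2))
    print(json.dumps(disable_user_request(BASE_URL, token, "2819c223"), indent=2))
```

The secret generated in Step 3 is the only credential on this channel, so the script treats it like any bearer token: it is never written into the payload, and a plain-http Base URL is rejected rather than sent.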

Step 4.4: Configure SAML

Follow the procedure below to edit the SP connection that you created earlier to support SAML SSO.

  1. In the PingFederate administrative console, at the top of the page, select Applications > SP Connections.

  2. On the SP Connections page, do the following:

    1. Click the connection name you created in Step 4.2.

    2. Click the Connection tab.

  3. On the Connection tab, keep the selections as-is and click the Next button.

  4. On the Connection Options tab, keep the selection as-is (BROWSER SSO) and click the Next button.

  5. On the Import Metadata tab, keep the selection as-is (NONE) and click the Next button.

  6. On the General Info tab, do the following:

    1. For PARTNERS ENTITY ID, replace the text with the Tableau Cloud entity ID from the SAML configuration in Tableau Cloud that you started in Step 2. For example, https://sso.online.tableau.com/public/sp/metadata/25db875a-cace-4769-8429-d7b210879ef2/36673dc4-e2c1-4970-976f-255bda6036cb.

    2. (Optional) Update the CONNECTION NAME.

    3. Click the Next button.

  7. On the Browser SSO tab, click the Configure Browser SSO button.

  8. On the SAML Profiles tab, do the following:

    1. Under the Single Sign-On (SSO) Profiles section, do the following:

      1. Select the IDP-INITIATED SSO check box.

      2. Select the SP-INITIATED SSO check box.

    2. Click the Next button.

  9. On the Assertion Lifetime tab, keep the values as-is and click the Next button.

  10. On the Assertion Creation tab, click the Configure Assertion Creation button.

  11. On the Identity Mapping tab, keep the selection as-is (STANDARD) and click the Next button.

  12. On the Attribute Contract tab, do the following:

    1. Under Subject Name Format section, keep the value as-is (urn:oasis:names:tc:SAML:nameid-format:unspecified).

    2. Under the Extend the Contract section, do the following:

      1. In the text box, enter the following: FirstName

      2. Under the Attribute Name Format, select urn:oasis:names:tc:SAML:2.0:attrname-format:basic.

      3. Click the Add button.

      4. In the text box, enter the following: LastName

      5. Under the Attribute Name Format, select urn:oasis:names:tc:SAML:2.0:attrname-format:basic.

      6. Click the Add button.

    3. Click the Next button.

  13. On the Authentication Source Mapping tab, click the Map New Adapter Instance button.

  14. On the IdP Adapter Mapping page, on the Adapter Instance tab, select the adapter you created in Step 4.1.1 (for example, "credentialsValidatorInstance") and click the Next button.

  15. On the Mapping Method tab, keep the value as-is (USE ONLY THE ADAPTER CONTRACT VALUES IN THE SAML ASSERTION) and click the Next button.

  16. On the Attribute Contract Fulfillment tab, do the following:

    1. Next to FirstName, do the following:

      1. From the Source drop-down, select Adapter.

      2. From the Value drop-down list, select givenName.

    2. Next to LastName, do the following:

      1. From the Source drop-down, select Adapter.

      2. From the Value drop-down list, select sn.

    3. Next to SAML_SUBJECT, do the following:

      1. From the Source drop-down, select Adapter.

      2. From the Value drop-down list, select username.

    4. Click the Next button.

  17. On the Issuance Criteria tab, click the Next button.

  18. On the Summary tab, review the details and click the Done button.

  19. On the Assertion Creation tab, review the details and click the Done button.

  20. On the Assertion Creation tab, click the Next button.

  21. On the Protocol Settings page, click the Configure Protocol Settings button.

  22. On the Protocol Settings page, on the Assertion Consumer Service URL tab, do the following:

    1. Under Default, select the check box.

    2. Under Binding, select POST.

    3. Under Endpoint URL, enter the ACS URL from the SAML configuration in Tableau Cloud that you started in Step 2 and click the Add button. For example, "https://sso.online.tableau.com/public/sp/SSO/25db875a-cace-4769-8429-d7b210879ef2/36673dc4-e2c1-4970-976f-255bda6036cb".

    4. Click the Next button.

  23. On the Allowable SAML Bindings tab, do the following:

    1. Ensure the POST and REDIRECT check boxes are selected and remove selections for the other check boxes.

    2. Click the Next button.

  24. On the Signature Policy tab, click the Next button.

  25. On the Encryption Policy tab, keep the selection as-is (None) and click the Next button.

  26. On the Summary tab, review the details and click the Done button.

  27. On the Browser SSO page, on the Protocol Settings tab, click the Next button.

  28. On the Summary tab, review the details and click the Done button.


  29. On the SP Connection page, on the General Info tab, click the Next button.

  30. On the Configure Browser SSO tab, click the Next button.

  31. On the Credentials tab, click the Configure Credentials button.

  32. On the Digital Signature Settings tab, do one of the following:

    • If you already have an existing, valid signing certificate, do the following:

      1. From the SIGNING CERTIFICATE drop-down, select the existing certificate and click the Next button.

      2. Skip to step 38.

    • If you don't have an existing, valid signing certificate, do the following:

      1. Click the Manage Certificates button.

      2. Continue to step 33.

  33. On the Certificate Management page, click the Create New button.

  34. On the Create Certificate page, on the Create Certificate tab, do the following:

    1. For COMMON NAME, enter a name. For example, "PingFedCert".

    2. For ORGANIZATION, enter a name. For example, "Tableau".

    3. For COUNTRY, enter a country name.

    4. Click the Next button.

  35. On the Summary tab, ensure that the MAKE THIS ACTIVE CERTIFICATE check box is selected, and click the Save button.

  36. On the Certificate Management page, click the Done button.

  37. On the Credentials page, do the following:

    1. From the SIGNING CERTIFICATE drop-down, select the newly created certificate.

    2. Click the Next button.

  38. On the Summary page, click the Done button.

  39. On the SP Connection page, on the Outbound Provisioning tab, click the Next button.

  40. On the Activation & Summary tab, review the details and click the Done button.
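The following Python script is an added example and is not part of this topic or of either product. It shows the checks the service-provider side runs on a response produced by the SP connection configured in Step 4.4: the Destination must equal the ACS URL from step 22, the Audience must equal the Tableau Cloud entity ID from step 6, the assertion must lie inside its NotBefore/NotOnOrAfter window, SAML_SUBJECT is taken from the NameID, and FirstName and LastName are read only from attributes carrying the basic name format selected in step 12. The sample response, issuer host and timestamps are constructed; the ACS URL and entity ID are the page's own examples. Verifying the XML signature against the certificate from step 32 is deliberately left out, and in any real SP it runs before these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# SP entity ID and ACS URL as shown in the page's Step 4.4 examples.
SP_ENTITY_ID = ("https://sso.online.tableau.com/public/sp/metadata/"
                "25db875a-cace-4769-8429-d7b210879ef2/36673dc4-e2c1-4970-976f-255bda6036cb")
ACS_URL = ("https://sso.online.tableau.com/public/sp/SSO/"
           "25db875a-cace-4769-8429-d7b210879ef2/36673dc4-e2c1-4970-976f-255bda6036cb")

SAMPLE_NOW = datetime(2025, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=10)

# Constructed sample response (issuer, IDs and times are made up; ds:Signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2025-01-15T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://pingfed.example.com</saml:Issuer>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2025-01-15T10:00:00Z">
    <saml:Issuer>https://pingfed.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-01-15T09:55:00Z" NotOnOrAfter="2025-01-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName" NameFormat="{BASIC}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName" NameFormat="{BASIC}"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_acs=ACS_URL, expected_audience=SP_ENTITY_ID, now=None):
    """Checks an SP applies after the XML signature has been verified with the
    IdP signing certificate. Parse untrusted input with a hardened parser such
    as defusedxml in production; ElementTree is used here to stay stdlib-only."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != expected_acs:
        raise ValueError("Destination does not match this site's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for a different audience")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID to use as SAML_SUBJECT")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("NameFormat") == BASIC:   # the name format selected in Step 4.4
            attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return {"subject": name_id.text, "attributes": attrs}


def accepts(xml_text, **kwargs) -> bool:
    """True when check_response raises nothing; convenient for negative cases."""
    try:
        check_response(xml_text, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, now=SAMPLE_NOW))
    print("expired accepted:", accepts(SAMPLE_RESPONSE, now=SAMPLE_LATER))
```

The Audience and Destination comparisons are the reason the entity ID and ACS URL have to be copied exactly from the Tableau Cloud SAML configuration in steps 6 and 22: a response minted for a different site, or replayed to a different endpoint, fails these checks even if everything else about it is well formed.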

Step 5: Export metadata from PingFederate

To finish setting up SAML in Tableau Cloud, you'll need the SAML metadata file (.xml) from PingFederate to upload to Tableau Cloud.

  1. On the PingFederate administrative console, select System > Protocol Metadata > Metadata Export.

  2. On the Metadata Export page, on the Metadata Role tab, keep the selection as-is (I AM THE IDENTITY PROVIDER (IDP)) and click the Next button.

  3. On the Metadata Mode tab, keep the selection as-is (USE A CONNECTION FOR METADATA GENERATION) and click the Next button.

  4. On the Connection Metadata tab, from the drop-down, select the SP Connection that you created in Step 4.2, and click the Next button.

  5. On the Metadata Signing tab, from the SIGNING CERTIFICATE drop-down list, select the certificate you created in Step 4.4, and then click the Next button.

  6. On the Export & Summary tab, click the Export button to download the PingFederate metadata file, and then click the Done button.

Step 6: Finish configuring SAML in Tableau Cloud

The following steps need to be performed in Tableau Cloud.

  1. Back in Tableau Cloud, on the New Configuration page, under 2. Upload metadata to Tableau, click the Choose a file button and navigate to the SAML metadata file you saved from PingFederate in Step 5. This automatically fills the IdP entity ID and SSO Service URL values.

  2. Map the attribute names (assertions) under 3. Map attributes to the corresponding attribute names in PingFederate.

  3. Under 4. Choose default for embedding views (optional), select the experience you want to enable when users access embedded content. For more information, see the About enabling iFrame embedding section below.

  4. Click the Save and Continue button.
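The following Python script is an added example and is not part of this topic. It reads the kind of metadata file that Step 5 exports and pulls out the values the upload in step 1 fills in automatically (the IdP entity ID and the SSO Service URL), and it derives the SHA-256 fingerprint of the signing certificate so you can confirm that the uploaded file carries the certificate you activated in Step 4.4. The sample metadata, the host name pingfed.example.com and the certificate bytes are constructed; the /idp/SSO.saml2 path is PingFederate's SSO endpoint.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the certificate created in Step 4.4 (not a real X.509 DER blob).
FAKE_CERT_B64 = base64.b64encode(b"constructed-not-a-real-certificate").decode()

# Constructed sample of the file that System > Protocol Metadata > Metadata Export produces.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://pingfed.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://pingfed.example.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://pingfed.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64: str) -> str:
    """SHA-256 over the DER bytes, the form consoles show when comparing certificates."""
    return hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the IdP entity ID, the SSO endpoints per binding and the signing
    certificate fingerprints, rejecting files that are not usable IdP metadata."""
    root = ET.fromstring(xml_text)   # use defusedxml for files from untrusted sources
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not SAML metadata")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    if SAML2 not in idp.get("protocolSupportEnumeration", "").split():
        raise ValueError("IdP does not advertise SAML 2.0")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError("SSO endpoint is not https: " + location)
        sso[svc.get("Binding")] = location
    if not (sso.keys() & {POST, REDIRECT}):
        raise ValueError("no POST or REDIRECT SSO endpoint (the bindings allowed in Step 4.4)")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint(cert.text))
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_cert_sha256": fingerprints}


def is_idp_metadata(xml_text: str) -> bool:
    try:
        parse_idp_metadata(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
```

Comparing the fingerprint in the uploaded file with the one shown for the active certificate in PingFederate's Certificate Management page is a quick way to catch an export made against the wrong connection or certificate before the SAML configuration is saved.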

About enabling iFrame embedding

Note: Applies to Tableau Cloud only.

When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure Okta to allow authentication using an inline frame (iFrame) for embedded visualization. Inline frame embedding may provide a more seamless user experience when signing on to view embedded visualizations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Cloud when browsing to pages that contain embedded visualizations.

Caution: Inline frames can be vulnerable to a clickjack attack. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Cloud, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking on the Open Web Application Security Project (OWASP) website.

Notes for SCIM support with PingFederate

  • Due to limitations in PingFederate, a siteRole update on a group will not initiate siteRole updates on the users within that group. This could result in a stale siteRole attribute assignment. To work around this issue, you can use a non-custom attribute update alongside the siteRole attribute update to initiate the siteRole update. This can be done manually or automatically using one of the following options:

    • Manage siteRoles only on the user object.
    • After a group update, manually update any of the attributes for that user. It doesn't have to be a SCIM-supported attribute like the site role; it can be a description or name attribute.
    • Set up an OGNL expression in PingFederate and perform group membership updates before the Ping Server has started. Once you start Ping Server, it will trigger a siteRole attribute update.
    • Set up an OGNL expression in PingFederate. Additionally, set up an inverted static group and cron job to trigger siteRole updates.
  • An OGNL expression in PingFederate will evaluate the attributes across the user and their group membership to determine their siteRole.
