SAML

SAML (Security Assertion Markup Language) is an XML standard that allows secure web domains to exchange user authentication and authorization data. You can configure Tableau Server to use an external identity provider (IdP) to authenticate users over SAML 2.0. No user credentials are stored with Tableau Server, and using SAML enables you to add Tableau to your organization’s single sign-on environment. Tableau Server supports all SAML 2.0 features including multi-factor authentication (MFA), forcing password change on first login, password complexity requirements, account lockout, and more.

You can use SAML server wide, or you can configure sites individually. Here’s an overview of those options:

  • Server-wide SAML authentication. A single SAML IdP application handles authentication for all Tableau Server users. Use this option if your server has only the Default site.

  • Server-wide local authentication and site-specific SAML authentication. In a multi-site environment, users who are not enabled for SAML authentication at the site level can sign in using local authentication.

  • Server-wide SAML authentication and site-specific SAML authentication. In a multi-site environment, all users authenticate through a SAML IdP configured at the site level, and you specify a server-wide default SAML IdP for users that belong to multiple sites.

If you want to use site-specific SAML, you must configure server-wide SAML before you configure individual sites. Server-side SAML does not need to be enabled for site-specific SAML to function, but it must be configured.

User authentication through SAML does not apply to permissions and authorization for Tableau Server content, such as data sources and workbooks. It also does not control access to underlying data that workbooks and data sources connect to.

Note: Tableau Server supports both service provider initiated and IdP initiated SAML in browsers only. Connections from Tableau Desktop or the Tableau Mobile app require that the SAML request be service provider initiated.

The following image shows the steps to authenticate a user with single sign-on in a typical service provider initiated flow:

Single sign-on through SAML

  1. User navigates to the Tableau Server sign-in page or clicks a published workbook URL.

  2. Tableau Server starts the authentication process by redirecting the client to the configured IdP.

  3. The IdP requests the user’s username and password from the user. After the user submits valid credentials, the IdP authenticates the user.

  4. The IdP returns the successful authentication in the form of a SAML Response to the client. The client passes the SAML Response to Tableau Server.

  5. Tableau Server verifies that the username in the SAML Response matches a licensed user stored in the Tableau Server Repository. If a match is verified, then Tableau Server responds to the client with the requested content.

Thanks for your feedback! There was an error submitting your feedback. Try again or send us a message.