Configure SAML for Tableau Viz Lightning Web Component
Tableau provides a Lightning Web Component (LWC) for embedding a Tableau visualization within a Salesforce Lightning page.
This topic describes how to enable an SSO experience for embedded Tableau visualizations in a Salesforce Lightning page. SSO for the Tableau Viz LWC scenario requires SAML configuration. The SAML IdP used for Tableau authentication must be either the Salesforce IdP or the same IdP that is used for your Salesforce instance.
In this scenario, Salesforce administrators can drag and drop the Tableau Viz LWC into the Lightning page to embed a visualization. Any view that is available to them on Tableau
When single sign-on (SSO) is configured for Tableau Viz LWC on Tableau
When SSO is not configured, then users will need to reauthenticate with Tableau
- The SAML IdP used for Tableau authentication must be either the Salesforce IdP or the same IdP that is used for your Salesforce instance.
- SAML must be configured on Tableau Server. See Configure Server-Wide SAML, or Configure Site-Specific SAML.
- SAML must be configured for Salesforce.
- Install the Tableau Viz Lightning Web Component. See Embed Tableau Views into Salesforce.
Configuring the authentication workflow
You may need to make additional configurations to optimize the sign-in experience for users who access Lightning with embedded Tableau views.
If a seamless authentication user experience is important, then you will need to make some additional configurations. In this context, “seamless” means that users who access the Salesforce Lightning page where Tableau Viz LWC SSO has been enabled will not be required to perform any action to view the embedded Tableau view. In the seamless scenario, if the user is logged into Salesforce, then embedded Tableau views will be displayed with no additional user action. This scenario is enabled by in-frame authentication.
For a seamless user experience you will need to enable in-frame authentication on Tableau
On the other hand, there are scenarios where users are interacting with the Lightning page that will require them to click a “Sign in” button to view the embedded Tableau view. This scenario, where a user must take another action to view the embedded Tableau view, is called pop-up authentication.
Pop-up authentication is the default user experience if you do not enable in-frame authentication.
Enable in-frame authentication on Tableau Server
Before you enable in-frame authentication on Tableau Server, you must have already configured and enabled SAML on Tableau Server.
Run the following TSM commands to enable in-frame authentication:
tsm configuration set -k wgserver.saml.iframed_idp.enabled -v true
tsm pending-changes apply
Note: Clickjack protection is enabled by default on Tableau Server. When you enable in-frame authentication, clickjack protection is disabled. You should evaluate the risk of disabling clickjack protection. See Clickjack Protection.
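Because enabling in-frame authentication turns off clickjack protection, it is worth confirming what framing-protection headers the server actually returns before and after the change. The following POSIX shell helper is an added example, not Tableau's own tooling; the hostname, header samples and the example-placeholder.com origin are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Tableau's own tooling): after running
#   tsm configuration set -k wgserver.saml.iframed_idp.enabled -v true
# confirm what framing protection the server still advertises.
# Classification of a captured HTTP response-header block:
#   xfo      X-Frame-Options present (clickjack protection still active)
#   csp      Content-Security-Policy with a frame-ancestors directive
#   xfo+csp  both headers present
#   none     no framing protection header at all
classify_framing() {
  h=$(printf '%s\n' "$1" | tr -d '\r')
  result=""
  if printf '%s\n' "$h" | grep -qi '^x-frame-options:'; then
    result="xfo"
  fi
  if printf '%s\n' "$h" | grep -i '^content-security-policy:' | grep -q 'frame-ancestors'; then
    result="${result:+$result+}csp"
  fi
  echo "${result:-none}"
}

# Print the sources allowed by frame-ancestors (empty if absent), so you can
# confirm that only the expected Salesforce origins may frame the server.
frame_ancestors() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -i '^content-security-policy:' \
    | sed -n 's/.*frame-ancestors[[:space:]]*\([^;]*\).*/\1/p' \
    | sed 's/[[:space:]]*$//'
}

# Live check against a real server (not exercised offline): headers only.
check_server() {
  classify_framing "$(curl -sI "$1")"
}

# Constructed sample responses (placeholders, not captured from a real server).
SAMPLE_PROTECTED='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'
SAMPLE_OPEN='HTTP/1.1 200 OK
Content-Type: text/html'
SAMPLE_CSP="HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://*.example-placeholder.com; img-src *
Content-Type: text/html"

echo "before: $(classify_framing "$SAMPLE_PROTECTED")"   # xfo
echo "after:  $(classify_framing "$SAMPLE_OPEN")"        # none
echo "csp:    $(classify_framing "$SAMPLE_CSP") allows $(frame_ancestors "$SAMPLE_CSP")"   # csp allows 'self' https://*.example-placeholder.com
```

Run `check_server https://your-tableau-host/` (placeholder host) before and after `tsm pending-changes apply`; a result of `none` means nothing restricts which sites may frame the server.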
Tableau Server Versioning
For the best user experience, run the latest maintenance release of Tableau Server.
If you are not running the latest maintenance release, and your users are running Chrome browsers to access Salesforce Lightning, then review the Tableau KB article, Embedded Views Fail to Load After Updating to Chrome 80.
Enable in-frame authentication with your SAML IdP
As described above, a seamless authentication user experience with Salesforce Mobile requires IdP support for in-frame authentication. IdPs may also refer to this functionality as “iframe embedding” or “framing protection”.
Salesforce safelist domains
In some cases, IdPs only allow enabling in-frame authentication by domain. In those cases, set the following Salesforce wildcard domains when you enable in-frame authentication:
Salesforce IdP supports in-frame authentication by default. You do not need to enable or configure in-frame authentication in the Salesforce configuration.
See Embed Okta in an iframe, in the Okta Help Center topic, General customization options.
See the Ping support topic, How to Disable the "X-Frame-Options=SAMEORIGIN" Header in PingFederate.
See Framing protection, in the OneLogin Knowledge Base article, Account Settings for Account Owners.
ADFS and Azure AD IdP
Microsoft has blocked all in-frame authentication and it cannot be enabled. Instead, Microsoft only supports pop-up authentication in a second window. As a result, pop-up behavior can be blocked by some browsers, which will require users to accept pop-ups for the
Salesforce Mobile App
If your users primarily interact with Lightning on the Salesforce Mobile App, then you should be aware of the following scenarios:
- The Salesforce Mobile App requires that you configure SSO/SAML to view embedded Tableau.
- The Salesforce Mobile App requires in-frame authentication. Pop-up authentication does not work. Instead, users on the Salesforce Mobile App will see the Tableau sign-in button but will not be able to sign in to Tableau.
- The Mobile App will not work with ADFS or Azure AD as the IdP.
- The Mobile App uses OAuth tokens to enable SSO. There are scenarios where the OAuth token refreshes and logs users out, requiring users to log back in. To learn more, see the Tableau KB article, Tableau Viz Lightning Web Component On Salesforce Mobile App Prompts for Sign-in.
The SSO behavior differs according to the version of the Salesforce Mobile App (iOS vs Android) and the IdP:
IdP             Mobile OS      SSO behavior
Salesforce IdP  Android, iOS   SSO works initially, but users will need to sign in after some time.
External IdP    Android        SSO does not work. Users will need to sign in manually. (SSO must still be configured to enable user access to embedded Tableau views.)
External IdP    iOS            SSO works initially, but users will need to sign in after some time.