Configure SAML for Tableau Viz Lightning Web Component

Tableau provides a Lightning Web Component (LWC) for embedding a Tableau visualization within a Salesforce Lightning page.

This topic describes how to enable an SSO experience for embedded Tableau visualizations in a Salesforce Lightning page. SSO for the Tableau Viz LWC scenario requires SAML configuration. The SAML IdP used for Tableau authentication must be either the Salesforce IdP or the same IdP that is used for your Salesforce instance.

In this scenario, Salesforce administrators can drag and drop the Tableau Viz LWC into the Lightning page to embed a visualization. Any view that is available to them on Tableau Server can be displayed in the dashboard by entering the embed URL of the view.

When single sign-on (SSO) is configured for Tableau Viz LWC on Tableau Server, the user experience is seamless: after the user signs into Salesforce, embedded Tableau views will work without further authentication to Tableau Server.

When SSO is not configured, users must reauthenticate with Tableau Server to view embedded visualizations from Tableau Server.

Requirements

Configuring the authentication workflow

You may need to make additional configurations to optimize the sign-in experience for users who access Lightning with embedded Tableau views.

If a seamless authentication user experience is important, then you will need to make some additional configurations. In this context, “seamless” means that users who access the Salesforce Lightning page where Tableau Viz LWC SSO has been enabled will not be required to perform any action to view the embedded Tableau view. In the seamless scenario, if the user is logged into Salesforce, then embedded Tableau views will be displayed with no additional user action. This scenario is enabled by in-frame authentication.

For a seamless user experience you will need to enable in-frame authentication on Tableau Server and at your IdP. The sections below describe how to configure in-frame authentication.

On the other hand, there are scenarios where users are interacting with the Lightning page that will require them to click a “Sign in” button to view the embedded Tableau view. This scenario, where a user must take another action to view the embedded Tableau view, is called pop-up authentication.

Pop-up authentication is the default user experience if you do not enable in-frame authentication.

Enable in-frame authentication on Tableau Server

Before you enable in-frame authentication on Tableau Server, you must have already configured and enabled SAML on Tableau Server.

Run the following TSM commands to enable in-frame authentication:

tsm configuration set -k wgserver.saml.iframed_idp.enabled -v true

tsm pending-changes apply

Note: Clickjack protection is enabled by default on Tableau Server. When you enable in-frame authentication, clickjack protection is disabled. You should evaluate the risk of disabling clickjack protection. See Clickjack Protection.

Tableau Server Versioning

For the best user experience, run the latest maintenance release of Tableau Server.

If you are not running the latest maintenance release, and your users are running Chrome browsers to access Salesforce Lightning, then review the Tableau KB article, Embedded Views Fail to Load After Updating to Chrome 80.

Enable in-frame authentication with your SAML IdP

As described above, a seamless authentication user experience with Salesforce Mobile requires IdP support for in-frame authentication. This functionality may also be referred to as “iframe embedding” or “framing protection” at IdPs.
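After enabling in-frame authentication on Tableau Server (which turns off its clickjack protection, as noted above) and at your IdP, it is worth confirming that neither side still sends a framing-protection header, since a leftover X-Frame-Options or Content-Security-Policy frame-ancestors directive is exactly what makes the embedded view fall back to the sign-in button. The following POSIX shell check is an added example and is not part of Tableau's documentation: it reads captured response headers (for example from `curl -sI <url>` against the Tableau Server SAML endpoint and the IdP sign-in page) and reports whether a browser would refuse to render that response inside a Salesforce Lightning iframe. The function names, the sample headers and the host names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from Tableau's documentation): classify captured HTTP
# response headers as blocking or allowing embedding in a Salesforce iframe.
# Host names and sample captures below are constructed for illustration.

# header_value HEADERS NAME
#   Print the value of the first header called NAME (give NAME in lower case).
#   Header names are case-insensitive; CR characters from CRLF captures are dropped.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v name="$2" '
    {
      i = index($0, ":"); if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) == name) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
      }
    }'
}

# framing_verdict HEADERS ORIGIN
#   ORIGIN is the embedding page's origin, e.g. https://myorg.lightning.force.com
#   Prints blocked-xfo, blocked-csp or allowed; exit status is 0 only for allowed.
framing_verdict() {
  headers=$1
  origin=$2

  xfo=$(header_value "$headers" x-frame-options | tr 'A-Z' 'a-z')
  case "$xfo" in
    deny|sameorigin)
      # Neither value lets a force.com page embed a Tableau or IdP page.
      echo blocked-xfo; return 1 ;;
  esac

  # A CSP frame-ancestors directive takes precedence over X-Frame-Options in
  # current browsers, so check it even when X-Frame-Options is absent.
  ancestors=$(header_value "$headers" content-security-policy |
    tr ';' '\n' | sed -n 's/^[[:space:]]*frame-ancestors[[:space:]]*//p')
  if [ -n "$ancestors" ]; then
    verdict=blocked-csp
    set -f   # CSP sources contain '*'; keep the shell from globbing them as file names
    for src in $ancestors; do
      case "$src" in
        "'none'") break ;;        # nothing may frame this response
        "'self'") ;;              # same-origin only; Salesforce is a different origin
        *)
          # Source expressions such as https://*.force.com are glob-like, so the
          # shell's pattern matching compares them with the origin; a bare host
          # pattern without a scheme is accepted for any scheme.
          case "$origin" in
            $src|*://$src) verdict=allowed; break ;;
          esac ;;
      esac
    done
    set +f
    echo "$verdict"
    if [ "$verdict" = allowed ]; then return 0; else return 1; fi
  fi
  echo allowed; return 0
}

# Constructed sample captures (not real server output).
ORIGIN=https://myorg.lightning.force.com
HDR_XFO=$(printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n')
HDR_CSP_NONE=$(printf "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'none'\r\n")
HDR_CSP_SF=$(printf "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self' https://*.force.com https://*.visualforce.com\r\n")
HDR_OPEN=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')

for h in "$HDR_XFO" "$HDR_CSP_NONE" "$HDR_CSP_SF" "$HDR_OPEN"; do
  framing_verdict "$h" "$ORIGIN" || true   # blocked-xfo, blocked-csp, allowed, allowed
done
```

Run it against real captures by passing the output of `curl -sI` as the first argument; a `blocked-*` verdict for the IdP sign-in page means the IdP-side setting in the vendor topics below has not taken effect, and an `allowed` verdict for Tableau Server confirms clickjack protection is now off for that endpoint, which is the trade-off the note above asks you to evaluate.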

Salesforce safelist domains

In some cases, IdPs only allow enabling in-frame authentication by domain. In those cases, set the following Salesforce wildcard domains when you enable in-frame authentication:

*.force

*.visualforce

Salesforce IdP

Salesforce IdP supports in-frame authentication by default. You do not need to enable or configure in-frame authentication in the Salesforce configuration. However, you must run the TSM command on Tableau Server as described above.

Okta IdP

See Embed Okta in an iframe, in the Okta Help Center topic, General customization options.

Ping IdP

See the Ping support topic, How to Disable the "X-Frame-Options=SAMEORIGIN" Header in PingFederate.

OneLogin IdP

See Framing protection, in the OneLogin Knowledge Base article, Account Settings for Account Owners.

ADFS and Azure AD IdP

Microsoft has blocked all in-frame authentication and it cannot be enabled. Instead, Microsoft only supports pop-up authentication in a second window. As a result, pop-up behavior can be blocked by some browsers, which will require users to allow pop-ups for the force.com and visualforce.com sites.

Salesforce Mobile App

If your users primarily interact with Lightning on the Salesforce Mobile App, then you should be aware of the following scenarios:

  • The Salesforce Mobile App requires that you configure SSO/SAML to view embedded Tableau.
  • The Salesforce Mobile App requires in-frame authentication. Pop-up authentication does not work. Instead, users on the Salesforce Mobile App will see the Tableau sign-in button but will not be able to sign in to Tableau.
  • Mobile App will not work on ADFS and Azure AD IdP.
  • The Mobile App uses OAuth tokens to enable SSO. There are scenarios where the OAuth token refreshes and logs users out, requiring users to log back in. To learn more, see the Tableau KB article, Tableau Viz Lightning Web Component On Salesforce Mobile App Prompts for Sign-in.
  • The SSO behavior differs according to the version of Salesforce Mobile App (iOS vs Android) and the IdP:

    IdP             Mobile OS   SSO behavior
    Salesforce IdP  Android     SSO works initially, but users will need to sign in after some time.
    Salesforce IdP  iOS         SSO works initially, but users will need to sign in after some time.
    External IdP    Android     SSO does not work. Users will need to sign in manually. (SSO must still be configured to give users access to embedded Tableau views.)
    External IdP    iOS         SSO works initially, but users will need to sign in after some time.