Configure SAML with AD FS on Tableau Server

You can configure Active Directory Federation Services (AD FS) as a SAML identity provider, and add Tableau Server to your supported single sign-on applications. When you integrate AD FS with SAML and Tableau Server, your users can sign in to Tableau Server using their standard network credentials.

Prerequisites

Before you can configure Tableau Server and SAML with AD FS, your environment must have the following:

  • A server running Microsoft Windows Server 2008 R2 (or later) with AD FS 2.0 (or later) and IIS installed.

  • We recommend that you secure your AD FS server (for example, using a reverse proxy). When your AD FS server is accessible from outside your firewall, Tableau Server can redirect users to the sign in page hosted by AD FS.

  • SSL certificate encrypted using SHA-2 (256 or 512 bit) encryption, and that meets the additional requirements listed in the following sections:

Step 1: Verify SSL connection to AD FS

AD FS requires an SSL connection. If you haven’t done so yet, complete the steps in Configure SSL for External HTTP Traffic to and from Tableau Server, using a certificate that meets the requirements as specified above.

Alternatively, if Tableau Server is configured to work with a reverse proxy or load balancer where SSL is being terminated (commonly referred to as SSL off-loading), then you do not need to configure external SSL.

Step 2: Configure SAML on Tableau Server

Complete the steps in Configure Server-Wide SAML through downloading the Tableau Server metadata to an XML file. At that point, return here and continue to the next section.

Step 3: Configure AD FS to accept sign-in requests from Tableau Server

Note: These steps reflect a third-party application and are subject to change without our knowledge.

Configuring AD FS to accept Tableau Server sign-in requests is a multi-step process, starting with importing the Tableau Server XML metadata file to AD FS.

  1. Do one of the following to open the Add Relying Party Trust Wizard:

  2. Windows Server 2008 R2:

    1. Select Start menu> to Administrative Tools> AD FS 2.0.

    2. In AD FS 2.0, under Trust Relationships, right-click the Relying Party Trusts folder, and then click Add Relying Party Trust.

    Windows Server 2012 R2:

    1. Open Server Manager, and then on the Tools menu, click AD FS Management.

    2. In AD FS Management, on the Action menu, click Add Relying Party Trust.

  3. In the Add Relying Party Trust Wizard, click Start.

  4. On the Select Data Source page, select Import data about the relying party from a file, and then click Browse to locate your Tableau Server XML metadata file. By default, this file is named samlspmetadata.xml.

  5. Click Next, and on the Specify Display Name page, type a name and description for the relying party trust in the Display name and Notes boxes.

  6. Click Next to skip the Configure Multi-factor Authentication Now page.

  7. Click Next to skip the Choose Issuance Authorization Rules page.

  8. Click Next to skip the Ready to Add Trust page.

  9. On the Finish page, select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box, and then click Close.

Next, you’ll work in the Edit Claim Rules dialog, to add a rule that makes sure the assertions sent by AD FS match the assertions Tableau Server expects. At a minimum, Tableau Server needs an email address. However, including first and last names in addition to email will ensure the user names displayed in Tableau Server are the same as those in your AD account.

  1. In the Edit Claim Rules dialog box, click Add Rule.

  2. On the Choose Rule Type page, for Claim rule template, select Send LDAP Attributes as Claims, and then click Next.

  3. On the Configure Claim Rule page, for Claim rule name, enter a name for the rule that makes sense to you.

  4. For Attribute store, select Active Directory, complete the mapping as shown below, and then click Finish.

  5. The mapping is case sensitive and requires exact spelling, so double-check your entries. The table here shows common attributes and claim mappings. Verify attributes with your specific Active Directory configuration.

    LDAP Attribute Outgoing Claim Type
    SAM-Account-Name Name ID
    SAM-Account-Name username
    Given-Name firstName
    Surname lastName

If you are running AD FS 2016 or later, then you must add a rule to pass through all claim values. If you are running an older version of AD FS, skip to the next procedure to export AD FS metadata.

  1. Click Add Rule.
  2. Under Claim rule template, choose Pass Through or Filter an Incoming Claim.
  3. Under Claim rule name, enter Windows.
  4. On the Edit Rule - Windows pop-up:
    • Under Incoming claim type, select Windows account name.
    • Select Pass through all claim values.
    • Click OK.

Now you will export AD FS metadata that you’ll import to Tableau Server later. You will also make sure the metadata is configured and encoded properly for Tableau Server, and verify other AD FS requirements for your SAML configuration.

  1. Export AD FS Federation metadata to an XML file, and then download the file from https://<adfs server name>/federationmetadata/2007-06/FederationMetadata.xml.

  2. Open the metadata file in a text editor like Sublime Text or Notepad++, and verify that it is correctly encoded as UTF-8 without BOM.

    If the file shows some other encoding type, save it from the text editor with the correct encoding.

  3. Verify that AD FS uses forms-based authentication. Sign-ins are performed in a browser window, so you need AD FS to default to this type of authentication.

    Edit c:\inetpub\adfs\ls\web.config, search for the tag , and move the line so it appears first in the list. Save the file so that IIS can automatically reload it.

    Note: If you don't see the c:\inetpub\adfs\ls\web.config file, IIS is not installed and configured on your AD FS server.

  4. (Optional) This step is required only if AD FS is configured as an IDP for site-specific SAML. This step is not required if AD FS is configured as the IDP for server-wide SAML.

    Configure an additional AD FS relying party identifier. This allows your system to work around any AD FS issues with SAML logout.

    Do one of the following:

    Windows Server 2008 R2:

    1. In AD FS 2.0, right-click on the relying party you created for Tableau Server earlier, and click Properties.

    2. On the Identifiers tab, in the Relying party identifier box, enter https://<tableauservername>/public/sp/metadata and then click Add.

    Windows Server 2012 R2:

    1. In AD FS Management, in the Relying Party Trusts list, right-click on the relying party you created for Tableau Server earlier, and click Properties.

    2. On the Identifiers tab, in the Relying party identifier box, enter https://<tableauservername/public/sp/metadata and then click Add.

    Note: AD FS can be used with Tableau Server for a single relying party to the same instance. AD FS cannot be used for multiple relying parties to the same instance, for example, multiple site-SAML sites or server-wide and site SAML configurations.

Step 4: Provide AD FS metadata to Tableau Server

  1. Return to the TSM web UI, and navigate to Configuration > User Identity & Access > Authentication Method tab.

  2. In Step 4 of the SAML configuration window, enter the location of the XML file you exported from AD FS, and select Upload.

    Screen shot highlighting the area of the TSM UI where you upload SAML IDP metadata

  3. Complete the remaining steps (matching assertions and specifying client type access) as specified in Configure Server-Wide SAML.

  4. Save and apply changes.

  5. Perform the following steps if this is not the first time configuring SAML:

    1. Stop Tableau Server, open TSM CLI, and run the following commands:

      tsm configuration set -k wgserver.saml.sha256 -v true

      tsm authentication saml configure -a 7776000

    2. Apply the changes:

      tsm pending-changes apply

      If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!