Configure SAML with Azure AD IdP on Tableau Server

You can configure Azure AD as a SAML identity provider (IdP), and add Tableau Server to your supported single sign-on (SSO) applications. When you integrate Azure AD with SAML and Tableau Server, your users can sign in to Tableau Server using their standard network credentials.

Before you begin: Prerequisites

Before you can configure Tableau Server and SAML with Azure AD, your environment must have the following:

Step 1: Verify SSL connection to Azure AD

Azure AD requires an SSL connection. If you haven’t done so yet, complete the steps in Configure SSL for External HTTP Traffic to and from Tableau Server, using a certificate that meets the requirements as specified above.

Alternatively, if Tableau Server is configured to work with a reverse proxy or load balancer where SSL is being terminated (commonly referred to as SSL off-loading), then you don’t need to configure external SSL.

If your organization uses Azure AD App proxy, see the section below, Azure AD App Proxy.

Step 2: Configure SAML on Tableau Server

Complete the steps in Configure Server-Wide SAML through downloading the Tableau Server metadata to an XML file. At that point, return here and continue to the next section.

Step 3: Configure Azure AD claim rules

The mapping is case sensitive and requires exact spelling, so double-check your entries. The table here shows common attributes and claim mappings. You should verify the attributes with your specific Azure AD configuration.

LDAP Attribute              Outgoing Claim Type   Note
onpremisessamaccountname    username
Given-Name                  firstName             Optional.
Surname                     lastName              Optional.
netbiosname                 domain                Only required if you have users signing in from a domain that's not the default domain.

In some organizations, Azure AD is used as the SAML IdP with Active Directory as the identity store for Tableau Server. In this case, username is usually the sAMAccountName attribute. See Microsoft's documentation for identifying the sAMAccountName attribute within Azure AD to map to the username attribute.

Step 4: Provide Azure AD metadata to Tableau Server

  1. Return to the TSM web UI, and navigate to Configuration > User Identity & Access > Authentication Method tab.

  2. In Step 4 of the SAML configuration pane, enter the location of the XML file you exported from Azure AD, and select Upload.


  3. Complete the remaining steps (matching assertions and specifying client type access) as specified in Configure Server-Wide SAML. Save and apply changes.

  4. Perform the following steps if this isn’t the first time configuring SAML:

    1. Stop Tableau Server, open TSM CLI, and run the following commands.

      tsm configuration set -k wgserver.saml.sha256 -v true

      tsm authentication saml configure -a 7776000

    2. Apply the changes:

      tsm pending-changes apply

      If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Azure AD App Proxy

If you’re running Azure AD App Proxy in front of Tableau Server and SAML is enabled, then you’ll need to make an additional configuration change to Azure AD App Proxy.

Tableau Server can only accept traffic from one URL when SAML is enabled. However, by default, Azure AD App Proxy sets an external URL and an internal URL.

You must set both of these values to the same URL in your custom domain. For more information, see the Microsoft documentation, Configure custom domains with Azure AD Application Proxy(Link opens in a new window).

Troubleshooting

Azure AD App Proxy

In some cases, links to views render internally but fail externally when traffic is crossing an Azure AD App Proxy. The issue arises when there’s a pound sign (#) in the URL and users are accessing the link with a browser. The Tableau Mobile app is able to access URLs with a pound sign.

User session timeouts appear to be ignored

When Tableau Server is configured for SAML, users might experience sign-in errors because the IdP's maximum authentication age setting is greater than Tableau's maximum authentication age setting. To resolve this issue, you can use the tsm configuration set option wgserver.saml.forceauthn to require the IdP to reauthenticate the user each time Tableau redirects the authentication request, even if the IdP session for the user is still active.

For example, when the Azure AD setting maxInactiveTime is greater than Tableau Server's setting maxAuthenticationAge, Tableau redirects the authentication request to the IdP who subsequently sends Tableau an assertion that the user is already authenticated. However, because the user was authenticated outside of Tableau Server's maxAuthenticationAge, Tableau rejects the user authentication. In cases like this, you can do one or both of the following:

  • Enable the wgserver.saml.forceauthn option to require the IdP to reauthenticate the user every time Tableau redirects the authentication request. For more information, see wgserver.saml.forceauthn.
  • Increase Tableau Server’s maxAuthenticationAge setting. For more information, see “a, --max-auth-age <max-auth-age>” in the tsm authentication topic.

AppID mismatch

When reviewing the vizportal.log file, you might see the error "The intended audience doesn’t match the recipient".

To resolve this issue, ensure the appID (entity ID) configured in Tableau Server matches the Audience value Azure AD sends. When the application ID is used as the identifier, Azure AD prefixes it with "SPN:" in the assertion. You can change the value in the Tableau SAML settings by adding the "SPN:" prefix to the application ID.

For example: SPN:myazureappid1234
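The three failure modes above (a claim name that differs only in case from the table in Step 3, an Audience carrying Azure AD's "SPN:" prefix, and an AuthnInstant older than Tableau's max-auth-age) can be checked offline against a captured SAML Response before changing anything in TSM. The following Python script is an added example, not Tableau or Microsoft code; the embedded response is constructed, and the entity ID myazureappid1234, the 7200-second max-auth-age and the timestamps are assumed values for illustration.

```python
"""Offline checks on a SAML Response bound for Tableau Server (added example, not
Tableau or Microsoft code): claim names that do not match Tableau's expected
names exactly, an "SPN:"-prefixed Audience, and a stale AuthnInstant."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names Tableau Server matches (claim-rule table in Step 3).
REQUIRED_CLAIMS = {"username"}
OPTIONAL_CLAIMS = {"firstName", "lastName", "domain"}

# Constructed sample with three deliberate faults: the username claim is spelled
# "Username", the Audience is "SPN:"-prefixed, and the user authenticated at the
# IdP two weeks before the response was issued. IDs and times are made up.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>SPN:myazureappid1234</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T08:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="Username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# Assumed "now" for the age check: the sample response's IssueInstant.
SAMPLE_NOW = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Return the Assertion element of a SAML Response."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAML Response contains no Assertion")
    return assertion


def check_claims(assertion):
    """List claim names that will not map because of case or absence."""
    names = [a.get("Name") for a in
             assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    problems = []
    for want in sorted(REQUIRED_CLAIMS | OPTIONAL_CLAIMS):
        if want in names:
            continue
        near = [n for n in names if n.lower() == want.lower()]
        if near:  # present, but with the wrong case: Tableau will not match it
            problems.append(f"claim {near[0]!r} will not map to {want!r}: "
                            "the mapping is case sensitive")
        elif want in REQUIRED_CLAIMS:
            problems.append(f"required claim {want!r} is missing")
    return problems


def check_audience(assertion, tableau_entity_id):
    """None if an Audience equals the entity ID Tableau is configured with,
    else a message; recognises the 'SPN:' prefix Azure AD adds."""
    audiences = [a.text.strip() for a in assertion.findall(".//saml:Audience", NS)]
    if tableau_entity_id in audiences:
        return None
    for aud in audiences:
        if aud.lower() == f"spn:{tableau_entity_id}".lower():
            return (f"audience {aud!r} carries the SPN: prefix; set the "
                    f"Tableau SAML entity ID to {aud!r}")
    return f"audience {audiences!r} does not contain {tableau_entity_id!r}"


def check_auth_age(assertion, max_auth_age_seconds, now):
    """None if AuthnInstant is within max-auth-age seconds of `now`."""
    stmt = assertion.find("saml:AuthnStatement", NS)
    if stmt is None:
        return "assertion has no AuthnStatement"
    instant = datetime.fromisoformat(stmt.get("AuthnInstant").replace("Z", "+00:00"))
    age = int((now - instant).total_seconds())
    if age > max_auth_age_seconds:
        return (f"AuthnInstant is {age}s old, beyond max-auth-age "
                f"{max_auth_age_seconds}s: enable wgserver.saml.forceauthn "
                "or raise --max-auth-age")
    return None


def diagnose(xml_text, tableau_entity_id, max_auth_age_seconds, now=SAMPLE_NOW):
    """Run all checks; an empty list means the response would be accepted."""
    assertion = parse_assertion(xml_text)
    problems = check_claims(assertion)
    for result in (check_audience(assertion, tableau_entity_id),
                   check_auth_age(assertion, max_auth_age_seconds, now)):
        if result:
            problems.append(result)
    return problems


if __name__ == "__main__":
    # Assumed values: raw application ID as entity ID and a 7200 s max-auth-age.
    for problem in diagnose(SAMPLE_RESPONSE, "myazureappid1234", 7200):
        print("FAIL:", problem)
```

To run this against a real sign-in, capture the SAMLResponse form field with the browser's developer tools, base64-decode it, and pass the XML to diagnose() together with the entity ID from Tableau's SAML settings, the value you set with --max-auth-age, and the current UTC time. Only the AuthnInstant check depends on the clock; the other two are pure string comparisons, which is exactly why the case of the claim names and the "SPN:" prefix matter.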
