Configure SAML with Azure AD IdP on Tableau Server
You can configure Azure AD as a SAML identity provider (IdP), and add Tableau Server to your supported single sign-on (SSO) applications. When you integrate Azure AD with SAML and Tableau Server, your users can sign in to Tableau Server using their standard network credentials.
Before you begin: Prerequisites
Before you can configure Tableau Server and SAML with Azure AD, your environment must have the following:
SSL certificate signed with SHA-2 (256- or 512-bit) hashing, and that meets the additional requirements listed in the following sections:
If your users sign in from a domain that is not the default domain, review SAML Requirements and User Management in Deployments with External Identity Stores to ensure the domain attribute value is set and defined, to avoid sign-in issues later on.
Step 1: Verify SSL connection to Azure AD
Azure AD requires an SSL connection. If you haven’t done so yet, complete the steps in Configure SSL for External HTTP Traffic to and from Tableau Server, using a certificate that meets the requirements as specified above.
Alternatively, if Tableau Server is configured to work with a reverse proxy or load balancer where SSL is being terminated (commonly referred to as SSL off-loading), then you don’t need to configure external SSL.
If your organization uses Azure AD App proxy, see the section below, Azure AD App Proxy.
Step 2: Configure SAML on Tableau Server
Complete the steps in Configure Server-Wide SAML through downloading the Tableau Server metadata to an XML file. At that point, return here and continue to the next section.
Step 3: Configure Azure AD claim rules
The mapping is case sensitive and requires exact spelling, so double-check your entries. The table here shows common attributes and claim mappings. You should verify the attributes with your specific Azure AD configuration.
| LDAP Attribute | Outgoing Claim Type |
Note: This is optional.
Note: This is optional.
Note: This is only required if you have users signing in from a domain that's not the default domain.
In some organizations, Azure AD as a SAML IdP is used with Active Directory as the identity store for Tableau Server. In this case, the username is usually the sAMAccountName attribute. See Microsoft's documentation for identifying the sAMAccountName attribute within Azure AD to map to the
Step 4: Provide Azure AD metadata to Tableau Server
Return to the TSM web UI, and navigate to Configuration > User Identity & Access > Authentication Method tab.
In Step 4 of the SAML configuration pane, enter the location of the XML file you exported from Azure AD, and select Upload.
Complete the remaining steps (matching assertions and specifying client type access) as specified in Configure Server-Wide SAML. Save and apply changes.
Perform the following steps if this isn’t the first time configuring SAML:
Stop Tableau Server, open TSM CLI, and run the following commands.
tsm configuration set -k wgserver.saml.sha256 -v true
tsm authentication saml configure -a 7776000
Apply the changes:
tsm pending-changes apply
If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
If you’re running Azure AD App Proxy in front of Tableau Server and SAML is enabled, then you’ll need to make an additional configuration to Azure AD App Proxy.
Tableau Server can only accept traffic from one URL when SAML is enabled. However, by default, Azure AD App Proxy sets an external URL and an internal URL.
You must set both of these values to the same URL in your custom domain. For more information, see the Microsoft documentation, Configure custom domains with Azure AD Application Proxy(Link opens in a new window).
Azure AD App Proxy
In some cases, links to views render internally but fail externally when traffic is crossing an Azure AD App Proxy. The issue arises when there’s a pound sign (#) in the URL and users are accessing the link with a browser. The Tableau Mobile app is able to access URLs with a pound sign.
User session timeouts appear to be ignored
When Tableau Server is configured for SAML, users might experience sign-in errors because the IdP maximum authentication age setting is set to a value greater than Tableau's maximum authentication age setting. To resolve this issue, you can use the tsm configuration set option wgserver.saml.forceauthn to require the IdP to reauthenticate the user each time Tableau redirects the authentication request, even if the IdP session for the user is still active.
For example, when the Azure AD setting maxInactiveTime is greater than Tableau Server's setting maxAuthenticationAge, Tableau redirects the authentication request to the IdP, which then sends Tableau an assertion that the user is already authenticated. However, because the user was authenticated longer ago than Tableau Server's maxAuthenticationAge allows, Tableau rejects the user authentication. In cases like this, you can do one or both of the following:
- Enable the wgserver.saml.forceauthn option to require the IdP to reauthenticate the user every time Tableau redirects the authentication request. For more information, see wgserver.saml.forceauthn.
- Increase Tableau Server’s maxAuthenticationAge setting. For more information, see “-a, --max-auth-age <max-auth-age>” in the tsm authentication topic.
When reviewing the vizportal.log file, you might see the error "The intended audience doesn’t match the recipient".
To resolve this issue, ensure the appID that Tableau Server expects matches the one Azure AD sends. Azure automatically prefixes the application ID with "SPN:" when it uses the application ID as the audience for the app being used. You can change the value in the Tableau SAML settings by adding the "SPN:" prefix to the application ID.
For example: SPN:myazureappid1234
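The two troubleshooting cases above (an assertion rejected because the IdP's authentication is older than maxAuthenticationAge, and the "intended audience doesn't match the recipient" error) are both checks the service provider performs on the SAML assertion. The following Python script is an added example, not Tableau Server's or Microsoft's code: it parses the relevant parts of a constructed Azure AD-style SAML response and reproduces those two checks, so you can see why a stale AuthnInstant fails against the page's 7776000-second max-auth-age and why an entity ID without the "SPN:" prefix fails the audience check. The XML template, the tenant ID placeholder, the user "jdoe" and the timestamps are all constructed for the example; signature validation is deliberately out of scope.

```python
"""Reproduce two service-provider checks on an Azure AD SAML assertion:
authentication age (AuthnInstant vs. max-auth-age) and audience restriction
(Audience vs. the entity ID Tableau Server is configured with).
Added example; not Tableau or Microsoft code."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

# Constructed template of the parts of an Azure AD SAML response that matter here.
# The XML signature, attribute statement and real tenant ID are omitted on purpose.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issued}">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{authn}" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""


def build_response(authn_instant, audience, issued="2024-06-01T12:00:00Z"):
    """Build a constructed response with the given AuthnInstant and Audience."""
    return RESPONSE_TEMPLATE.format(samlp=SAMLP, saml=SAML, issued=issued,
                                    authn=authn_instant, audience=audience)


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC; accept the trailing 'Z' form."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def parse_assertion(xml_text):
    """Extract issuer, NameID, audiences and AuthnInstant from the first assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is None or "AuthnInstant" not in authn.attrib:
        raise ValueError("no AuthnStatement/AuthnInstant in assertion")
    audience_path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text for a in assertion.findall(audience_path, NS)],
        "authn_instant": parse_saml_time(authn.attrib["AuthnInstant"]),
    }


def check_authn_age(info, now, max_auth_age_seconds):
    """Reject when the IdP authenticated the user longer ago than max-auth-age
    (the value given to 'tsm authentication saml configure -a', in seconds)."""
    age = (now - info["authn_instant"]).total_seconds()
    if age < 0:
        return False, age, "AuthnInstant is in the future (clock skew?)"
    if age > max_auth_age_seconds:
        return False, age, (f"authenticated {age:.0f}s ago, exceeds max-auth-age "
                            f"{max_auth_age_seconds}s; enable wgserver.saml.forceauthn "
                            f"or raise max-auth-age")
    return True, age, "ok"


def check_audience(info, expected_entity_id):
    """Reject when none of the assertion's Audience values equals our entity ID."""
    if expected_entity_id in info["audiences"]:
        return True, "ok"
    return False, (f"intended audience {info['audiences']} does not match "
                   f"recipient {expected_entity_id!r}")


def validate(xml_text, expected_entity_id, now, max_auth_age_seconds=7776000):
    """Return a list of problems; an empty list means both checks passed."""
    info = parse_assertion(xml_text)
    problems = []
    ok, _, why = check_authn_age(info, now, max_auth_age_seconds)
    if not ok:
        problems.append("authn-age: " + why)
    ok, why = check_audience(info, expected_entity_id)
    if not ok:
        problems.append("audience: " + why)
    return problems


if __name__ == "__main__":
    now = parse_saml_time("2024-06-01T12:00:00Z")
    # Stale IdP session (authenticated ~121 days ago) and an entity ID missing "SPN:".
    stale = build_response("2024-02-01T08:00:00Z", "SPN:myazureappid1234")
    print(validate(stale, "myazureappid1234", now))
    # Fresh authentication (what ForceAuthn produces) and the prefixed entity ID.
    fresh = build_response("2024-06-01T11:59:30Z", "SPN:myazureappid1234")
    print(validate(fresh, "SPN:myazureappid1234", now))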