SCIM


System for Cross-domain Identity Management (SCIM) is a protocol that standardizes the automation of users and groups provisioning for integration with cloud-based identity providers (IdPs), such as Microsoft Entra ID and Okta.

Beginning in version 2025.3, Tableau Server supports SCIM, which enables identity providers (IdPs) to centrally manage user identities while streamlining the process of managing users and groups membership in Tableau Server. The IdP uses SCIM to manage a user's lifecycle in Tableau and Tableau Server is kept in sync with the provisioning assignments in the IdP. This type of integration improves security and reduces the manual work for server administrators in Tableau Server.

The SCIM capability on Tableau Server is designed to work at the site-level and support site-specific SAML authentication. When site-specific SAML authentication is configured, users provisioned to the site through SCIM will be set up with site-specific SAML authentication.

Configure SCIM integration with Tableau Server

Step 1: Perform prerequisites

Before enabling SCIM integration with Tableau Server, you’ll need to meet the following requirements:

  • Have server administrator access to Tableau Server.
  • Able to modify your IdP's SCIM settings for Tableau Server.
  • Have SAML authentication enabled and configured for the site. For more information, see, Configure Site-Specific SAML.
  • Optionally, if using external token generation and management, you have created and enabled a Tableau connected app. If you haven't done this, see Use Tableau Connected Apps for Application Integration.

Note: Because of the Tableau Server firewall, you might need to set up an on-premises connector in your identity provider (IdP) for the SCIM capability to work. For example, in Okta you will need to set up on-premises provisioning (OPP(Link opens in a new window)). In Microsoft Entra ID, you will need to set up a provisioning agent(Link opens in a new window).

Step 2: Configure site-level SCIM

The procedure described in this section requires that site-specific SAML authentication is configured.

You have the option to use a Tableau-generated SCIM token. Alternatively, you can bypass the SCIM token that Tableau generates and instead use an externally generated JWT (using a Tableau connected app) to support SCIM requests.

Enable SCIM - using a Tableau-generated token

  1. Sign in to Tableau Server as a server administrator.

  2. Navigate to the site and click Settings.

  3. Under System for Cross-domain Identity Management (SCIM) heading, select the Enable SCIM checkbox. This populates the Base URL and New Secret button.

  4. Do the following:

    1. Copy the Base URL to use in your IdP's SCIM settings.

    2. Click the New Secret button.

    3. Copy the secret and store it in a safe location so that you can use in your IdP's SCIM settings.

      Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can click New Secret again.

    4. Click the Save button at the top or bottom of the Settings page.

  5. After enabling SCIM in Tableau Server, use the steps in your IdP's documentation to enable SCIM support with your identity provider (IdP).

Enable SCIM - using an external token

To use an external token, you must 1) enable the external token capability for SCIM and 2) enable SCIM.

Step 1: Turn on external token

  1. Open a command prompt as an server administrator on the initial node (where TSM is installed) in the cluster.

  2. Run the following commands:

    1. tsm configuration set -k features.JWTSupportForSCIM -v true

    2. tsm pending-changes apply

      For more information, see features.JWTSupportForSCIM.

Step 2: Enable SCIM

  1. Sign in to Tableau Server as a server administrator.

  2. Navigate to the site and click Settings.

  3. Under System for Cross-domain Identity Management (SCIM) heading, select the Enable SCIM checkbox. This populates the Base URL and New Secret button.

  4. Do the following:

    1. Copy the Base URL to use in your IdP's SCIM settings.

    2. Ignore the New Secret button.

    3. Click the Save button at the top or bottom of the Settings page.

  5. After enabling SCIM in Tableau Server, use the steps in your IdP's documentation to enable SCIM support with your identity provider (IdP).

Step 3: Provision users and groups

Follow your IdP’s documentation to provision users and groups after enabling SCIM support on the site.

Back to top
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!