Configure SAML with Okta

If you use Okta as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for Tableau Cloud or Tableau Cloud Manager (TCM). You can also use the How to Configure SAML 2.0 for Tableau Cloud topic in the Okta documentation.

Tableau Cloud’s SAML integration with Okta supports service provider (SP)-initiated SSO, identity provider (IdP)-initiated SSO, and single logout (SLO).

Notes: 

  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.
  • Beginning February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau requirement.
  • The configuration steps in the IdP may be in a different order than what you see in Tableau.

Step 1: Get started

In Tableau Cloud, do the following:

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, click the New Configuration button, select SAML from the Authentication drop-down, and then enter a name for the configuration.

    Note: Configurations created before November 2024 (Tableau 2024.3) can't be renamed.

Alternatively, in TCM, do the following:

  1. Sign in to TCM as a cloud administrator, and select Settings > Authentication.

  2. Select the Enable an additional authentication method check box, and select SAML from the Authentication drop-down.

  3. Click the Configuration (required) drop-down arrow.

In the Okta administrator console, do the following: 

Note: For TCM, you use the "Tableau Cloud application" in the IdP to configure TCM authentication.

  1. Open a new browser tab or window and sign in to your Okta administrator console.

  2. From the left pane, select Applications > Applications and click the Browse App Catalog button.

  3. Search for and click "Tableau Cloud" and then click the Add Integration button. This opens the General Settings tab.

  4. (Optional) If you have more than one Tableau Cloud site, edit the site name in the Application label field to help you differentiate between your Tableau Cloud application instances.

  5. Navigate to the Sign On tab, click Edit, and do the following:

    1. Under Metadata details, copy the Metadata URL.

    2. Paste the URL into a new browser tab or window and save the result as a file, using the default file name "metadata.xml".

Step 2: Configure SAML in Tableau Cloud or TCM

Complete the following procedure after you save the SAML metadata file from Okta, as described in the section above.

For Tableau Cloud

  1. Back in Tableau Cloud, on the New Configuration page, under 2. Upload metadata to Tableau, click the Choose a file button and navigate to the SAML metadata file you saved from Okta. This automatically fills the IdP entity ID and SSO Service URL values.

  2. Map the attribute names (assertions) under 3. Map attributes to the corresponding attribute names (assertions) in the Okta administrator console's Tableau Cloud User Profile Mappings page.

  3. Under 4. Choose default for embedding views (optional), select the experience you want to enable when users access embedded content. For more information, see the About enabling iFrame embedding section below.

  4. Click the Save and Continue button.

For TCM

  1. Back in TCM, on the Authentication page, under 2. Upload metadata to Tableau, click the Choose a file button and navigate to the SAML metadata file you saved from Okta. This automatically fills the IdP entity ID and SSO Service URL values.

  2. Map the attribute names (assertions) under 3. Map attributes to the corresponding attribute names (assertions) in the Okta administrator console's Tableau Cloud User Profile Mappings page.

  3. Click the Save and Continue button.

Step 3. Configure "Tableau Cloud application" in your IdP

For Tableau Cloud, the procedure in this section will use the information from 5. Get Tableau Cloud Metadata, under Method 2: Copy metadata and download certificate on the New Configuration page in Tableau Cloud. For TCM, the procedure in this section will use the information from 4. Get Tableau Cloud Metadata, under Method 2: Copy metadata and download certificate on the Authentication page in TCM.

Note: For TCM, you use the "Tableau Cloud application" in the IdP to configure TCM authentication.

  1. In the Okta administrator console, click the Assignments tab to add your users or groups.

  2. When finished, click Done.

  3. Click the Sign On tab and in the Settings section, click Edit.

  4. (Optional) If you want to enable single logout (SLO), do the following:

    1. Select the Enable Single Logout check box.

    2. Copy the "Single Logout URL" value from the Tableau Cloud metadata file. For example, <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxx/public/sp/SLO/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"/>. For more information, see Configure Single Logout Using SAML with Okta in the Tableau Knowledge Base.

    3. In the Advanced Sign-on Settings text box, enter the value you copied in step 2.

    4. Next to Signature Certificate, click the Browse button and navigate to the certificate file you downloaded in the section above.

    5. Select the file and click the Upload button.

    6. When finished, click Save.

  5. Select Applications > Applications, click the Tableau Cloud application, select the Sign On tab, and do the following:

    1. Click Edit.

    2. Under Advanced Sign-on Settings, for the Tableau Cloud entity ID text box in the Okta administrator console, paste the Tableau Cloud entity ID value from Tableau Cloud or TCM.

    3. For the Tableau Cloud ACS URL text box in the Okta administrator console, paste the Tableau Cloud ACS URL value from Tableau Cloud or TCM.

    Note: The Tableau Cloud and TCM SAML configuration settings appear in a different order than on the Okta settings page. To prevent SAML authentication issues, make sure that the Tableau Cloud entity ID and Tableau Cloud ACS URL are entered into the correct fields in Okta.

  6. When finished, click Save.
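
The note above about entering the entity ID and ACS URL in the correct Okta fields can be checked against the metadata itself. The following is an added example, not Tableau or Okta code: it parses a SAML metadata file (the one saved from Okta in Step 1, or the Tableau Cloud one used in this step) and flags swapped or mismatched values. The sample document, the sp.example host and the function names are constructed for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def summarize_metadata(xml_text):
    """Extract the entity ID, endpoints and certificate fingerprints from SAML metadata."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("SAML metadata must not contain a DTD")
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    def locations(tag):
        return [e.get("Location") for e in root.iter(MD + tag)]
    certs = [hashlib.sha256(base64.b64decode("".join(e.text.split()))).hexdigest()
             for e in root.iter(DS + "X509Certificate")]
    return {"entity_id": root.get("entityID"), "sso": locations("SingleSignOnService"),
            "acs": locations("AssertionConsumerService"),
            "slo": locations("SingleLogoutService"), "cert_sha256": certs}

def check_okta_fields(sp, entity_id_field, acs_url_field):
    """Compare the values typed into Okta with the SP metadata; return findings."""
    if entity_id_field in sp["acs"] and acs_url_field == sp["entity_id"]:
        return ["entity ID and ACS URL are swapped"]
    findings = []
    if entity_id_field != sp["entity_id"]:
        findings.append("entity ID does not match metadata")
    if acs_url_field not in sp["acs"]:
        findings.append("ACS URL does not match metadata")
    findings += ["endpoint is not HTTPS: " + url
                 for url in sp["acs"] + sp["slo"] if not url.startswith("https://")]
    return findings

# Constructed sample: hosts, IDs and certificate bytes are placeholders, not Tableau values.
FAKE_CERT = base64.b64encode(b"placeholder bytes, not a real certificate").decode()
SAMPLE_SP = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example/entity/SITE-ID">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example/public/sp/SLO/SITE-ID"/>
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example/acs/SITE-ID"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SP = summarize_metadata(SAMPLE_SP)
print(check_okta_fields(SP, SP["acs"][0], SP["entity_id"]))  # values pasted into the wrong fields
```

The SHA-256 fingerprints in `cert_sha256` can be compared with the certificate shown in the other product's console before you save the configuration.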

Step 4: Test the SAML configuration

In Okta, do the following:

  • Add a sample user to Okta and assign them to the "Tableau Cloud application".

In Tableau Cloud or TCM, do the following:

  1. Add that Okta user to Tableau Cloud to test the SAML configuration.

  2. Do one of the following:

    • In Tableau Cloud, on the New Configuration page, under 7. Test Configuration, click the Test Configuration button.

    • In TCM, on the Authentication page, under 6. Test configuration, click the Test Configuration button.

We highly recommend that you test the SAML configuration to avoid lockout scenarios. Testing the configuration helps ensure that you have configured SAML correctly before changing the authentication type of your users to SAML. To test the configuration successfully, make sure that there is at least one user you can sign in as who is already provisioned in the IdP and added to Tableau Cloud or TCM with the SAML authentication type configured.

Note: If the connection fails, consider keeping the NameID attribute in Tableau as-is.

Step 5: Add additional users to the SAML-enabled Tableau Cloud site or TCM

If you plan to use SCIM to provision your users from Okta, do not manually add your users to Tableau Cloud. For more information, see Configure SCIM with Okta. If you are not using SCIM, then use the steps below to add additional users to your site. Note: SCIM provisioning is not available for TCM.

The procedure described in this section is performed on the Tableau Cloud Users page.

  1. After you complete the steps above, from the left pane, navigate to the Users page.

  2. Follow the procedure described in:

About enabling iFrame embedding

Note: Applies to Tableau Cloud only.

When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure Okta to allow authentication using an inline frame (iFrame) for embedded visualization. Inline frame embedding may provide a more seamless user experience when signing on to view embedded visualizations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Cloud when browsing to pages that contain embedded visualizations.

Caution: iFrames can be vulnerable to clickjack attacks. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Cloud, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking on the Open Web Application Security Project website.

  1. Sign in to your Okta administrator console.

  2. From the left pane, select Customizations > Other and navigate to the IFrame Embedding section.

  3. Click Edit, select the Allow iFrame embedding check box, and then click Save.
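
One way to confirm what the Allow iFrame embedding setting changes is to compare the anti-framing headers on the sign-in response before and after saving. This is an added example, not Okta or Tableau code; it assumes framing is controlled through the standard X-Frame-Options and Content-Security-Policy frame-ancestors headers (the page does not say which headers Okta sends), and the header sets shown are constructed.

```python
def framing_policy(headers):
    """Return 'none', 'same-origin', 'any', or a tuple of allowed source expressions."""
    h = {k.lower(): v for k, v in headers.items()}
    # CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = tuple(parts[1:])
            if not sources or sources == ("'none'",):
                return "none"
            if "*" in sources:
                return "any"
            if sources == ("'self'",):
                return "same-origin"
            return sources
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "none"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "any"  # no effective anti-framing header: any page may frame the response

RANK = {"none": 0, "same-origin": 1, "any": 3}

def exposure(policy):
    """Order policies by how many origins may frame the page."""
    return RANK.get(policy, 2)  # an explicit allowlist sits between same-origin and any

def setting_change_report(before, after):
    """Describe how the framing policy moved between two header captures."""
    b, a = framing_policy(before), framing_policy(after)
    if exposure(a) > exposure(b):
        verdict = "widened"
    elif exposure(a) < exposure(b):
        verdict = "narrowed"
    else:
        verdict = "unchanged"
    return {"before": b, "after": a, "verdict": verdict}

# Constructed header sets, not captured from a real Okta tenant.
BEFORE = {"X-Frame-Options": "SAMEORIGIN"}
AFTER_ALLOWLIST = {"Content-Security-Policy":
                   "default-src 'self'; frame-ancestors 'self' https://portal.example"}
AFTER_OPEN = {}

print(setting_change_report(BEFORE, AFTER_ALLOWLIST))
print(setting_change_report(BEFORE, AFTER_OPEN))
```

A result of `any` after the change means every origin can frame the sign-in page, which is the condition the caution above describes; an explicit allowlist of the pages that host embedded views is the narrower outcome.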