Interested in playing with Tableau Server and SAML? Awesome! Now, go find an IdP.
Don’t have access to one you say? Don’t want to stand one up? Don’t know how to?
Then…no soup for you, kid.
Until now.
As a late Festivus present, allow me to present a walk-through that will help you get your head around Tableau and SAML. We’re going to leverage a public IdP that will cost you zero dollars to leverage.
You’re welcome.
This gift isn’t perfect however. Tableau Server’s SAML Requirements help topic says the following around IdP-to-Tableau username mapping:
Matching usernames: Tableau Server usernames and the usernames stored in the IdP must match. For example, if the username for Jane Smith is stored in PingFederate as jsmith, it must also be stored in Tableau Server as jsmith. Also, if you are configuring SAML as part of Tableau Server Setup, part of Setup is creating the Tableau Server administrator account. Before you run Setup, make sure that the account you plan to use exists in your IdP.
….and our free IdP isn’t actually configured to return a username attribute on successful authentication. Ouch.
As a result, we’ll do something which may feel a wee bit unusual to you while we’re testing. More on that later.
Also, I’m assuming that your Tableau Server is accessible via the Internet since that is where our “free” IdP lives.
Now, follow me!
Start with Tableau
- Review Tableau Server help topics on SAML: http://onlinehelp.tableausoftware.com/current/server/en-us/saml.htm. They’re not huge – invest 10 minutes, please.
- Create a user on your Tableau Server with an email address as the username. Obviously, you should have access to this email account yourself.
- Complete steps 1-5 from the SAML Configuration topic in Tableau Server Help http://onlinehelp.tableausoftware.com/current/server/en-us/config_saml.htm
Next, let’s play with an IdP:
- Jump out to https://idp.ssocircle.com/sso/UI/Login and click New User.
- Register for a new account, making sure the Email Address that you specify is the same one you are leveraging as your username in Tableau. The email address you enter MUST match an existing username in Tableau Server. Also, don’t forget to respond to the registration email that SSOCircle will send you.
- Click Manage Metadata in the left-hand navigation bar and then choose to Add New Service Provider.
- Enter the following information in the Service Provider Metadata import form:
- The fully qualified domain name of your Tableau Server
- Choose to return the EmailAddress attribute. This is important because it is the mechanism that will communicate who the SSOCircle-authenticated user is back to Tableau Server
- When you worked on Tableau Server earlier, you generated an XML metadata file. Copy the text of that file into the Insert your metadata information box.
- After you save your changes, click Manage Metadata in the left-hand navigation bar.
- Copy the information presented into notepad, and save the file with an XML file extension. This is your IdP metadata file.
Flip back to Tableau Server, and continue working through the configuration guide:
- Knock out steps 8-10 in the configuration guide.
Now, the Kung-Fu begins.
Recall that SSOCircle doesn’t return the Username attribute that Tableau is looking for. We’re being sneaky and causing the “username” (actually an email address) to be returned by SSOCircle via its optional EmailAddress attribute.
We need to tell Tableau Server that the “username” can be found in the EmailAddress attribute using TabAdmin:
tabadmin set wgserver.saml.idpattribute.username EmailAddress
Bounce Tableau, and you should be all set. Here’s your login in the browser:
…which drops you into the Tableau webapp:
Here I am logging into Tableau via Desktop:
…and the same prompts inside the iPad:
Done! Have fun!