One of the best new features of Tableau 8.1 is SAML integration.
SAML is an open, web-based authentication standard that uses XML to authenticate users. In Tableau, SAML can be used as an alternative to trusted tickets, and as with trusted tickets you will still need to create the users on Tableau Server prior to login. Unlike trusted tickets, however, SAML also works inside the Desktop version of Tableau, which opens an iframe to the login service.
How Does SAML Work in Tableau?
SAML works by passing XML containing user information and certificates back and forth between Tableau and the Identity Provider (IdP).
The Identity Provider can be an authentication service that you set up yourself or a paid service that is a more “out of the box” solution.
Using POST requests, base64-encoded XML is passed between Tableau Server and your Identity Provider to authenticate the user’s credentials.
If you ever need to debug SAML, you can capture these requests with a browser plugin that records POST data and base64-decode the string.
Configuring SAML in Tableau
To configure SAML, you will need to create a self-signed certificate and key. These can be generated for free from a number of sources, including OpenSSL.
The Tableau return URL is simply the URL of your server, and the entity ID can be any string you’d like to use to describe your Tableau deployment. I used “interworks” for my setup.
The certificate files need to be stored in a location the Tableau service can read, such as the Tableau directory, but not inside the version-specific directory, as they would be lost during upgrades (i.e. Tableau\Tableau Server\SAML, NOT Tableau\Tableau Server\8.1\SAML).
Tableau requires a few settings that will need to be set up with the Identity Provider:
- Tableau requires the POST binding.
- The Identity Provider response must contain the “username” attribute (the actual attribute name can be changed with the Tableau setting “wgserver.saml.idpattribute.username” if needed).
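As an added example (not from the original post, and not Tableau's own code), here is a small Python script that does what the debugging step above describes: it takes a captured SAMLResponse form value, base64-decodes it, and checks the IdP response for the username attribute Tableau expects. The response XML and the user values are constructed, and the script does not validate the XML signature, so it is a debugging aid only.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of an IdP response; not a real capture. Signature omitted.
SAMPLE_RESPONSE_XML = b"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject><saml2:NameID>jdoe@example.com</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="username"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
# The SAMLResponse form field as a POST-capturing plugin shows it: plain base64 of the XML.
CAPTURED_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML).decode()
# Same response from an IdP that sends the attribute under a different name.
CAPTURED_WITH_UID_ATTR = base64.b64encode(
    SAMPLE_RESPONSE_XML.replace(b'Name="username"', b'Name="uid"')).decode()

def decode_saml_message(field_value):
    """Turn a captured SAMLResponse (POST binding) back into an XML tree."""
    return ET.fromstring(base64.b64decode(field_value))

def extract_username(root, attr_name="username"):
    """Return (NameID, value of the attribute Tableau maps to the username).
    attr_name mirrors the wgserver.saml.idpattribute.username setting."""
    name_id = root.findtext(".//saml2:Subject/saml2:NameID", namespaces=NS)
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == attr_name:
            return name_id, attr.findtext("saml2:AttributeValue", namespaces=NS)
    return name_id, None

def check_tableau_response(root, attr_name="username"):
    """List what is missing from what this post says Tableau needs in the response."""
    problems = []
    code = root.find(".//saml2p:Status/saml2p:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    if extract_username(root, attr_name)[1] is None:
        problems.append(f"no '{attr_name}' attribute in the AttributeStatement")
    return problems
```

Paste the real SAMLResponse value from your capture in place of the constructed one; if the check reports a missing attribute, either have the IdP emit “username” or point wgserver.saml.idpattribute.username at the name it does send.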
Once you have provided the information about your Tableau Server, Tableau can generate a metadata file that you give to your Identity Provider; the Identity Provider uses it to validate requests from Tableau. The Identity Provider will in turn provide a similar metadata file for you to install in Tableau.
SAML can be configured after the server is set up, without a full uninstall, so you can tweak the settings throughout the process to debug any authentication problems. Tableau can use SAML in a variety of scenarios: if an existing SAML system is already in place, or if you simply need to tie into a non-LDAP system, SAML may be a good solution.
Since SAML is completely customizable, it also makes it possible to tie together multiple systems, including social providers (Facebook, Twitter, etc.), through an OAuth pathway on the SAML login screen.