Configuring SAML for Tableau Server with OneLogin

For a while now, I have been trying to find a guiding document to describe how Tableau Server on Windows can be configured for SAML with OneLogin/ Okta, etc.

Tableau supports SAML with OneLogin

While Tableau cannot officially list these steps, due to dependence on 3rd party applications, I found this Interworks article extremely helpful while setting up. However, the article is now a bit outdated, leading to a few sleepless nights spent in configuring the Server correctly. I am hoping the piece below helps to bridge the gap.

1. We first proceed to install the Tableau Server with local authentication selected. Make sure that you have created an administrator user in the Tableau Server, and authenticate yourself successfully to ensure that things are working smoothly before proceeding.

2. Post the installation, stop the Tableau Server. Now would be a good time to revisit the SAML requirements.

3. A key and certificate pair now needs to be generated for setting up SAML. To achieve this, Tableau Server has already installed the necessary pre-requisites. Follow the below steps one by one -

  • Open the Command Prompt as an Administrator and run the following command –
set OPENSSL_CONF=c:\Program Files\Tableau\Tableau Server\<version>\apache\conf\openssl.cnf
  • Navigate to the Apache bin directory for Tableau Server –
cd C:\Program Files\Tableau\Tableau Server\<version>\apache\bin
  • Create the key file –
openssl.exe genrsa -out <yourcertname>.key 4096
  • Create the csr file –
openssl.exe req -new -key <yourcertname>.key -out <yourcertname>.csr
  • Create the crt file –
openssl x509 -req -days 365 -in <yourcertname>.csr -signkey <yourcertname>.key -out <yourcertname>.crt

4. Having generated all the necessary files, we then proceed to create a folder named SAML (C:\Program Files\Tableau\Tableau Server\SAML), and place the above 3 created files in this directory.

5. Proceed to log into the Administrator console of your OneLogin account, and add a new Application by navigating to Apps -> Company Apps

6. Click on Add Apps, and search for ‘Tableau Server (Signed Response)’

Hurdle #1 : Choose the correct Application

7. Now comes the configuration piece. Configure the app as follows -

  • Enter a Display name and a thumbnail (optional), and Save the app.
Info tab
  • In the Info tab, ensure that the details are similar to what has been entered above.
  • In the Configuration tab, enter the details as seen below (note the lack of trailing slashes) –
Configuration tab (Hurdle #2: Enter without any trailing slashes)
  • In the Parameters tab, ensure that Username field has a value of Username. This implies that it is taking the value directly from the user’s details as stored in OneLogin
Hurdle #3: Correctly define the SAML assertion
  • The tab should finally look like this –
Parameters tab
  • All other fields remain as-is. Click on Save.
  • Re-enter the app and export the SAML metadata by clicking on ‘More Actions’. Save this file to the SAML folder in Tableau Server that was created in step 4
Export the SAML Metadata from OneLogin

8. Navigate to the Users tab, and select the administrator user that has been added to Tableau Server already –

Search for the administrator user

9. Configure the above user as follows –

  • In the User Info tab, ensure that the user has a username that matches their Tableau Server username.
  • In the Applications tab, add the created application to the user –
Add the newly created application
  • Ensure that the Username tab is filled (this is grabbed from the user info page due to the way that the app is configured), and that the user is allowed to sign in –
Hurdle #4: Ensuring correct SAML assertion

10. With that, the OneLogin configuration is complete! Now open the Configure Tableau Server window, and fill in the highlighted fields (please note once again that there are no trailing slashes in the return URL or entity ID) –

Final Configure Tableau Server window

11. Now start the Tableau Server and try to access the Tableau Server directly or from the OneLogin application portal. If you try to access the Server directly, you should be redirected to OneLogin to authenticate first.

Some useful points that I learned -

  • In case of errors, the best means to troubleshoot the SAML error is by visiting the vizportal-#.log that can be found at C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizportal.
  • Ensure that the maximum session age setting on OneLogin matches the wgserver.saml.maxauthenticationage setting on Tableau Server. The default setting on Tableau Server is 7200 seconds or 2 hours.
  • Mozilla Firefox has a neat extension to trace the SAML response being sent from OneLogin to Tableau Server for further troubleshooting. It can be downloaded from here.