Configuring SAML for Tableau Server with OneLogin (TSM)

Madhav Kannan
Jul 30, 2018 · 5 min read

For pre-TSM versions (2018.1 or below), please see the guide here.

For a while now, I have been trying to find a guiding document to describe how Tableau Server on Windows can be configured for SAML with OneLogin/ Okta, etc.

Image for post
Image for post
Configuring SAML on Tableau Server with OneLogin

While Tableau cannot officially list these steps, due to dependence on 3rd party applications, I found this Interworks article extremely helpful while setting up. However, the article is now a bit outdated, leading to a few sleepless nights spent in configuring the Server correctly. I am hoping the piece below helps to bridge the gap.

1. We first proceed to install the Tableau Server with local authentication selected. Make sure that you have created an administrator user in the Tableau Server, and authenticate yourself successfully to ensure that things are working smoothly before proceeding.

2. Once the installation is successful, revisit the SAML requirements to ensure that you have all the pre-requisites ready.

3. A key and certificate pair now needs to be generated for setting up SAML. To achieve this, Tableau Server has already installed the necessary pre-requisites. Follow the below steps one by one -

  • Open the Command Prompt as an Administrator and run the following command –
set OPENSSL_CONF=c:\Program Files\Tableau\Tableau Server\<version>\apache\conf\openssl.cnf
  • Navigate to the Apache bin directory for Tableau Server –
cd C:\Program Files\Tableau\Tableau Server\<version>\apache\bin
  • Create the key file –
openssl.exe genrsa -out <yourcertname>.key 4096
  • Create the csr file –
openssl.exe req -new -key <yourcertname>.key -out <yourcertname>.csr
  • Create the crt file –
openssl x509 -req -days 365 -in <yourcertname>.csr -signkey <yourcertname>.key -out <yourcertname>.crt

4. Having generated all the necessary files, we then proceed to create a folder named SAML (C:\Program Files\Tableau\Tableau Server\SAML), and place the above 3 created files in this directory.

5. Proceed to log into the Administrator console of your OneLogin account, and add a new Application by navigating to Apps -> Company Apps

6. Click on Add Apps, and search for ‘Tableau Server (Signed Response)’

Image for post
Image for post
Hurdle #1 : Choose the correct Application

7. Now comes the configuration piece. Configure the app as follows -

  • Enter a Display name and a thumbnail (optional), and Save the app.
Image for post
Image for post
Info tab
  • In the Info tab, ensure that the details are similar to what has been entered above.
  • In the Configuration tab, enter the details as seen below (note the lack of trailing slashes) –
Image for post
Image for post
Configuration tab (Hurdle #2: Enter without any trailing slashes)
  • In the Parameters tab, ensure that Username field has a value of Username. This implies that it is taking the value directly from the user’s details as stored in OneLogin
Image for post
Image for post
Hurdle #3: Correctly define the SAML assertion
  • The tab should finally look like this –
Image for post
Image for post
Parameters tab
  • All other fields remain as-is. Click on Save.
  • Re-enter the app and export the SAML metadata by clicking on ‘More Actions’. Save this file to the SAML folder in Tableau Server that was created in step 4
Image for post
Image for post
Export the SAML Metadata from OneLogin

8. Navigate to the Users tab, and select the administrator user that has been added to Tableau Server already –

Image for post
Image for post
Search for the administrator user

9. Configure the above user as follows –

  • In the User Info tab, ensure that the user has a username that matches their Tableau Server username.
  • In the Applications tab, add the created application to the user –
Image for post
Image for post
Add the newly created application
  • Ensure that the Username tab is filled (this is grabbed from the user info page due to the way that the app is configured), and that the user is allowed to sign in –
Image for post
Image for post
Hurdle #4: Ensuring correct SAML assertion

10. With that, the OneLogin configuration is complete! Now open the TSM window (https://server-name:8850), and navigate to Configuration -> User Identity & Access -> Authentication Method. Fill in the highlighted fields (please note once again that there are no trailing slashes in the return URL or entity ID) –

Image for post
Image for post
Configuring TSM

11. Now ‘Apply Pending Changes’ and restart the Tableau Server and try to access the Tableau Server directly or from the OneLogin application portal. If you try to access the Server directly, you should be redirected to OneLogin to authenticate first.

Some useful points that I learned -

  • In case of errors, the best means to troubleshoot the SAML error is by visiting the vizportal-#.log that can be found at C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizportal.
  • Ensure that the maximum session age setting on OneLogin matches the wgserver.saml.maxauthenticationage setting on Tableau Server. The default setting on Tableau Server is 7200 seconds or 2 hours.
  • Mozilla Firefox has a neat extension to trace the SAML response being sent from OneLogin to Tableau Server for further troubleshooting. It can be downloaded from here.
Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store