For pre-TSM versions (2018.1 or below), please see the guide here.
For a while now, I have been trying to find a guiding document to describe how Tableau Server on Windows can be configured for SAML with OneLogin, Okta, etc.
While Tableau cannot officially list these steps, due to dependence on third-party applications, I found this Interworks article extremely helpful while setting up. However, the article is now a bit outdated, leading to a few sleepless nights spent configuring the Server correctly. I am hoping the piece below helps to bridge the gap.
1. Install Tableau Server with local authentication selected. Create the initial administrator user and sign in with it to confirm that the server works before touching SAML; keep that local administrator's credentials, because if the SAML configuration breaks sign-in you will disable SAML again from TSM and fall back to it.
2. Once the installation is successful, revisit Tableau's SAML requirements to confirm that all prerequisites are in place. In particular, settle on the public URL of the server now: it becomes the entity ID and return URL in both OneLogin and TSM, and the two sides must agree on it exactly.
3. Tableau Server needs a certificate and private key of its own for the SAML exchange with the IdP. You do not have to install anything to generate them: the Apache component that ships with Tableau Server includes openssl.exe. Follow the steps below one by one -
- Open the Command Prompt as an Administrator and point OpenSSL at the configuration file that ships with Tableau's Apache (on TSM installs the Apache component may instead live under packages\apache.<version_code>; use whichever of the two layouts exists on your machine, for both of the paths below) –
set OPENSSL_CONF=C:\Program Files\Tableau\Tableau Server\<version>\apache\conf\openssl.cnf
- Navigate to the Apache bin directory for Tableau Server –
cd "C:\Program Files\Tableau\Tableau Server\<version>\apache\bin"
- Create the private key file (4096-bit RSA) –
openssl.exe genrsa -out <yourcertname>.key 4096
- Create the certificate signing request; you will be prompted for the subject fields, and the Common Name should be the server's host name –
openssl.exe req -new -key <yourcertname>.key -out <yourcertname>.csr
- Create the certificate. It is self-signed and valid for 365 days; SAML sign-in stops working the day it expires, so record the renewal date –
openssl.exe x509 -req -days 365 -in <yourcertname>.csr -signkey <yourcertname>.key -out <yourcertname>.crt
4. Having generated the .key, .csr and .crt files, create a folder named SAML (C:\Program Files\Tableau\Tableau Server\SAML) and place them there. TSM only needs the certificate and the key; the CSR can be kept for re-issuing the certificate later. The .key file is a private key: make sure that only administrators and the account the Tableau services run as can read it.
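The following PowerShell script is an added example, not part of the original post: it performs steps 3 and 4 end to end from an elevated prompt, finds the OpenSSL that Tableau Server installs (so it works with either folder layout), generates the key and self-signed certificate without prompts, checks that the certificate really belongs to the key, and restricts the private key's permissions. The file base name, the certificate subject and the service account are assumptions to adjust for your server.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

$CertName    = 'tableau-saml'                              # assumed file base name
$Subject     = '/CN=tableau.example.com/O=Example Corp'    # assumed subject; CN = server host name
$TableauRoot = 'C:\Program Files\Tableau\Tableau Server'
$SamlDir     = Join-Path $TableauRoot 'SAML'

# Locate Tableau's bundled openssl.exe. The folder layout differs between releases
# (<version>\apache\bin on older installs, packages\apache.<version_code>\bin on TSM
# installs), so search for it instead of hard-coding a path.
$openssl = Get-ChildItem -Path $TableauRoot -Recurse -Filter 'openssl.exe' -ErrorAction SilentlyContinue |
           Select-Object -First 1 -ExpandProperty FullName
if (-not $openssl) { throw "openssl.exe not found under $TableauRoot" }
# conf\openssl.cnf sits next to the bin folder in both layouts.
$env:OPENSSL_CONF = Join-Path (Split-Path (Split-Path $openssl -Parent) -Parent) 'conf\openssl.cnf'

New-Item -ItemType Directory -Path $SamlDir -Force | Out-Null
Set-Location $SamlDir

# The same three commands as the post, run non-interactively (-subj replaces the prompts).
& $openssl genrsa -out "$CertName.key" 4096
& $openssl req -new -key "$CertName.key" -out "$CertName.csr" -subj $Subject
& $openssl x509 -req -days 365 -in "$CertName.csr" -signkey "$CertName.key" -out "$CertName.crt"

# Sanity check: the certificate must have been issued for this key. Compare the RSA
# modulus of both files; a mismatched pair is rejected by TSM or fails silently later.
$keyMod  = (& $openssl rsa  -noout -modulus -in "$CertName.key") -join ''
$certMod = (& $openssl x509 -noout -modulus -in "$CertName.crt") -join ''
if ($keyMod -ne $certMod) { throw 'Private key and certificate do not match' }

# Print the expiry date; SAML sign-in breaks on that day, so put it in the calendar.
& $openssl x509 -noout -subject -enddate -in "$CertName.crt"

# Lock down the private key: drop inherited ACEs and grant only SYSTEM, Administrators
# and the Tableau service account. NETWORK SERVICE is the default "Run As" account on
# Windows (assumption; substitute your own if you changed it during installation).
icacls "$CertName.key" /inheritance:r /grant:r 'SYSTEM:(R)' 'Administrators:(F)' 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null
Get-ChildItem $SamlDir
```

The modulus comparison is the check worth keeping even if you type the commands by hand: it takes one line and catches the most common reason a freshly generated pair is refused.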
5. Proceed to log into the Administrator console of your OneLogin account, and add a new Application by navigating to Apps -> Company Apps
6. Click on Add Apps, and search for ‘Tableau Server (Signed Response)’
7. Now comes the configuration piece. Configure the app as follows -
- Enter a Display name and a thumbnail (optional), and Save the app.
- In the Info tab, confirm that the details match what has been entered above.
- In the Configuration tab, enter your Tableau Server URL. Note the lack of trailing slashes: this value must match, character for character, the return URL and entity ID that you will enter in TSM later –
- In the Parameters tab, ensure that the Username field has the value Username. This means the app sends the user's OneLogin username as the SAML subject, and Tableau Server matches that subject against its own local usernames –
- All other fields remain as-is. Click on Save.
- Re-enter the app and export the SAML metadata by clicking on ‘More Actions’. Save this file to the SAML folder in Tableau Server that was created in step 4; TSM reads it as the identity provider metadata file, which is how it learns the OneLogin sign-in URL and signing certificate.
8. Navigate to the Users tab, and select the administrator user that has been added to Tableau Server already –
9. Configure the above user as follows –
- In the User Info tab, ensure that the user has a username that exactly matches their Tableau Server username; the match is on this string, so a different case or an e-mail address in one place and a bare username in the other will fail.
- In the Applications tab, add the created application to the user –
- Ensure that the Username field is filled (it is taken from the User Info page because of the way the app's Parameters tab is configured), and that the user is allowed to sign in –
10. With that, the OneLogin configuration is complete! Now open the TSM window (https://server-name:8850), navigate to Configuration -> User Identity & Access -> Authentication Method, and select SAML. Fill in the Tableau Server return URL and SAML entity ID (once again with no trailing slashes, matching the OneLogin app), the certificate and key files from step 4, and the OneLogin metadata file from step 7 –
11. Now ‘Apply Pending Changes’; this restarts Tableau Server. Once it is back, access Tableau Server directly or from the OneLogin application portal. If you access the Server directly, you should be redirected to OneLogin to authenticate first, and return signed in as the user from step 9.
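The same configuration as step 10, done from the tsm command line, is shown below as an added example that is not part of the original post. Before handing the files to TSM it checks the two things the post warns about (files present, no trailing slash on the URL) and reads the OneLogin metadata to print the IdP entity ID and sign-in URL and to confirm that the IdP signing certificate has not expired. The server URL and the file names are assumptions; replace them with yours. Run it as a Windows user who is a TSM administrator, or tsm will prompt for one.

```powershell
# Added example (not from the original post): server-wide SAML via the tsm CLI.
$ErrorActionPreference = 'Stop'

$SamlDir    = 'C:\Program Files\Tableau\Tableau Server\SAML'
$TableauUrl = 'https://tableau.example.com'                 # assumed; used as return URL and entity ID
$CertFile   = Join-Path $SamlDir 'tableau-saml.crt'         # assumed names from step 4
$KeyFile    = Join-Path $SamlDir 'tableau-saml.key'
$IdpMeta    = Join-Path $SamlDir 'onelogin_metadata.xml'    # assumed name of the step 7 export

# The value typed into the OneLogin app has no trailing slash, so this one must not either.
if ($TableauUrl.EndsWith('/')) { throw "Remove the trailing slash from $TableauUrl" }
foreach ($f in $CertFile, $KeyFile, $IdpMeta) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# Inspect the IdP metadata before configuring TSM with it.
[xml]$md = Get-Content -Raw $IdpMeta
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entityId = $md.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
$sso      = $md.SelectSingleNode('//md:IDPSSODescriptor/md:SingleSignOnService', $ns)
$certNode = $md.SelectSingleNode('//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]//ds:X509Certificate', $ns)
if (-not $certNode) { throw 'No signing certificate in the IdP metadata; re-export it from OneLogin' }

$certBytes = [Convert]::FromBase64String(($certNode.InnerText -replace '\s', ''))
$idpCert   = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)

Write-Host "IdP entityID : $entityId"
if ($sso) { Write-Host "IdP SSO URL  : $($sso.GetAttribute('Location'))" }
Write-Host "IdP cert     : $($idpCert.Subject), expires $($idpCert.NotAfter)"
if ($idpCert.NotAfter -lt (Get-Date)) { throw 'IdP signing certificate has expired; re-export the metadata' }

# Configure, enable and apply. Applying pending changes restarts Tableau Server.
tsm authentication saml configure --idp-entity-id $TableauUrl --idp-return-url $TableauUrl `
    --idp-metadata $IdpMeta --cert-file $CertFile --key-file $KeyFile
tsm authentication saml enable
tsm pending-changes apply

# Show the stored authentication settings so the values can be compared with the OneLogin app.
tsm authentication list
```

If sign-in breaks after this, `tsm authentication saml disable` followed by `tsm pending-changes apply` returns the server to local authentication, which is why step 1 insisted on a working local administrator.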
Some useful points that I learned -
- In case of errors, the best means to troubleshoot a SAML problem is the vizportal-#.log files under C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizportal; the SAML validation failure (wrong audience, expired assertion, unknown user) is logged there, whereas the browser only shows a generic error or a redirect loop.
- Ensure that the maximum session age setting on OneLogin matches the wgserver.saml.maxauthenticationage setting on Tableau Server. The default setting on Tableau Server is 7200 seconds or 2 hours. If a user's OneLogin session is older than this when they reach Tableau, the assertion's AuthnInstant is too old, Tableau Server rejects it, and the user is bounced back to OneLogin. The Tableau side can be changed with tsm configuration set -k wgserver.saml.maxauthenticationage -v <seconds> followed by tsm pending-changes apply.
- Mozilla Firefox has a neat extension, SAML-tracer, that shows the SAML response being sent from OneLogin to Tableau Server for further troubleshooting. It can be downloaded from here.
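To make the last two points concrete, here is an added example that is not part of the original post: a PowerShell function that takes the base64 SAMLResponse as copied from SAML-tracer, decodes it, and checks the fields that most often explain a vizportal log error, namely the IdP status code, the Audience against the entity ID (trailing slash!), the NameID against the Tableau username, the NotOnOrAfter condition, and the age of AuthnInstant against wgserver.saml.maxauthenticationage. The response in the script is a constructed, unsigned sample, and the entity ID, username and OneLogin issuer in it are made up; paste your own captured value into $SamlResponseB64 and use [datetime]::UtcNow as the reference time for a live check.

```powershell
# Added example (not from the original post): check a captured SAMLResponse offline.
$ExpectedEntityId = 'https://tableau.example.com'   # assumed; the entity ID configured in TSM
$ExpectedUser     = 'jdoe'                          # assumed Tableau Server username
$MaxAuthAge       = 7200                            # Tableau's default wgserver.saml.maxauthenticationage

# Constructed sample: what OneLogin would post for jdoe, minus the XML signature.
# AuthnInstant is 2.5 hours before the reference time below, i.e. an old IdP session.
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2019-03-01T10:00:00Z" Destination="https://tableau.example.com/wg/saml/SSO/index.html">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-03-01T10:00:00Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-03-01T09:57:00Z" NotOnOrAfter="2019-03-01T10:03:00Z">
      <saml:AudienceRestriction><saml:Audience>https://tableau.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-03-01T07:30:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>
"@
# SAML-tracer shows the SAMLResponse POST parameter as base64; encode the sample the same way.
$SamlResponseB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

function ConvertTo-Utc([string]$Timestamp) { ([datetime]$Timestamp).ToUniversalTime() }

function Test-TableauSamlResponse {
    param([string]$Base64, [string]$EntityId, [string]$User, [int]$MaxAge, [datetime]$Now)
    [xml]$doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64))
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $resp = $doc.SelectSingleNode('/samlp:Response', $ns)
    $a    = $doc.SelectSingleNode('//saml:Assertion', $ns)
    $problems = @()

    # 1. The IdP must report success; anything else is a OneLogin-side denial.
    $status = $resp.SelectSingleNode('samlp:Status/samlp:StatusCode', $ns).GetAttribute('Value')
    if ($status -notmatch 'status:Success$') { $problems += "IdP status is $status" }

    # 2. Audience must equal the entity ID exactly; a trailing slash on either side fails here.
    $audience = $a.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns).InnerText
    if ($audience -ne $EntityId) { $problems += "Audience '$audience' does not equal entity ID '$EntityId'" }

    # 3. The Destination (Tableau's ACS endpoint) must live under the same server URL.
    $dest = $resp.GetAttribute('Destination')
    if (-not $dest.StartsWith("$EntityId/")) { $problems += "Destination '$dest' is not under '$EntityId'" }

    # 4. NameID is what Tableau matches against its local usernames (case-sensitive here).
    $nameId = $a.SelectSingleNode('saml:Subject/saml:NameID', $ns).InnerText
    if ($nameId -cne $User) { $problems += "NameID '$nameId' does not match Tableau username '$User'" }

    # 5. Validity window; failures here with a fresh capture usually mean clock skew.
    $notOnOrAfter = ConvertTo-Utc ($a.SelectSingleNode('saml:Conditions', $ns).GetAttribute('NotOnOrAfter'))
    if ($Now -ge $notOnOrAfter) { $problems += "Assertion expired at $notOnOrAfter UTC" }

    # 6. Age of the IdP login versus wgserver.saml.maxauthenticationage.
    $authn = ConvertTo-Utc ($a.SelectSingleNode('saml:AuthnStatement', $ns).GetAttribute('AuthnInstant'))
    $age = [int]($Now - $authn).TotalSeconds
    if ($age -gt $MaxAge) { $problems += "AuthnInstant is ${age}s old, over maxauthenticationage=$MaxAge; the OneLogin session is older than Tableau allows" }

    return $problems
}

$now = ConvertTo-Utc '2019-03-01T10:01:00Z'   # frozen reference time for the sample; use [datetime]::UtcNow for a live capture
$findings = Test-TableauSamlResponse -Base64 $SamlResponseB64 -EntityId $ExpectedEntityId -User $ExpectedUser -MaxAge $MaxAuthAge -Now $now
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'SAMLResponse is consistent with the Tableau configuration' }
```

With the sample as written, checks 1 to 5 pass and check 6 reports an AuthnInstant 9060 seconds old, which is exactly the session-age mismatch described above; the fix is either a shorter OneLogin session or a larger wgserver.saml.maxauthenticationage on the Tableau side. The script reads the response only; it does not verify the XML signature, which Tableau Server does using the certificate from the metadata file.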