Integrate Tableau Online

Tableau is a cloud-based data visualization software used for data science and business intelligence (see https://www.tableau.com/). You can protect access to Tableau Online by integrating Tableau with Identity as a Service. Once integrated, users can use single sign-on to log in to their Tableau Online account through Identity as a Service.

Note: This integration was tested using Identity as a Service version 5.13 and Tableau Server 2020.4.0 (20204.20.1210.1658 64-bit Linux. Other versions of Tableau Online may require integration and configuration steps that differ from those documented in this procedure. For other versions of Tableau Online, this integration guide may be used as an initial approach for integrating Tableau Online. In the event of other issues, contact support@entrust.com for assistance.

To integrate Tableau Online with Identity as a Service, you must do the following:

Step 1: Download the Identity Provider metadata file

1. Log in to the Tableau Online administrator portal. The Tableau Home page appears.

2. In the menu pane, click Settings. The General page appears.

3. Click the Authentication tab. The Authentication page appears.

4. Under SAML, click Edit Connection. The Export metadata from Tableau Online options appear.

5. Click Export metadata to download the metadata XML file.

Step 2: Add Tableau Online to Identity as a Service

Add Tableau as an application to Identity as a Service

1. Log into your Identity as a Service administrator account.

2. Click > Security > Applications. The Applications Lists page appears.

3. Click Add. The Select an Application Template page appears.

4. Do one of the following:

● Select SAML Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

● In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

5. Click Tableau. The Add Tableau page appears.

6. Enter an Application Name.

7. Enter an Application Description.

8. Optional. Add a custom application logo.

a. Click next to Application Logo. The Upload Logo dialog box appears.

b. Click to select an image file to upload.

c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.

d. If required, resize your image.

e. Click OK.

9. Select the Authentication Flow that appears to users during login.

10. Click Next. The General page appears.

11. Click to the Upload Metadata XML and browse to the location of the metadata file you downloaded in Step 1: Download the Identity Provider metadata file. The Metadata Configuration dialog box appears.

a. If required, click Merge with existing values to merge new values with existing values for Alternative Assertion Consumer Services URLs and SAML attribute names.

b. Click Save.

The Assertion Consumer Service URL and Service Provider Entity ID (Issuer) fields are populated with the information from the metadata file.

12. Optional. Enter the SAML Username Parameter Name used to identity the user ID being requested for authentication. The user ID can then be passed as a parameter, for example, Username=jdoe. Alternately, if the SAML username is NameID, the SAML Request XML NameID element value is used to the identify the IDaaS userID.

13. Enter the SAML Session Timeout to the time when the SAML Assertion times out. The maximum is 720 minutes.

14. Enter the Max Authentication Age (seconds) to set the maximum amount of time that can elapse before a user is required to reauthenticate during a new login attempt. This applies for both SP-initiated and IDP-initiated login. Set this field to -1 to disable this feature.

15. From the SAML NameID Attribute drop-down list, select Email.

16. From the SAML NameID Encoding Format drop-down list, select Email.

17. From the SAML Signing Certificate drop-down list, select the signing certificate.

18. From the SAML Signature Algorithm drop-down list, select SHA256.

19. Select Sign Complete SAML Response.

20. Deselect Enable Go Back Button if you do not want users to be able to go back to the Tableau Online login page to log in.

21. Select Show Default Assertion Consumer URL Service in the My Profile. When selected, the Default Assertion Consumer URL appears in a user's My Profile page in addition to relay states and Alternative Assertion Consumer URLs.

22. Select Encryption SAML Assertion.

23. Optional. Add Alternative Assertion Consumer Service URLs, as follows:

a. Click Add.

b. Enter a Name.

c. Enter a URL Value.

d. Select Show in My Profile to display the Alternative Consumer Service URL in a user's My profile page.

e. Optional. Add an Application Logo.

f. Click Add.

g. Repeat these steps to add more Alternative Assertion Consumer Service URLs.

24. Click Submit.

Step 3: Add a resource rule

Step 4: Download the metadata file from Identity as a Service

Download the Metadata file from Identity as a Service

1. In Identity as a Service, click > Security > Applications. The Applications List page appears.

2. Do one of the following:

● Click next to the application you are integrating with Identity as a Service.

–or–

● Click next to the application you are integrating with Identity as a Service and select SAML IDP Metadata.

The SAML Application Metadata dialog box appears.

3. Select the certificate to include in the SAML IDP Metadata file from the drop-down list.

4. If applicable, Select the domain to include in the SAML IDP Metadata file from the drop-down list.

5. Enter the Lifetime, in days, for the SAML IDP Metadata file. The value must be between 2 and 730.

6. Do one of the following, as required:

a. Copy the Public Endpoint to paste into your SAML application being used Identity Provider authentication.

b. Click Download.

Note: If you are using multiple domains, you must download each domain's metadata file separately because the values in the metadata file vary for each domain.

Step 5: Configure Tableau for Identity as a Service authentication

1. Log in to the Tableau Online administrator portal. The Tableau Home page appears.

2. In the menu pane, click Settings. The General page appears.

3. Click the Authentication tab. The Authentication page appears.

4. Under SAML, click Edit Connection.

5. Scroll to Import metadata file into Tableau Online.

6. Click Choose a file and then browse to select the metadata file that you downloaded in Step 4: Download the metadata file from Identity as a Service and then click OK.

7. Under Import metadata file into Tableau Online, click Apply.

Step 6: Optional. Declare users as SAML users

To declare a user as a SAML user, the user email must match the email attribute of the user in Identity as Service. You can do this in a few ways, as follows:

1. Log in to the Tableau Online administrator portal. The Tableau Home page appears.

2. In the menu pane, click Users. The Site Users page appears.

3. From the Add Users drop-down list, select Add Users by Email. The Add Users dialog box appears.

4. Select Add users for (SAML) authentication.

5. In the Enter email addresses in the text box, add the user's email address. The email address must match the email address in the user's profile in Identity as a Service.

6. To add multiple users, separate each entry with a semi-colon.

7. From the Site role drop-down list, select Explorer (can publish).

8. Click Add users. The user's email address appears on the Site Users page.

1. Log in to Identity as a Service as an administrator and export a CSV file that includes only the Email user attribute for users you want to declare as SAML users on Tableau. (see View, search, and export user list).

2. Log in to the Tableau Online administrator portal. The Tableau Home page appears.

3. In the menu pane, click Settings. The General page appears.

4. Click the Authentication tab. The Authentication page appears.

5. Scroll to Manage Users.

6. From the Manage Users drop-down list, select Import from a file. The Import from a file dialog box appears.

7. Select Add users for (SAML) authentication.

8. Select Choose a file and browse to select the CSV file that you exported from Identity as a Service in step 1.

9. Click Import Users.

10. The users are added to the Site Users page. To view this page, in the menu pane, click Users.

Step 7: Test the integration

Testing Service Provider Login

1. Open a Web browser and enter the URL for your Tableau Online account. You are directed to Identity as a Service

2. Enter your Tableau Online account User ID and click Password and then click OK. The Tableau Home page appears.

3. In the menu pane, click Users. The Site Users page appears.

4. Under Actions, click ... and select Authentication from the drop-down list. The Authentication dialog box appears.

5. Select SAML and then click Update.

This update allows SAML redirection so that when the user logs in to Identity as a Service using their email address that matches the email address in Tableau, the user is redirected to the Tableau Home page. You must first complete the optional Step 6: Declare users as SAML users.

6. Respond to the second-factor authentication challenge. If you respond successfully, you are logged in to Tableau.

Testing Identity as a Service redirect log in

1. Log in to your Identity as a Service account.

2. Go to your My Profile page if you are not already there.

3. Under Applications, click Tableau. You are redirected to the Tableau Home page.