saml

Upload: karthikre

Post on 12-Oct-2015


TRANSCRIPT

  • Copyright 2013 Tableau Software, Incorporated and its licensors. All rights reserved. Patents pending.

    Single Sign-On with SAML

    With Tableau's SAML support, you use an external identity provider (IdP) to authenticate Tableau Server users. All user authentication is done outside of Tableau, regardless of whether you're using Active Directory or local authentication in Tableau Server to manage your user accounts. This allows you to provide a single sign-on experience across all the applications in your organization. To configure Tableau Server for SAML, you need the following:

      • Certificate file: A PEM-encoded x509 certificate with the extension .crt.
      • Certificate key file: An RSA or DSA key file that is not password protected and has a .key file extension.
      • IdP account: Examples are PingFederate, SiteMinder, and OpenAM.
      • Matching usernames: Tableau Server usernames and the usernames stored in the IdP must match.

    Ensure that the username you plan to use for your Tableau Server administrator account exists in your IdP before you run Setup.
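The certificate and key file requirements listed above can be checked before running Setup. The following is an added example, not part of Tableau's documentation: the function names and the file names server.crt and server.key are assumptions, and the sample PEM bodies are constructed dummy bytes.

```python
import base64
import re
from pathlib import PureWindowsPath

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def check_certificate(filename, text):
    """Return problems with the certificate file (empty list = passes)."""
    problems = []
    if PureWindowsPath(filename).suffix.lower() != ".crt":
        problems.append("certificate file must use the .crt extension")
    bodies = [body for label, body in PEM_RE.findall(text) if label == "CERTIFICATE"]
    if not bodies:
        return problems + ["no PEM CERTIFICATE block (DER-encoded or wrong file?)"]
    try:
        base64.b64decode("".join(bodies[0].split()), validate=True)
    except ValueError:
        problems.append("certificate body is not valid base64")
    return problems

def check_key(filename, text):
    """Return problems with the private key file (empty list = passes)."""
    problems = []
    if PureWindowsPath(filename).suffix.lower() != ".key":
        problems.append("key file must use the .key extension")
    blocks = PEM_RE.findall(text)
    if not blocks:
        return problems + ["no PEM block found in key file"]
    label, body = blocks[0]
    # Password protection appears either as PKCS#8 "ENCRYPTED PRIVATE KEY"
    # armor or as a "Proc-Type: 4,ENCRYPTED" header inside a traditional key.
    # Plain "PRIVATE KEY" (PKCS#8) armor does not name the algorithm, so it is
    # accepted here without confirming RSA or DSA.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        problems.append("key is password protected")
    elif label not in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "PRIVATE KEY"):
        problems.append("key is not RSA or DSA: " + label)
    return problems

# Constructed samples: real PEM armor around dummy bytes, not usable keys.
DUMMY_BODY = base64.b64encode(bytes(48)).decode()
SAMPLE_CRT = f"-----BEGIN CERTIFICATE-----\n{DUMMY_BODY}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{DUMMY_BODY}\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENC_KEY = SAMPLE_KEY.replace(
    "KEY-----\n", "KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n", 1)

if __name__ == "__main__":
    print(check_certificate("server.crt", SAMPLE_CRT))
    print(check_key("server.key", SAMPLE_KEY))
    print(check_key("server.key", SAMPLE_ENC_KEY))
```

To check real files, pass each file's name and its text content to the two functions. Only the PEM armor is inspected, so this does not confirm that the key matches the certificate.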

    1. Specify the Server and Certificates

    Run Server Setup. After you configure your general settings in the Configuration utility, click the SAML tab and select Use SAML for single sign-on.

    In the Tableau Server return URL text box, enter the customer-facing URL for your Tableau Server. Enter this same value for SAML entity ID.

    Create a SAML folder under C:\Program Files\Tableau\Tableau Server and copy your .crt and .key files there. Enter that location in the next two fields.

    2. Export Metadata from Tableau

    Leaving the SAML IdP metadata file text box empty, click the Export Metadata File button.

    In the next dialog box, save the XML file. You will need to provide this file to your IdP in the next step.

    3. Export Metadata from the IdP

    On the IdP's website, add your Tableau Server as a connection type for the IdP to authenticate. As part of this, you will import the Tableau metadata .xml file you created in step 2, and confirm that your IdP's settings use username as the attribute element to verify.

    Next, export your IdP's metadata .xml file and copy it to the following folder on your Tableau Server:

    C:\Program Files\Tableau\Tableau Server\SAML

    Use the .xml file name of your choice.

    4. Test the SAML Sign-On

    On the SAML tab in the Tableau Configuration utility, enter the location of the IdP's file in the SAML IdP metadata file text box. Click OK. Finish Setup, creating an administrator account when prompted.

    To test your changes, start a fresh web browser session to Tableau Server. You should note that the Sign On prompt is from your IdP and not Tableau.