1 Reply Latest reply on Feb 11, 2012 10:55 AM by Loïc Grange

    Tableau Server in a SAML SSO environment

      We're currently researching options on how best to provide access to Tableau content via various delivery channels (Web, Desktop, Mobile) in an environment that uses SAML for SSO.  The environment includes a SAML Identity Provider (IdP) that's the authoritative user repository, and ideally we'd set Tableau Server up as a SAML Service Provider (SP) against that IdP.  Since Tableau's primary support for SSO is via trusted authentication, it seems that what we'll really need to do is set up an HTTP server that acts as both a SAML SP and a trusted authentication peer for Tableau.  Then sessions would look something like:


      1. User points browser, Desktop, or Mobile at URL of HTTP server acting as SAML SP.
      2. SAML SP redirects user to SAML IdP to authenticate.
      3. SAML IdP redirects user back to SAML SP with authentication results and original request proceeds.
      4. SAML SP tells Tableau Trusted Authentication that the user has authenticated successfully.
      5. Trusted Authentication issues the user a trust ticket.
      6. User is able to access (authorized) Tableau views/content.


      First question: Does this look right?  If not, could you help me understand what changes are needed to reflect reality.


      Second question: Is anyone already doing this today?  If so, any lessons learned you'd like to share?


      Third question: Does traffic for Tableau Desktop and Tableau Mobile occur over HTTP so that this would work properly?  In particular, will iPad users just see the IdP's login screen and, assuming valid authentication, everything will just work?  If not, what are the alternatives for implementing SSO for those clients?


      Thanks in advance!!!

        • 1. Re: Tableau Server in a SAML SSO environment
          Loïc Grange

          This is correct. A lot of customers use Trusted Ticketing, which is a way to have the authentication itself happen with an internal or external portal and simply use Tableau to display the viz this user has access to. Note that the user needs to exist in Tableau Server even if TS doesn't authenticate it.


          All done with HTTP or HTTP(S). If you use a browser on any device it will work. The browser in question might not be supported (it needs to behave nicely with JavaScript, for instance). Tableau only officially supports Firefox, Safari, Chrome and IE (greater than 6.5). Note also that for the client browser, the cookie issued by TS is considered a third-party cookie (as the primary webserver is actually your portal webserver, not the Tableau Server one). In the browser security/privacy settings, Authorize Third Party cookies needs to be activated for Trusted Ticketing to work.
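
Steps 4 to 6 of the flow in the question, as an added example that is not part of either post and not Tableau's own code: the SAML SP host exchanges the subject of an already-validated assertion for a trusted ticket and builds the redirect. The hostname, the function names and the ticket sanity check are assumptions; the `/trusted` POST with `username` and the `-1` refusal are how Tableau's trusted authentication answers, which the thread does not spell out.

```python
import re
import urllib.parse
import urllib.request

TABLEAU = "https://tableau.example.internal"  # assumed hostname
# Only "workbook/view" is accepted, so a crafted path cannot steer the redirect.
VIEW_RE = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+$")
# Assumed conservative check: a ticket must not carry URL structure characters.
TICKET_RE = re.compile(r"^[^\s/?#]+$")


class TicketError(Exception):
    """Raised when no ticket URL can be issued for this request."""


def http_post(url, fields):
    """POST form fields from the SP host and return the body as text."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.read().decode().strip()


def redirect_for(saml_name_id, view, post=http_post):
    """Exchange a validated SAML subject for a one-time ticket URL.

    saml_name_id must be taken from the verified assertion on the SP,
    never from a query parameter or header the browser controls.
    """
    if not saml_name_id:
        raise TicketError("no authenticated subject")
    if not VIEW_RE.match(view):
        raise TicketError("unexpected view path")
    ticket = post(TABLEAU + "/trusted", {"username": saml_name_id})
    # -1 means Tableau Server refused: the user does not exist there
    # (the point made in the reply) or this host is not a trusted peer.
    if ticket == "-1" or not TICKET_RE.match(ticket):
        raise TicketError("ticket refused")
    return f"{TABLEAU}/trusted/{ticket}/views/{view}"
```
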