Example to add more clarity on question 1.
Item #1 – Site specific SAML authentication issue (mixed authentication)
Server is configured as ‘Site-specific SAML authentication only’ with two sites, SSOTesting and Site2.
SSOTesting is configured as a Single sign-on with SAML.
Site2 is configured as server default authentication which is local authentication.
User ‘gunas’ is a publisher in SSOTesting site and enabled with SAML authentication.
When user gunas accesses the server URL from the user’s laptop, the link will direct to Screen 1, prompting to enter the user name again. Once you enter the user name, it will navigate to Screen 2 without requesting a password.
What we expected with the above configuration was that the server URL would skip Screen 1 and directly present Screen 2, as in server-wide SAML authentication. Is this the expected behaviour for site-specific SAML with mixed authentication mode?
When you configure Tableau Server site-specific SAML, you will first be prompted to give your user ID directly in the Tableau Server authentication window. Then there are 2 cases:
- you are a Local/AD user, and then Tableau Server will open the password field to authenticate you (if SSO is activated, this authentication will happen automatically without the credential step)
- you are a SAML user, and you will be redirected to the authentication window of your IdP, which will realize the authentication and give Tableau Server feedback about this process: user is authenticated. Then Tableau Server controls permissions and gives your user access to what he is prompted to.
If you configure TS "Server+Site" SAML, you will configure a "main" IdP that controls access to the server and allows SAML users to be part of several sites, and site-specific IdPs that will allow users for one site only.
I hope it will help you with this issue.
Now allow me to ask you a question back: which IdP did you use to configure your Tableau Server site-specific SAML, and did you change something in the metadata when you switched from server-wide SAML to site-specific SAML? My point here is that I am using OneLogin as IdP and it worked for the server-wide configuration, but when I change it to site-specific, I am not able to log in anymore with my SAML user (local user works fine).
I have no idea why and no one can tell me if this configuration (TS site-specific SAML with OneLogin) was already implemented with success somewhere...
Thank you in advance.
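One way to answer the metadata question raised in the reply above is to compare the service-provider metadata exported for the server-wide setup with the one exported for the site, field by field, before touching the IdP connector. This is an added example, not part of either post and not Tableau or OneLogin code; the host name and the PLACEHOLDER URLs are constructed sample values that differ by construction, and real values come from your own exported metadata files.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

def sp_summary(xml_text):
    """Pull out the SP fields an IdP connector is configured from."""
    root = ET.fromstring(xml_text)
    # iter() also yields the root, so this handles a bare EntityDescriptor
    # as well as one wrapped in an EntitiesDescriptor.
    entity = next(root.iter(f"{{{MD}}}EntityDescriptor"), None)
    sp = entity.find("md:SPSSODescriptor", NS) if entity is not None else None
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")
    return {
        "entityID": entity.get("entityID"),
        "acs": sorted((a.get("index", "0"), a.get("Binding"), a.get("Location"))
                      for a in sp.findall("md:AssertionConsumerService", NS)),
        "nameid_formats": sorted((n.text or "").strip()
                                 for n in sp.findall("md:NameIDFormat", NS)),
        "authn_requests_signed": sp.get("AuthnRequestsSigned"),
        "want_assertions_signed": sp.get("WantAssertionsSigned"),
    }

def metadata_diff(old_xml, new_xml):
    """Return {field: (old, new)} for every field that changed."""
    old, new = sp_summary(old_xml), sp_summary(new_xml)
    return {k: (old[k], new[k]) for k in old if old[k] != new[k]}

def _sample(entity_id, acs_url):
    # Constructed sample metadata for the demo, not real Tableau output.
    return f'''<md:EntityDescriptor xmlns:md="{MD}" entityID="{entity_id}">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Location="{acs_url}"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>'''

BASE = "https://tableau.example.com/PLACEHOLDER"  # constructed host and paths
SERVER_WIDE = _sample(f"{BASE}-server-entity", f"{BASE}-server-acs")
SITE_SPECIFIC = _sample(f"{BASE}-site-entity", f"{BASE}-site-acs")

if __name__ == "__main__":
    for field, (old, new) in metadata_diff(SERVER_WIDE, SITE_SPECIFIC).items():
        print(f"{field}:\n  server-wide:   {old}\n  site-specific: {new}")
```

Any field this reports as changed has to match what is entered in the IdP connector for that site; a connector still holding the server-wide values is worth ruling out first.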