2 Replies Latest reply on Aug 23, 2017 2:03 AM by Sylvain Cogné

    site-specific SAML authentication issues

    Samantha Gunasekara

      When we configure our Tableau 10.1.4 server as ‘site-specific SAML authentication only’, it prompts for a username (the IDP gets the SAML request only after we enter the username). Is this the expected behaviour when you have mixed authentication?

      With server-wide SAML configuration, once you enter the Tableau server URL it will directly take you to the site.

      Any help would be much appreciated.

      Thanks

      Samantha

        • 1. Re: site-specific SAML authentication issues
          Samantha Gunasekara

          Example to add more clarity on question 1.

          Item #1 – Site-specific SAML authentication issue (mixed authentication)

          Server configuration

          [screenshot: serverconf.jpg]

          Example:

          Server is configured as ‘Site-specific SAML authentication only’ with two sites, SSOTesting and Site2.

          SSOTesting is configured as single sign-on with SAML.

          Site2 is configured as server default authentication, which is local authentication.

          User ‘gunas’ is a publisher in the SSOTesting site and enabled with SAML authentication.

          When user gunas accesses the server URL from the user’s laptop, the link will direct to Screen 1, prompting to enter the user name again. Once you enter the user name it will navigate to Screen 2 without requesting a password.

          What we expected with the above configuration was that the server URL would skip Screen 1 and directly prompt Screen 2, as in server-wide SAML authentication. Is this the expected behaviour for site-specific SAML with mixed authentication mode?

          Screen 1

          [screenshot: signin.jpg]

          Screen 2

          [screenshot: site.jpg]


          • 2. Re: site-specific SAML authentication issues
            Sylvain Cogné

            Hello Samantha,

            when you configure Tableau Server site-specific SAML you will first be prompted to give your user ID directly in the Tableau Server authentication window. Then there are 2 cases:

            - you are a Local/AD user, and then Tableau Server will open the Password field to authenticate you (if SSO is activated, this authentication will happen automatically without the credential step)

            - you are a SAML user, and you will be redirected to the authentication window of your IdP, which will perform the authentication and give Tableau Server feedback about this process: the user is authenticated. Then Tableau Server checks permissions and gives your user access to what he is permitted to.

            If you configure TS "Server+Site" SAML, you will configure a "main" IdP that controls access to the server and allows SAML users to be part of several sites, and site-specific IdPs that allow users for one site only.

            I hope it will help you with this issue.

            Now allow me to ask you a question back: which IdP did you use to configure your Tableau Server site-specific SAML, and did you change something in the metadata when you switched from server-wide SAML to site-specific SAML? My point here is that I am using OneLogin as IdP and it worked for the server-wide configuration, but when I change it to site-specific, I am not able to log in anymore with my SAML user (local user works fine).

            I have no idea why, and no one can tell me if this configuration (TS site-specific SAML with OneLogin) was already implemented with success somewhere...

            Thank you in advance.

            BR

            Sylvain
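The two flows Sylvain describes, modelled as an added example (constructed Python, not Tableau's or the poster's code): in server-wide mode the server URL redirects straight to the IdP, while in site-specific mode the server must learn the username first to know which site, and therefore which IdP or local password check, applies. Site names, users and IdP URLs are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the two Tableau Server SAML modes described in the
# thread. Not Tableau's code: site names, users and IdP URLs are assumptions.

@dataclass
class Site:
    name: str
    idp_sso_url: Optional[str]  # None = server default (local) authentication

@dataclass
class User:
    name: str
    site: str
    uses_saml: bool

SITES = {
    "SSOTesting": Site("SSOTesting", "https://idp.example.test/sso"),  # assumed
    "Site2": Site("Site2", None),
}
USERS = {
    "gunas": User("gunas", "SSOTesting", True),
    "local1": User("local1", "Site2", False),  # assumed local user on Site2
}

def server_wide_step(server_idp_sso_url: str) -> dict:
    """Server-wide SAML: one IdP for the whole server, so opening the server
    URL redirects to it immediately (Screen 1 is skipped)."""
    return {"action": "redirect_to_idp", "idp": server_idp_sso_url}

def site_specific_step(username: Optional[str], sites=SITES, users=USERS) -> dict:
    """Site-specific SAML: the IdP depends on the user's site, so the server
    has to learn the username first (Screen 1) before it can pick a route."""
    if not username:
        return {"action": "prompt_username"}
    user = users.get(username)
    # Unknown users and local users both get the server default flow, so the
    # username prompt answers the same whether or not the account exists.
    if user is None or not user.uses_saml:
        return {"action": "prompt_password"}
    site = sites[user.site]
    if site.idp_sso_url is None:
        return {"action": "prompt_password"}
    return {"action": "redirect_to_idp", "idp": site.idp_sso_url, "site": site.name}
```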