5 Replies Latest reply on Mar 1, 2017 2:53 AM by Garry Sollis

    SAML authentication Tableau Online and Azure AD

    Garry Sollis

      Hi

       

      I am very new to Tableau and to SAML SSO, so please forgive my ignorance. I have been experimenting with SAML on Tableau Online and Azure Active Directory. I think I have successfully configured SAML using the instructions in the online help. I am seeing what I call unexpected behavior though.

       

      When logging in using a session initiated at the Tableau Login screen (SP initiated) the following happens:

      • I enter the user name for a SAML enabled user which is configured in Tableau Online and also exists in my Azure AD. The password field disappears and I click Sign On
      • I get redirected to the IdP at Azure AD, but the user name is not entered in the username field on that page.
      • I manually enter the username from above, enter the password and log on to the IDP
      • I get redirected to the Tableau Online content

       

      When logging on using a session initiated at Azure (https://account.activedirectory.windowsazure.com/ , IdP initiated), I get the following:

      • I enter the user name for a SAML enabled user which is configured in Tableau Online and also exists in my Azure AD
      • I enter the password and log on to the IDP
      • I get a screen presenting my Apps and click on Tableau Online
      • A new browser tab is opened and it goes to the Tableau Online login screen, with no username or password entered in the fields.
      • I manually enter the username as I did in the IdP, the password field disappears.
      • I click the Sign In button and get redirected to the Tableau Online content

       

      This seems like too many steps involved. I expect the following:

      • in the first scenario that the username is passed from Tableau to the IdP, that it is already present in the IdP login screen and only the password needs to be entered
      • in the second scenario that I do not need to enter the username in the Tableau Online login screen, but that SAML logs me in automatically and the content is shown

       

      I have seen this behavior in several browsers and computers (Windows Internet Explorer, Safari Mac and Chrome Mac).

      The SAML connection test login seems to recognize all claims and assertions correctly.

       

      Do I need to change something in my configuration, or is this behavior By Design?

       

      Garry Sollis

        • 1. Re: SAML authentication Tableau Online and Azure AD
          Patrick A Van Der Hyde

          Hello Garry  -

           

          Are you sure that Single Sign-on with SAML is enabled on the Tableau Online site? See the instructions here: Configure SAML with Azure Active Directory

           

          Patrick

           

           

          Please mark my answer correct if this resolved the issue or mark it helpful below if it me

          1 of 2 people found this helpful
          • 2. Re: SAML authentication Tableau Online and Azure AD
            Garry Sollis

            Hi Patrick

            Thanks for replying. Yes, SSO via SAML is configured on both sides, so in Azure as well as in Tableau. I reviewed the documentation from Tableau as well as documentation from Azure. Funny thing is, both documents are subtly different as far as which attributes to use. The Tableau version works as described above, the Azure version does not.

            Garry

            • 3. Re: SAML authentication Tableau Online and Azure AD
              Dustin McIntyre

              Hi Garry,

               

              +1 to Patrick's comment - the instructions that we provide are more complete to produce the desired behavior.

               

              Since Azure AD is a 3rd party application, we can't verify the accuracy of their documentation. It looks like their guide for configuring Tableau Online is not specific enough, whereas you should review our help document and look for the section titled:

               

                   "Add Tableau Online to your Azure AD applications"

                   Configure SAML with Azure Active Directory

               

              I'll work from our end to recommend a change to their documentation, so others can benefit from our findings here.

              1 of 1 people found this helpful
              • 4. Re: SAML authentication Tableau Online and Azure AD
                sarah.hegeman

                Scenario 1 with SP-initiated: Expected Behaviour

                We have no mechanism for passing the username from Online to the IDP to prefill the fields. We need the username in the first place to look up whether that user needs an idp redirect, but we cannot then pass that username to the idp, so you'll have to enter it twice, I'm afraid.

                 

                Scenario 2 with IDP-initiated: Unexpected Behaviour

                This is actually indicative that SAML authentication likely failed. I recommend opening a case with Tableau Support, and be sure to provide your Tableau Online site name, username, and the log file you can download from the Authentication page in the UI on Step 7: Troubleshooting single sign-on (SSO)

                1 of 1 people found this helpful
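
An added example, not part of the original thread and not Tableau or Azure AD tooling: a small triage script for a SAMLResponse captured from the browser's POST to the service provider, reporting whether it is an unsolicited (IdP-initiated) response and whether the status, Destination, Audience and NameID look as expected. The URLs, user, attribute name and the sample response are constructed placeholders, and the expected ACS URL and audience are values you would take from your own SP configuration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (placeholder URLs, user and attribute names). It has no
# InResponseTo attribute, which is how an IdP-initiated (unsolicited) response looks.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-03-01T02:00:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-03-01T02:00:00Z">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def triage_saml_response(b64_response, expected_acs, expected_audience):
    """Summarise a captured SAMLResponse for troubleshooting.

    Triage only: the signature is NOT verified, so never use this to accept a login.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("p:Status/p:StatusCode", NS)
    audiences = [e.text for e in root.iterfind(".//a:Audience", NS)]
    return {
        "flow": "sp-initiated" if root.get("InResponseTo") else "idp-initiated",
        "status_ok": status is not None and status.get("Value") == SUCCESS,
        "destination_ok": root.get("Destination") == expected_acs,
        "audience_ok": expected_audience in audiences,
        "name_id": root.findtext(".//a:Subject/a:NameID", namespaces=NS),
        "attributes": {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS)]
                       for a in root.iterfind(".//a:Attribute", NS)},
    }
```

A response whose attributes parse correctly can still be rejected by the service provider if `destination_ok` or `audience_ok` is false, which is worth ruling out before comparing attribute mappings.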
                • 5. Re: SAML authentication Tableau Online and Azure AD
                  Garry Sollis

                  Thank you for replying. Unfortunately my trial online is over, so I cannot log in using the same account anymore. As I'm contracting for my customer I'll ask how they want to proceed.

                   

                  One thing to note though, I checked the status of the SAML assertions using the Log File option from the SAML config page in Tableau Online and it stated it recognised the username, first name and last name correctly.

                  I used what is described in Step 7, paragraph "Unable to authenticate users when using single sign-on" to download the log file. It just shows a popup, but all seemed well there, even though I had to manually enter the username before getting the content.

                   

                  If I try with a new trial using a new account, what do I need to check specifically here, apart from that SAML recognises the attributes of the account? Thanks