3 Replies Latest reply on Apr 14, 2017 1:26 AM by lenaic.ridinger

SAML Single Logout - Supported by Site Specific SAML with Local Authentication?

Zachary Parrott Apr 5, 2017 12:34 PM

We currently have a locally hosted Tableau server running v10.2. We have an internal SAML 2.0 IdP that has been configured within Tableau using Site Specific SAML with Local Authentication.

During login Tableau correctly hands off the authentication to the IdP which authenticates the user and creates the user's session in Tableau. The problem is when clicking sign out in Tableau it redirects to a Tableau logout page and there is never a SAML request sent to the IdP. The session within Tableau is correctly destroyed but the session with the IdP remains. In the site specific SAML configuration in Tableau it notes that the IdP supports Single Logout under the IdP metadata import section. I also verified that the POST binding for Single Logout is present in the IdP metadata that was imported into Tableau.

When I change Tableau's configuration to use Site Wide SAML authentication the Single Logout works as I would expect and correctly sends the request to the IdP when clicking Sign Out. Is SAML Single Logout not supported in Site Specific SAML with Local Authentication?

I read through a lot of documentation and forum posts with no luck in finding any specifics. Has anyone ran into such a scenario?

Thanks.

1. Re: SAML Single Logout - Supported by Site Specific SAML with Local Authentication?

lenaic.ridinger Apr 13, 2017 11:42 AM (in response to Zachary Parrott)

Hi Zachary Parrott,

(Edited for clarity) According to Robin Cottiss:

Your Idp needs to support SLO and would need to advertise that fact in it's metadata. A lot of Idp's do not support SLO, or do it in a way that does not match Tableau's expectation.

Are you able to configure Siteminder for SLO? Also - be careful with what you mean by SLO - many customers don't really want SLO they want Tableau Sign Out but to leave the Idp session alive. That can be tricky to set up.

----------
Lénaïc RIÉDINGER, Global Community Engineer Tableau
Tableau Community Forums | Knowledge Base
If you see a Helpful or Correct response, please mark it thanks to the buttons below the targeted post!
Like Show 0 Likes(0)

Actions
2. Re: SAML Single Logout - Supported by Site Specific SAML with Local Authentication?

Zachary Parrott Apr 13, 2017 6:56 AM (in response to lenaic.ridinger)

Hi Lénaïc,

I did read the forum post you are referencing (I do not see a Sign Out option with SAML enabled on Tableau Server 9.3 ) but it does not provide the information I am looking for. To clarify, I am actually looking for true Single Logout where both sessions are invalidated.

Like I said in the original post, our IdP does support Single Logout and it is defined in the metadata. Single Logout works as expected when Tableau server is set to Server-Wide SAML Authentication. It does not work when Tableau server is configured with Site Specific SAML with Local Authentication. I just want to know if Tableau supports Single Logout for Site Specific SAML with Local Authentication.

Thanks,
Zach Parrott
Like Show 0 Likes(0)

Actions
3. Re: SAML Single Logout - Supported by Site Specific SAML with Local Authentication?

lenaic.ridinger Apr 14, 2017 1:26 AM (in response to Zachary Parrott)

Indeed, it was a possible answer from Robin (thanks!)
I do not see a Sign Out option with SAML enabled on Tableau Server 9.3

I'm sad to learn it didn't help.
I've raised this thread, hopefully one of the experts on our forums can help you better than I did..!

Robin Cottiss
Like Show 0 Likes(0)

Actions

Go to original post