3 Replies Latest reply on Apr 25, 2018 12:53 AM by Darcy Smith

    SAML Authentication: SingleLogoutService (does support / does not support) ?!?

    Darcy Smith

      Hi there,

       

      We are attempting to integrate our product with Tableau 10.5.2 using SSO SAML 2.0, and have successfully created a Single Sign On flow, allowing both IdP-initiated and SP-initiated flows, and all is well. However, I do not seem to be able to successfully configure Single Sign Out.

       

      Current setup

      The Tableau instance is configured to use Site-specific SAML Authentication Only within the Configure Tableau server side application. Within the browser, logging into the correct site, selecting Settings -> Authentication gives me the SAML configuration settings. I have uploaded my IdP metadata (custom .NET application) and it gives me a success message and also indicates that "IdP is configured to support SAML single logout (SLO)". See below:

       

      saml-config.png

       

      The relevant lines in my metadata file are as follows:

       

      ...

      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.fft.local/account/logout"/>

      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.fft.local/account/logout"/>

      ...

       

      So far all seems good. I can use the IdP or SP initiated process to log in to Tableau, but selecting Logout within Tableau doesn't seem to even attempt an HTTP Post or Redirect towards my IdP. Tableau just gives the "Successfully logged out of Tableau" page, as below:

       

      saml-logout.png

       

      What puzzles me more though is, I have noticed that when I navigate to https://[tableau_server_name]/samlservice/public, I get the following page:

       

      samlservice-public.png

      Notice the "This IdP does not support Single Logout" ?

       

      Why is this? Is there anything specific I am missing when it comes to Single Sign Out in terms of extra configuration or commands needed to be run on the server?

       

      Anyone else encountered this problem?

       

      Cheers

      Darcy
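
Added example, not part of the original post and not Tableau's code: one way to check which single logout endpoints an IdP metadata file actually declares. In the SAML 2.0 metadata schema, SingleLogoutService is a child of IDPSSODescriptor in the urn:oasis:names:tc:SAML:2.0:metadata namespace. The function name audit_slo, the sample wrapper elements, the entityID and the SingleSignOnService URL are assumptions; only the two SingleLogoutService lines come from the post.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

# Constructed sample: only the two SingleLogoutService lines are from the post;
# the entityID and SingleSignOnService values are placeholders.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.fft.local/account/logout"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.fft.local/account/logout"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def audit_slo(metadata_xml):
    """Return (endpoints, problems) for the SLO endpoints an IdP metadata document declares."""
    # Parse only metadata you control; ElementTree is not hardened against hostile XML.
    root = ET.fromstring(metadata_xml)
    endpoints, problems, seen = [], [], set()
    roles = list(root.iter("{%s}IDPSSODescriptor" % MD_NS))
    if not roles:
        problems.append("no IDPSSODescriptor in the SAML metadata namespace")
    for role in roles:
        for slo in role.findall("{%s}SingleLogoutService" % MD_NS):
            seen.add(id(slo))
            binding, location = slo.get("Binding"), slo.get("Location")
            if binding not in BINDINGS:
                problems.append("Binding is not HTTP-POST/HTTP-Redirect: %r" % binding)
            if not (location or "").startswith("https://"):
                problems.append("Location missing or not https: %r" % location)
            endpoints.append((binding, location))
    # The same local name under another parent or in another namespace is not
    # an IdP SLO endpoint to a consumer that follows the metadata schema.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "SingleLogoutService" and id(el) not in seen:
            problems.append("SingleLogoutService outside IDPSSODescriptor: %s" % el.tag)
    return endpoints, problems


if __name__ == "__main__":
    found, issues = audit_slo(SAMPLE)
    for binding, location in found:
        print("SLO endpoint:", binding.rsplit(":", 1)[-1], location)
    for issue in issues:
        print("PROBLEM:", issue)
```

A clean result only shows that the metadata is well placed; it says nothing about how Tableau uses it at logout.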