5 Replies Latest reply on Sep 7, 2018 8:53 AM by Carisa Chang

    OneLogin SAML assertion - does it authenticate the user for the embedded viz?

    Albert van Niekerk

      I am trying to build an app that uses the OneLogin API to provide a seamless integration with their Tableau data. Data is displayed in an embedded Tableau view (hosted on Tableau Online, hence the SAML).

      • I have successfully added the Tableau app in OneLogin.
      • I have also set up the SAML authentication - working
      • App can get a token and assertion via API from OneLogin

      My understanding is that the SAML assertion is supposed to authenticate the user whose details were sent as part of the assertion; however, after receiving the assertion and redirecting to the view with the embedded Tableau viz, the user is prompted to log in.
      This kind of defeats the purpose of the assertion...

      Am I missing (misusing) the purpose of the assertion?
      Should the assertion be added to the session?
      How can I authenticate the user once without having them provide credentials all over again?
      Should the assertion be added to the embedded viz?

      I have read most if not all the SAML related developer docs of both Tableau and OneLogin.
      There is no clear spec, as far as I know, stating how this should be done, or if it can be done.

        • 1. Re: OneLogin SAML assertion - does it authenticate the user for the embedded viz?
          Carisa Chang

          Hi Albert,

          I think you are saying your app authenticates a user with OneLogin, and then requests a view from Tableau Online, at which point the user is prompted for their username?

          If that is the case, once they input their username, the view will load without further prompts, because Tableau Online will have their username and confirm with OneLogin that they are signed in. Until Tableau Online knows who the user is, though, it won't know they've been authenticated.

          Have you set the default authentication type for embedded views?

          Enable SAML Authentication on a Site

          • 2. Re: OneLogin SAML assertion - does it authenticate the user for the embedded viz?
            Albert van Niekerk

            What I am saying is that the app authenticates the user via OneLogin using SAML so that it creates a seamless integration and flow.

            Once the user has been authenticated, they should not need to log in again to view their dashboards.

            The flow is quite simple:

            1. Prompt user to log in on home/index screen - all other routes are guarded, no auth, no access
            2. Validate user against OneLogin user base (which mirrors Tableau users)
            3. Log the user in via OneLogin screen.
            4. If authentication is successful, receive SAML assertion
            5. Once logged in and asserted, allow them access to dashboard screen
            6. User should now see embedded views - they should not be prompted to log in as they have already been authenticated!

            Yes, I have set default authentication to OneLogin and have also allowed/enabled login via embedded iFrame.

            Reading similar posts, I am not the first one to attempt this.

            Seems like most people are having issues regarding this.

            • 3. Re: OneLogin SAML assertion - does it authenticate the user for the embedded viz?
              Carisa Chang

              I think what you're running into is that there isn't a way to provide the username to Tableau in the embed code, so Tableau will have to ask for the user's username in order to see that they are logged into OneLogin. If the user is already logged into Tableau in another tab in the same browser, before loading your page, do they see the prompt?

              • 4. Re: OneLogin SAML assertion - does it authenticate the user for the embedded viz?
                Albert van Niekerk

                "If the user is already logged into Tableau in another tab in the same browser, before loading your page, do they see the prompt?"

                If there already is an active session, in another tab - no.

                If IdP (OneLogin) is set to be the default authentication then the IdP sets the session/token as authenticated and all apps connected to that user should then be able to “see” that the user is authenticated and authorised to use the apps.

                For Tableau Server they suggest using OIDC, for which there are a few examples, and I got that working with a locally self-hosted Tableau Server; OIDC is not available for Tableau Online.

                For Tableau Online they suggest SAML, for which I cannot get decent examples of how to consume/use the assertion once I have received it.
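
Added example, not part of the thread and not Tableau or OneLogin code: the checks a SAML service provider runs on an assertion's audience, recipient and validity window before it treats the subject as signed in, applied to a constructed, unsigned sample. The URLs, the `inspect_assertion` helper and the whole-second timestamp format are assumptions, and XML signature verification, which a real service provider must do first, is left out.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, placeholder URLs); not taken from the thread.
SAMPLE_B64 = base64.b64encode(b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2018-09-07T08:50:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs" NotOnOrAfter="2018-09-07T08:53:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-09-07T08:47:00Z" NotOnOrAfter="2018-09-07T08:53:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""").decode()


def _ts(value):
    # Assumption: whole-second UTC timestamps, as in the constructed sample.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inspect_assertion(b64_xml, expected_audience, expected_recipient, now):
    """Report who the assertion is about, who it is addressed to, and any mismatch."""
    raw = base64.b64decode(b64_xml)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations are not allowed in SAML messages")
    root = ET.fromstring(raw)
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS) if a is not None else None
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS) if a is not None else None
    if cond is None or scd is None:
        raise ValueError("assertion, Conditions or SubjectConfirmationData missing")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    problems = []
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    if scd.get("Recipient") != expected_recipient:
        problems.append("recipient mismatch")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("outside validity window")
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "audiences": audiences, "recipient": scd.get("Recipient"), "problems": problems}
```

An empty `problems` list only means the assertion is addressed to the expected party and is still within its window; it says nothing about authenticity until the signature has been verified.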

                • 5. Re: OneLogin SAML assertion - does it authenticate the user for the embedded viz?
                  Carisa Chang

                  Hi Albert,

                  Have you also selected the option to use inline frames for auth?

                  For Tableau Online, or for Tableau Server configured to use Site-Specific SAML:

                  Ensure the below two options are properly configured under Settings > Authentication:

                  1. Set the Default authentication type for embedded views to SAML.
                  2. Under Embedding options, select Authenticate using an inline frame (less secure; not supported by all IdPs).

                  For more information, see Configure SAML for a site.