SSO, MFA, SAML and Tableau Server
SSO: Single Sign-On; MFA: Multi-factor Authentication;
SAML: Security Assertion Markup Language
External KB articles:
The following two links provide guidelines to set up SAML/SSO/MFA for Tableau Server:
SAML: https://help.tableau.com/current/server/en-us/saml.htm
Azure: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tableauserver-tutorial
DataSelf SaaS Complementary Notes for Azure AD
Adding MFA to a new Tableau SaaS Site
Azure portal: https://portal.azure.com/
Log in with an Azure admin user and open Azure Active Directory.
Add the SaaS site to Azure Active Directory as an enterprise application, then invite the users’ email addresses.
Enterprise Applications
+ New Application
Search for Tableau Server, select it, and rename it to “Tableau Server SiteName”
Add
Set up single sign-on: click Single sign-on
From the drop-down, select SAML-based Sign-on
Sign on URL: https://dataselfbi.com
Identifier (Entity ID): log in to the SaaS site, go to Settings > Authentication, check Enable an additional authentication method, click Edit Connection, copy the “DataSelf Analytics entity ID” value and paste it into this box.
Reply URL: from the same SaaS site page, copy the “Assertion Consumer Service URL (ACS)” value and paste it into this box.
User identifier (this becomes the SAML NameID): user.userprincipalname
Check “View and edit all other user attributes”
Click “Add attribute”
Name box: username
Value: user.userprincipalname (the value of this attribute must match the Tableau username exactly; if a client cannot log in to Tableau, for example because their UPN differs from their email address, change it to user.mail or user.othermail)
Ok
Save
Download the IdP metadata file (“Federation Metadata XML” in the SAML Signing Certificate section)
From SaaS Site – Authentication – Edit:
Section 4: click Browse, select the downloaded metadata XML and click Apply
Section 5: enter username as the username attribute (the attribute name added in Azure above)
Section 6: leave Authenticate in a separate pop-up window
Last section, Default authentication: select microsoftonline.com (SAML)
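The metadata file uploaded in Section 4 is what the SaaS site will trust for every SAML login, so it is worth checking before uploading it: that it is IdP (not SP) metadata, that its entityID belongs to your tenant, that the single sign-on endpoints are HTTPS on login.microsoftonline.com, and that it carries a signing certificate. The Python script below does those checks. It is an added example, not DataSelf’s, Tableau’s or Microsoft’s code; the embedded metadata is a constructed sample with a placeholder tenant id and a placeholder certificate byte string rather than a real certificate. To use it on a real file, read the XML from disk and pass your own tenant id.

```python
"""Sanity-check an Azure AD federation metadata XML before uploading it to the
SaaS site. Added example; the sample metadata, tenant id and certificate are
constructed placeholders, not real values."""
import base64
import xml.etree.ElementTree as ET
from typing import Any, Dict, List
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder tenant id (assumption; substitute the real tenant id).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
# Placeholder "certificate": a DER-looking byte string, NOT a real X.509 cert.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x10" + b"\x00" * 16).decode()

# Constructed sample in the shape Azure AD produces for its metadata XML.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}">
        <ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> Dict[str, Any]:
    """Extract what the SP side needs: IdP entityID, SSO endpoints, signing certs."""
    # For metadata obtained from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        # Only an SPSSODescriptor present means the SP metadata was downloaded by mistake.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    certs: List[str] = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing too
            continue
        for c in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((c.text or "").split()))  # strip line breaks
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect": sso.get(HTTP_REDIRECT),
        "sso_post": sso.get(HTTP_POST),
        "signing_certs": certs,
    }


def check_idp_metadata(meta: Dict[str, Any], tenant_id: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks right for this tenant."""
    problems: List[str] = []
    entity_id = meta["entity_id"] or ""
    if tenant_id not in entity_id:
        problems.append(f"entityID {entity_id!r} is not for tenant {tenant_id}")
    for key in ("sso_redirect", "sso_post"):
        url = meta[key]
        if not url:
            problems.append(f"{key}: SingleSignOnService binding missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key}: not https: {url}")
        if parsed.hostname != "login.microsoftonline.com":
            problems.append(f"{key}: unexpected IdP host {parsed.hostname}")
    if not meta["signing_certs"]:
        problems.append("no signing certificate: assertions could not be verified")
    for cert in meta["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("signing certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER SEQUENCE tag
            problems.append("signing certificate is not DER-encoded")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    for line in check_idp_metadata(meta, TENANT_ID) or ["metadata OK"]:
        print(line)
```

The certificate check is deliberately shallow (base64 and DER shape only); to inspect validity dates of the real certificate, decode it and load it with a proper X.509 library.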
Create a Policy Name for each client organization:
Back to Azure Active Directory
Conditional Access
+ New Policy
Name it such as SaaS ClientName
Cloud apps -> Include -> Select apps -> Select -> click Microsoft Azure Management and Tableau Server SiteName -> Select -> Done
Grant: select Grant access, check Require multi-factor authentication, choose Require one of the selected controls, and click Select.
Be sure the settings above are saved before you leave this page (click Save button).
Proceed to add users as described under Adding Users to a New SaaS Site that already has SAML on Azure below.
Adding Users to a New SaaS Site that already has SAML on Azure
Azure portal: https://portal.azure.com/
Log in with an Azure admin user and open Azure Active Directory.
Invite the users’ email addresses to join our Azure Active Directory.
Enterprise Applications
Select Tableau Server SiteName
Click Users and Groups
+ Add user
Users and groups
Enter email of a new user (ex.: davew@lucasoil.com)
Invite
Repeat the two previous steps (enter email, Invite) for each additional user.
Select
Assign
The next two sections (Adding MFA to each individual user, and Optional MFA features) apply only when MFA is required; Conditional Access needs an Azure AD Premium (P1 or higher) license for the user. If MFA is not needed for this user, skip to Add Users’ emails to their SaaS Site.
Adding MFA to each individual user:
Back to Azure Active Directory
Conditional Access
Click the Policy Name associated to this client (ex.: SaaS ClientName)
Users and groups -> Include -> Select users and groups -> Users and groups -> select the added users -> Select -> Done
Conditions: leave it as is to require MFA on every sign-in. To treat the client’s own IPs specially, first create a trusted Named location (see Optional MFA features below), then: Sign-in risk -> Yes -> High -> Select; Locations -> Yes -> All trusted locations -> Done -> Done; Save. Note that all conditions are ANDed and that Include is the default tab under Locations: configured this way the policy applies only to sign-ins from the trusted IPs that Azure AD Identity Protection (an Azure AD Premium P2 feature) rates as high risk. If the intent is the opposite, i.e. always require MFA except from the office, leave Sign-in risk unconfigured and put All trusted locations under Locations -> Exclude instead.
Be sure the settings above are saved before you leave this page (click Save button).
Optional MFA features: Back to “Home - dataself.com - Conditional access – Policies” section:
If trusted IPs are required: click Named locations -> + New location -> name it, select IP ranges, check Mark as trusted location, and enter the ranges in CIDR notation, e.g. 170.25.45.21/32 for that single address (the number after the slash is the prefix length, not a count of addresses: /32 is one IPv4 address, /24 is 256, and /1 would be half the IPv4 Internet) -> Create. This named location is what the Conditions step above refers to.
To change other MFA settings, such as the number of days before a device must re-authenticate, select Named locations -> Configure MFA trusted IPs.
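Two details of the policy above are easy to get wrong and silent when they are: a named location’s prefix length, and the fact that everything on the Conditions tab is ANDed, so putting All trusted locations under Include restricts MFA to the office rather than exempting it. The Python model below, an added example and not Microsoft’s, DataSelf’s or Tableau’s code, checks CIDR strings with the standard ipaddress module and evaluates constructed sample sign-ins against two versions of the policy: one with Sign-in risk High plus Include All trusted locations, and one with no risk condition and the trusted location under Exclude. The user, app name, office IP (170.25.45.21, as on the page) and home IP (203.0.113.7, a documentation address) are sample values; the evaluator follows Azure AD’s include/exclude semantics but is a simplification (no groups, device or client-app conditions).

```python
"""Model of Conditional Access policy evaluation for the MFA policy above.
Added example; policies, users, apps and IPs are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


def host_count(cidr: str) -> int:
    """Number of addresses a CIDR string covers (170.25.45.21/32 -> 1, /1 -> 2**31)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def valid_named_location_cidr(cidr: str) -> bool:
    """True only if no host bits are set, i.e. the prefix length fits the address."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


@dataclass
class NamedLocation:
    name: str
    cidrs: List[str]
    trusted: bool = True  # "Mark as trusted location"

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c) for c in self.cidrs)


@dataclass
class Policy:
    name: str
    users: Set[str]                          # Users and groups -> Include
    apps: Set[str]                           # Cloud apps -> Include
    sign_in_risk: Optional[Set[str]] = None  # None: condition not configured
    locations_include: Optional[str] = None  # None, "Any" or "AllTrusted"
    exclude_trusted: bool = False            # Locations -> Exclude -> All trusted locations
    require_mfa: bool = True                 # Grant -> Require multi-factor authentication


@dataclass
class SignIn:
    user: str
    app: str
    ip: str
    risk: str = "none"  # Identity Protection level: none / low / medium / high


def policy_applies(policy: Policy, s: SignIn, locations: List[NamedLocation]) -> bool:
    """Every configured assignment and condition must match: they are ANDed."""
    if s.user not in policy.users or s.app not in policy.apps:
        return False
    if policy.sign_in_risk is not None and s.risk not in policy.sign_in_risk:
        return False
    from_trusted = any(loc.trusted and loc.contains(s.ip) for loc in locations)
    if policy.locations_include == "AllTrusted" and not from_trusted:
        return False
    if policy.exclude_trusted and from_trusted:
        return False
    return True


def mfa_required(policy: Policy, s: SignIn, locations: List[NamedLocation]) -> bool:
    return policy.require_mfa and policy_applies(policy, s, locations)


# Sample data (constructed). The office is one address, so /32, not /1.
OFFICE = NamedLocation("Client office", ["170.25.45.21/32"])
LOCATIONS = [OFFICE]
USERS = {"davew@lucasoil.com"}
APPS = {"Tableau Server SiteName"}

# Sign-in risk High AND Include all trusted locations.
AS_WRITTEN = Policy("SaaS ClientName (risk High, include trusted)", USERS, APPS,
                    sign_in_risk={"high"}, locations_include="AllTrusted")
# Always MFA, office exempted: no risk condition, trusted locations excluded.
OFFICE_EXEMPT = Policy("SaaS ClientName (office exempt)", USERS, APPS, exclude_trusted=True)

FROM_OFFICE = SignIn("davew@lucasoil.com", "Tableau Server SiteName", "170.25.45.21")
FROM_HOME = SignIn("davew@lucasoil.com", "Tableau Server SiteName", "203.0.113.7")

if __name__ == "__main__":
    print("170.25.45.21/32 covers", host_count("170.25.45.21/32"), "address(es)")
    print("170.25.45.21/1 would cover", host_count("170.25.45.21/1"), "addresses")
    for policy in (AS_WRITTEN, OFFICE_EXEMPT):
        for signin in (FROM_OFFICE, FROM_HOME):
            print(policy.name, signin.ip, "MFA required:",
                  mfa_required(policy, signin, LOCATIONS))
```

Running it shows that the first policy never prompts a normal-risk sign-in from anywhere, while the second prompts from home and not from the office.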
Add Users’ emails to their SaaS Site
Log in to their SaaS site -> Users -> + Add User, and select Add users for microsoftonline.com (SAML). Username = the user’s email address (ex.: davew@lucasoil.com); it must exactly match the value Azure AD sends in the username attribute mapped above. The rest is the same as adding regular users.
Users’ first access:
Users will receive an invitation to join Azure. If their email addresses are not yet associated with an Azure account, they only have to accept the invitation and set a password.
This lands them on an Azure portal page that lists Tableau Server. They can click on it, or go directly to https://dataselfbi.com
They enter their email address and are taken to their SaaS site.
Related Pages
Security Details – Technical pages on a variety of security methods.
Security Related Pages
- GI (Generic Inquiry) Deployment - DataSelf Analytics for Acumatica
- Embed DataSelf in Acumatica via Site Map
- Embed DataSelf in Acumatica Dashboard Widgets
- Acumatica User Rights for DataSelf
- Copy of Acumatica User Rights for DataSelf
- Acumatica Rights by Role for Generic Inquiries(GI's)
- Encrypted Standard Strings & PowerShell
- Script File Security