SSO, MFA, SAML and Tableau Server
SSO: Single Sign-On; MFA: Multi-factor Authentication;
SAML: Security Assertion Markup Language
External KB articles:
The following two links provide guidelines to set up SAML/SSO/MFA for Tableau Server:
SAML: https://help.tableau.com/current/server/en-us/saml.htm
Azure: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tableauserver-tutorial
DataSelf SaaS Complementary Notes for Azure AD
Adding MFA to a new Tableau SaaS Site
Azure portal: https://portal.azure.com/
Log in with an Azure admin user and open Azure Active Directory
- Add SaaS Site to Azure Active Directory and invite users’ emails.
- Enterprise Applications
- + New Application
- Search Tableau Server, select it, Rename it to “Tableau Server SiteName”
- Add
- Set up single sign-on, click Single sign-on
- Drop down to SAML-based Sign-on
- Sign on URL: https://dataselfbi.com
- Identifier (Entity ID): log in to the SaaS site, go to Settings, Authentication, Enable an additional authentication method, Edit Connection, copy the content of “DataSelf Analytics entity ID” and paste it into this box.
- Reply URL: from the SaaS site, copy “Assertion Consumer Service URL (ACS)” and paste into this box.
- User identifier: user.userprincipalname
- Check “View and edit all other user attributes”
- Click “Add attribute”
- Name box: username
- Value: user.userprincipalname (If the client cannot log into Tableau, you may have to change this to user.mail or user.othermail)
- Ok
- Save
- Download “Metadata XML”
- From SaaS Site – Authentication – Edit:
- Section 4, click Browse, select XML and click Apply
- Section 5, username
- Section 6: leave Authenticate in a separate pop-up window
- Last section: Default authentication: microsoftonline.com (SAML)
- Create a Policy Name for each client organization:
- Back to Azure Active Directory
- Conditional Access
- + New Policy
- Name it such as SaaS ClientName
- Cloud apps -> Include -> Select apps -> Select -> click Microsoft Azure Management and Tableau Server SiteName -> Select -> Done
- Grant: make sure Grant access, Require multi-factor authentication and Require one of the selected controls are selected and saved
- Be sure the settings above are saved before you leave this page (click Save button).
Proceed to add users as described in the prior page.
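The username mapping above (Azure attribute `username` = user.userprincipalname, Tableau Section 5 = username) is where most failed logins come from, and the fastest check is to look at what the identity provider actually sent. The block below is an added example, not DataSelf, Tableau or Microsoft code: it base64-decodes a SAMLResponse, lists the NameID and attributes in the assertion, and reports whether the configured attribute matches the Tableau username and which other claim would have. The sample response is constructed and unsigned; it models an invited (guest) user, whose userPrincipalName in Azure AD takes the `user_domain.com#EXT#@tenant.onmicrosoft.com` form, which is one reason the page's fallback to user.mail is needed. The tenant name, IDs and the address davew@example.com are placeholders.

```python
"""Decode a SAMLResponse and show which identifiers the IdP actually sent, so a
failed Tableau login can be traced to the 'username' attribute mapping.
Added example; not DataSelf, Tableau or Microsoft code."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned assertion shaped like Azure AD output for an invited
# (guest) user: the userPrincipalName carries the '#EXT#' form, while the mail
# claim carries the address the user was invited with.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed_assertion" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">davew@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>davew_example.com#EXT#@contoso.onmicrosoft.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>davew@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# In a browser the same document arrives base64-encoded in the SAMLResponse form field.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(b64_response: str) -> ET.Element:
    """Base64-decode the SAMLResponse form value and parse the XML."""
    return ET.fromstring(base64.b64decode(b64_response))


def extract_identifiers(root: ET.Element) -> dict:
    """Return the NameID and every attribute/value pair in the assertion."""
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt with the SP key before inspecting")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element (an error response carries none)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)
        ]
    return {"name_id": name_id, "attributes": attributes}


def diagnose_login(b64_response: str, tableau_username: str,
                   attribute_name: str = "username") -> dict:
    """Compare the attribute Tableau is configured to read (Section 5 on the page)
    with the site username, and list which other claims would have matched."""
    ids = extract_identifiers(decode_saml_response(b64_response))
    wanted = tableau_username.lower()  # compare case-insensitively
    sent = ids["attributes"].get(attribute_name, [])
    report = {
        "sent_username": sent,
        "matches": wanted in [s.lower() for s in sent],
        "alternatives": [],
    }
    if not report["matches"]:
        for name, values in ids["attributes"].items():
            if name != attribute_name and wanted in [v.lower() for v in values]:
                report["alternatives"].append(name)
        if ids["name_id"].lower() == wanted:
            report["alternatives"].append("NameID")
    return report


if __name__ == "__main__":
    print(diagnose_login(SAMPLE_SAMLRESPONSE, "davew@example.com"))
```

Run against the constructed response, `diagnose_login` reports that the `username` attribute did not match and that the emailaddress claim and the NameID would have, which is exactly the situation in which switching the Azure attribute value to user.mail fixes the login. For a real response, copy the SAMLResponse field from the browser's network tab and pass it in unchanged; the function only reads the assertion and does not verify its signature, so use it for mapping diagnosis, not for trust decisions.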
Adding Users to a New SaaS Site that already has SAML on Azure
Azure portal: https://portal.azure.com/
Log in with an Azure admin user and open Azure Active Directory
- Invite users’ emails to join our Azure Active Directory.
- Enterprise Applications
- Select Tableau Server SiteName
- Click Users and Groups
- + Add user
- Users and groups
- Enter email of a new user (ex.: davew@lucasoil.com)
- Invite
- Repeat the two previous steps (enter the email, Invite) to add more users.
- Select
- Assign
- Steps 2 and 3 are for MFA, and the user will need an Azure AD Premium license. If MFA is not needed for this user, go to step 4.
- Adding MFA to each individual user:
- Back to Azure Active Directory
- Conditional Access
- Click the Policy Name associated to this client (ex.: SaaS ClientName)
- Users and Groups -> Include -> Select users and groups -> Users and Groups > Select -> Select added users > Select > Done
- Conditions: leave as is to always require authentication. To make use of trusted IPs, you'll first need to create Named locations as shown under Optional MFA features below. Then go to: Sign-in risk -> Yes -> High -> Select. Locations -> Yes -> All trusted locations -> Done -> Done. Save.
- Be sure the settings above are saved before you leave this page (click Save button).
- Optional MFA features: Back to “Home - dataself.com - Conditional access – Policies” section:
- If trusted IPs are required: click Named locations -> + New location -> name it, select IP ranges -> check Mark as trusted location -> enter IP ranges such as 170.25.45.21/x (where x is the range, 1 for one IP only) -> Create. This named location is used in the Conditions step above.
- To change other MFA settings such as days before a device must re-authenticate: select Named locations -> Configure MFA trusted IPs.
- Add Users’ emails to their SaaS Site
- Log in to their SaaS Site -> Users, + Add User, select Add users for microsoftonline.com (SAML); Username = email address (ex.: davew@lucasoil.com), the rest is the same as adding regular users.
- Users’ first access:
- Users will receive an invitation to join Azure. If their emails are not associated with Azure already, they just have to accept the invitation and add a password.
- This lands them on an Azure portal page that lists Tableau Server as an app to log on to. Click it, or go directly to https://dataselfbi.com
- Enter their email and they'll land on their SaaS site.
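A trusted named location exempts whatever it covers from the MFA policy, so the `/x` suffix in the IP-ranges step deserves a check before it is saved: it is a CIDR prefix length, and a single IPv4 address is written with /32 (the number of covered addresses halves with each added bit, so a small prefix length trusts a large part of the internet). The block below is an added example, not Microsoft or DataSelf code, using Python's standard `ipaddress` module; the sample entries are constructed around the address format the page uses.

```python
"""Check the IP ranges about to be entered in an Azure AD named location.
Added example; not Microsoft or DataSelf code. The '/x' suffix is a CIDR
prefix length: the helpers show how many addresses each entry covers and
flag entries that would trust far more than a few office egress addresses."""
import ipaddress

# Constructed entries, based on the address format used on this page.
SAMPLE_RANGES = [
    "170.25.45.21/32",    # one IPv4 host
    "170.25.45.0/24",     # a 256-address office block
    "170.25.45.21/1",     # prefix length 1: half of the IPv4 internet
    "10.0.0.0/8",         # private range, not a public egress address
    "170.25.45.300/32",   # typo: 300 is not a valid octet
]


def describe_range(cidr: str) -> dict:
    """Parse a CIDR string and report what it covers. strict=False accepts
    entries with host bits set and reports the network they fall in."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "input": cidr,
        "network": str(net),
        "addresses": net.num_addresses,
        "is_private": net.is_private,
    }


def prefix_for_single_host(address: str) -> str:
    """The CIDR entry that trusts exactly one address: /32 for IPv4, /128 for IPv6."""
    ip = ipaddress.ip_address(address)
    return f"{ip}/{ip.max_prefixlen}"


def audit_trusted_ranges(cidrs, max_addresses: int = 256) -> list:
    """Return (entry, problem) pairs; an entry with no pair is fine to use."""
    findings = []
    for cidr in cidrs:
        try:
            info = describe_range(cidr)
        except ValueError as exc:
            findings.append((cidr, f"invalid: {exc}"))
            continue
        if info["is_private"]:
            findings.append((cidr, "private range: cannot identify an office on the internet"))
        if info["addresses"] > max_addresses:
            findings.append((cidr, f"too broad: trusts {info['addresses']} addresses"))
        if info["network"] != cidr:
            findings.append((cidr, f"host bits set: entry actually means {info['network']}"))
    return findings


if __name__ == "__main__":
    for entry, problem in audit_trusted_ranges(SAMPLE_RANGES):
        print(f"{entry}: {problem}")
```

The `max_addresses` threshold of 256 is an assumption for a typical office; raise it deliberately if a client really egresses from a larger block. Entries that come back with no finding are the ones worth pasting into the named location.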
Related Pages
- Security Details – Technical pages on a variety of security methods.
- Remote Desktop with Static IP security (VPN).
Security Related Pages
- GI (Generic Inquiry) Deployment - DataSelf Analytics for Acumatica
- Embed DataSelf in Acumatica via Site Map
- Embed DataSelf in Acumatica Dashboard Widgets
- Acumatica User Rights for DataSelf
- Acumatica Rights by Role for Generic Inquiries(GI's)
- DRAFT Azure AD SAML Set Up for Tableau
- Password Recommendations
- Entry-Level User and Group Security - Tableau