
SSO, MFA, SAML and Tableau Server

SSO: Single Sign-On; MFA: Multi-Factor Authentication;
SAML: Security Assertion Markup Language

External KB articles:

The following two links provide guidelines to set up SAML/SSO/MFA for Tableau Server:

SAML: https://help.tableau.com/current/server/en-us/saml.htm

Azure: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tableauserver-tutorial

Google Cloud: https://support.google.com/cloudidentity/answer/6359317?hl=en#zippy=%2Cstep-get-google-identity-provider-idp-information%2Cstep-set-up-tableau-as-a-saml-service-provider-sp%2Cstep-finish-sso-configuration-in-admin-console%2Cstep-enable-the-tableau-app%2Cstep-verify-that-the-sso-is-working

DataSelf SaaS Complementary Notes for Azure AD

Adding MFA to a new Tableau SaaS Site

Azure portal: https://portal.azure.com/

Log in as an Azure admin user and open Azure Active Directory.

  1. Add SaaS Site to Azure Active Directory and invite users’ emails.

    1. Enterprise Applications

    2. + New Application

    3. Search Tableau Server, select it, Rename it to “Tableau Server SiteName”

    4. Add

    5. Set up single sign-on, click Single sign-on

      1. Drop down to SAML-based Sign-on

      2. Sign on URL: https://dataselfbi.com

      3. Identifier (Entity ID): log in to the SaaS site, go to Settings, Authentication, Enable an additional authentication method, Edit Connection, copy the content of “DataSelf Analytics entity ID” and paste it into this box.

      4. Reply URL: from the SaaS site, copy “Assertion Consumer Service URL (ACS)” and paste into this box.

      5. User identifier: user.userprincipalname 

      6. Check “View and edit all other user attributes”

      7. Click “Add attribute”

      8. Name box: username

      9. Value: user.userprincipalname (If the client cannot log into Tableau, you may have to change this to user.mail or user.othermail)

      10. Ok

      11. Save

      12. Download “Metadata XML”

      13. From SaaS Site – Authentication – Edit:

        1. Section 4, click Browse, select XML and click Apply

        2. Section 5, username

        3. Section 6: leave Authenticate in a separate pop-up window

        4. Last section: Default authentication: microsoftonline.com (SAML)

  2. Create a Policy Name for each client organization:

    1. Back to Azure Active Directory

    2. Conditional Access

    3. + New Policy

    4. Give it a name such as SaaS ClientName

    5. Cloud apps -> Include -> Select apps -> Select -> click Microsoft Azure Management and Tableau Server SiteName -> Select -> Done

    6. Grant: be sure that Grant access, Require multi-factor authentication, and Require one of the selected controls are selected and have been saved

    7. Be sure the settings above are saved before you leave this page (click Save button).

Proceed to add users as described in the prior page.
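A troubleshooting check for the settings entered in step 1, as an added example that is not part of the original notes: it compares a decoded assertion against the Identifier (Entity ID), the Reply URL (ACS) and the `username` attribute, and shows why a guest account's `user.userprincipalname` can fail to match the site username. The URLs, addresses and the sample assertion are constructed placeholders, the attribute is assumed to be emitted with the bare name `username`, and no signature is verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholders for the two values copied from the SaaS site in step 1 (not real URLs).
ENTITY_ID = "https://sp.example.test/entity-id-placeholder"
ACS_URL = "https://sp.example.test/acs-placeholder"


def sample_assertion(username):
    """Constructed, unsigned assertion shaped like a decoded SAMLResponse body."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="username">
    <saml:AttributeValue>{username}</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, entity_id, acs_url, site_usernames):
    """Return the mismatches between an assertion and the step 1 settings."""
    root = ET.fromstring(xml_text)  # only parse captures from your own sign-in
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append("Audience does not match the Identifier (Entity ID)")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append("Recipient does not match the Reply URL (ACS)")
    path = ".//saml:Attribute[@Name='username']/saml:AttributeValue"
    values = [v.text.strip() for v in root.iterfind(path, NS) if v.text]
    if not values:
        problems.append("no 'username' attribute in the assertion")
    elif values[0] not in site_usernames:
        problems.append(f"username '{values[0]}' is not a user on the site")
    return problems


if __name__ == "__main__":
    site_users = ["davew@example.test"]
    # Invited guest accounts typically get a UPN of the form name_domain#EXT#@tenant.
    for upn in ("davew@example.test", "davew_example.test#EXT#@tenant.example.test"):
        result = check_assertion(sample_assertion(upn), ENTITY_ID, ACS_URL, site_users)
        print(upn, "->", result or "OK")
```

When the second case appears, mapping the attribute to user.mail or user.othermail, as noted in step 9, makes the asserted value equal the email address used as the site username.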

Adding Users to a New SaaS Site that already has SAML on Azure

Azure portal: https://portal.azure.com/

Log in as an Azure admin user and open Azure Active Directory.

  1. Invite users’ emails to join our Azure Active Directory.

    1. Enterprise Applications

    2. Select Tableau Server SiteName

    3. Click Users and Groups

      1. + Add user

      2. Users and groups

      3. Enter email of a new user (ex.: davew@lucasoil.com)

      4. Invite

      5. Repeat steps 3 and 4 to add more users.

      6. Select

      7. Assign

      8. Steps 2 and 3 are for MFA, and the user will need an Azure AD Premium license. If MFA is not needed for this user, go to step 4.

  2. Adding MFA to each individual user:

    1. Back to Azure Active Directory

    2. Conditional Access

    3. Click the Policy Name associated to this client (ex.: SaaS ClientName)

    4. Users and Groups -> Include -> Select users and groups -> Users and Groups > Select -> Select added users > Select > Done

    5. Conditions: Leave as is to always force authentication. To secure trusted IPs, first create Named locations as shown under Optional MFA features below. Then go to: Sign-in risk -> Yes -> High -> Select. Locations -> Yes -> All trusted locations -> Done -> Done. Save.

    6. Be sure the settings above are saved before you leave this page (click Save button).

  3. Optional MFA features: Back to “Home - dataself.com - Conditional access – Policies” section:

    1. If trusted IPs are required: Click Named locations -> + New location -> Name it, select IP ranges -> check Mark as trusted location -> enter IP ranges such as 170.25.45.21/x (where x is the range, 1 for one IP only) -> Create. This named location is used in the Conditions step above.

    2. To change other MFA settings such as days before a device must re-authenticate: select Named locations -> Configure MFA trusted IPs.

  4. Add Users’ emails to their SaaS Site

    1. Log in to their SaaS Site -> Users, + Add User, select Add users for microsoftonline.com (SAML); Username = email address (ex.: davew@lucasoil.com); the rest is the same as adding regular users.

  5. Users’ first access:

    1. Users will receive an invitation to join Azure. If they don’t have their emails associated to Azure already, they just have to accept the invitation and add a password.

    2. This will land them on an Azure portal page that lists Tableau Server for logon. Click on it, or go directly to https://dataselfbi.com

    3. Enter email and it’ll land on their SaaS site.
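Because assigning a user to the application (step 1) and adding that user to the Conditional Access policy (step 2) are separate actions, a user missed in step 2 signs in without MFA. The following added example, which is not part of the original notes, audits a policy export against the list of assigned users; the policy is a constructed sample shaped like a Microsoft Graph conditionalAccessPolicy object, and every id in it is a placeholder.

```python
# Constructed policy, shaped like a Microsoft Graph conditionalAccessPolicy export.
# All ids are placeholders, not real object or application ids.
POLICY = {
    "displayName": "SaaS ClientName",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": ["tableau-app-id-placeholder"]},
        "users": {"includeUsers": ["user-id-1", "user-id-2"], "excludeUsers": []},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def audit_policy(policy, app_id, assigned_user_ids):
    """List gaps between the app's assigned users and the MFA policy.

    Assumes users are added to the policy directly, as in the steps above;
    membership through includeGroups is not resolved here.
    """
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}: MFA is not enforced")
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {}).get("includeApplications", [])
    if app_id not in apps and "All" not in apps:
        findings.append("policy does not target the Tableau Server application")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        findings.append("grant controls do not require MFA")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("MFA is only one of several OR'd controls")
    users = cond.get("users", {})
    included = set(users.get("includeUsers", []))
    excluded = set(users.get("excludeUsers", []))
    for uid in assigned_user_ids:
        if uid in excluded or ("All" not in included and uid not in included):
            findings.append(f"{uid} is assigned to the app but not covered by the policy")
    if cond.get("locations", {}).get("excludeLocations"):
        findings.append("trusted locations are excluded: review the named IP ranges")
    return findings


if __name__ == "__main__":
    for line in audit_policy(POLICY, "tableau-app-id-placeholder", ["user-id-1", "user-id-3"]):
        print(line)
```

Users reported as not covered are either the intentional no-MFA cases from step 1 or accounts that were never added to the policy, so each one needs a decision.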

