Okta apps and Tableau
Here is what I learned when testing out Tableau Online SAML with Okta
Last updated
This testing focuses on the integration between Tableau Online and Okta for SAML authentication: the core flow that gets a user securely logged on, not advanced configuration or user provisioning (provisioning is covered separately further down).
There are two published apps in the Okta Integration Network (OIN): one for Tableau Online (TOL) and one for Tableau Server. They have different SAML feature sets, which you need to be aware of. The Okta Tableau Online app supports the following features, and it is not just authentication that the TOL app provides: it also has SCIM for user provisioning.
SP-initiated SSO
IdP-initiated SSO
SP-Initiated Single Logout (SLO)
SCIM user provisioning
The Tableau Server Okta app supports the same features apart from SCIM. Also note that neither app supports IdP-initiated SLO.
Sign up for an Okta Developer tenant. The tenant is permanent and allows you to test all the features you need.
I don't want to duplicate the setup instructions here, as the Okta and Tableau docs do a good job. To be honest, I found the Okta instructions better than the Tableau Online ones, as they had screenshots. However, the Okta Tableau Server instructions look out of date.
Okta setup resources:
How to Configure SAML 2.0 for Tableau Online
How to Configure SAML 2.0 for Tableau Server (this has out-of-date, pre-TSM screenshots)
Tableau setup resources:
Configure SAML with Okta (Tableau Online)
SAML (Tableau Server general SAML guidance)
The key SAML configuration items are described below. I tested TOL but have included some information, such as the Return URL and certificates, that is only required by a Tableau Server deployment. Surprisingly, Okta does not require (or support) uploading the Service Provider metadata to complete the configuration by metadata exchange, so you have to input the details manually. That makes it worth checking that the ACS URL and entity ID you type into Okta match the values in the Tableau SP metadata character for character; a mismatch shows up as a failed sign-in with an audience or destination error rather than anything obvious in the Okta UI.
Configuration item (product) and description:

SAML entity ID (Tableau Online and Server)
The entity ID uniquely identifies your Tableau installation to the IdP. In SAML metadata it names a system entity, such as an IdP or an SP, and a single metadata document can list several of them. The value of the entityID attribute SHOULD be the canonical URL of the entity's metadata document. If you plan to enable site-specific SAML later, this URL also serves as the base for each site's unique ID.
An example from TOL: entityID="https://sso.online.tableau.com/public/sp/metadata?alias=4b728bd1-df88-xxxx-xxxx-xxxxxxxxxxxx"
An example from Server: entityID="https://tableau-server"

Assertion Consumer Service (ACS) URL (Tableau Online)
The Tableau Online endpoint to which Okta posts the signed SAML response. Copy it from the site's authentication settings into the Okta app exactly as shown; the IdP will only deliver the user's assertion to this location.

IdP metadata XML file (Tableau Online)
SAML metadata is the configuration data required to automatically negotiate agreements between system entities. It comprises identifiers, binding support and endpoints, certificates, keys, cryptographic capabilities, and security and privacy policies. You download this file from the Okta portal and upload it to Tableau Online.

Return URL (Tableau Server)
The URL that Tableau Server users will access, such as https://tableau-server. Using https://localhost, or a URL with a trailing slash such as http://tableau_server/, is not supported.

SAML certificate and key files (Tableau Server)
One thing to be aware of is that by default Tableau Server currently uses the SHA-1 signature algorithm, whereas many IdPs use SHA-256 as standard. You can switch Tableau Server to SHA-256 with the following TSM command and then apply the pending change with tsm pending-changes apply:
tsm configuration set -k wgserver.saml.sha256 -v true
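Because the values above are typed into Okta by hand, it pays to check them against the metadata documents both sides publish. The following Python script is an added example for this write-up (not Okta's or Tableau's code): it parses a constructed Okta-style IdP metadata document and a constructed Tableau Online-style SP metadata document, pulls out the entity IDs, the SSO/ACS/SLO endpoints and the IdP signing certificate, fingerprints the certificate so it can be compared with what the Okta admin console shows, applies the Return URL rules from the table to a Tableau Server value, and compares what was entered into the Okta app with what the SP metadata declares. All hostnames, the Okta app id, the alias GUID and the certificate bytes are placeholders, and the parameter names okta_acs_url and okta_entity_id are my own, standing for whatever the Okta app's sign-on settings call those two fields.

```python
"""Sanity checks for manually entered Okta <-> Tableau SAML settings.

Added example for this write-up, not Okta's or Tableau's code. Both metadata
documents are constructed to mimic the shape of an Okta IdP metadata export
and a Tableau Online SP metadata document; hostnames, app id, alias GUID and
the certificate are placeholders, not real values.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata (Okta-like shape). The certificate is the base64 of
# the string "placeholder-not-a-real-cert", not DER.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>cGxhY2Vob2xkZXItbm90LWEtcmVhbC1jZXJ0</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://dev-000000.okta.com/app/tableauonline/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://dev-000000.okta.com/app/tableauonline/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata (Tableau Online-like shape, placeholder alias).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sso.online.tableau.com/public/sp/metadata?alias=00000000-0000-0000-0000-000000000000">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sso.online.tableau.com/public/sp/SLO?alias=00000000-0000-0000-0000-000000000000"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sso.online.tableau.com/public/sp/SSO?alias=00000000-0000-0000-0000-000000000000" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoints(role, tag):
    """Map Binding -> Location for every <md:tag> under a role descriptor."""
    return {e.get("Binding"): e.get("Location") for e in role.findall(MD + tag)}


def parse_idp_metadata(xml_text):
    """Entity ID, SSO/SLO endpoints and signing certs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    return {"entity_id": root.get("entityID"),
            "sso": _endpoints(idp, "SingleSignOnService"),
            "slo": _endpoints(idp, "SingleLogoutService"),
            "signing_certs": [c.text.strip() for c in idp.iter(DS + "X509Certificate")]}


def parse_sp_metadata(xml_text):
    """Entity ID, ACS/SLO endpoints and signing expectations from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find(MD + "SPSSODescriptor")
    return {"entity_id": root.get("entityID"),
            "acs": _endpoints(sp, "AssertionConsumerService"),
            "slo": _endpoints(sp, "SingleLogoutService"),
            "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true"}


def cert_fingerprint(b64_cert):
    """SHA-256 fingerprint of the decoded certificate bytes, colon separated."""
    digest = hashlib.sha256(base64.b64decode(b64_cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_return_url(url):
    """Tableau Server return URL rules: no localhost, no trailing slash; warn on http."""
    problems = []
    parsed = urlparse(url)
    if parsed.hostname == "localhost":
        problems.append("https://localhost is not supported as the return URL")
    if url.endswith("/"):
        problems.append("return URL must not end with a trailing slash")
    if parsed.scheme != "https":
        problems.append("return URL is not https; the SAML response would travel in clear text")
    return problems


def check_okta_app_settings(sp, okta_acs_url, okta_entity_id):
    """Compare the values typed into the Okta app with the SP metadata (hypothetical field names)."""
    problems = []
    acs = sp["acs"].get(HTTP_POST)
    if okta_acs_url != acs:
        problems.append(f"Okta ACS URL {okta_acs_url!r} != SP metadata ACS {acs!r}")
    if okta_entity_id != sp["entity_id"]:
        problems.append(f"Okta entity ID {okta_entity_id!r} != SP entityID {sp['entity_id']!r}")
    for loc in list(sp["acs"].values()) + list(sp["slo"].values()):
        if urlparse(loc).scheme != "https":
            problems.append(f"endpoint {loc} is not https")
    return problems


if __name__ == "__main__":
    idp, sp = parse_idp_metadata(IDP_METADATA), parse_sp_metadata(SP_METADATA)
    print("IdP entityID:", idp["entity_id"])
    print("IdP signing cert SHA-256:", cert_fingerprint(idp["signing_certs"][0]))
    print("IdP advertises SLO:", bool(idp["slo"]))
    print("Okta settings vs SP metadata:",
          check_okta_app_settings(sp, sp["acs"][HTTP_POST], sp["entity_id"]) or "match")
    print("Return URL problems:", check_return_url("http://tableau_server/"))
```

Feed the real metadata files in and the `check_okta_app_settings` call is where a copy-and-paste slip in the Okta app shows up before the first failed sign-in; the missing `SingleLogoutService` on the IdP side is also visible in the parsed output, which is what the SLO test further down confirms by hand.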
After completing any configuration I usually go through and write validation tests to confirm the setup is working as expected. This was how I found the lack of support for IdP-initiated SLO mentioned above. Here are the tests I completed, as a starting point.

Test: Tableau sign-in with SAML user
Actions: Enter the username and select Sign In; redirected to Okta to enter the password; redirected into TOL
Result: Success

Test: Okta sign-in with SAML user
Actions: Sign in to Okta with credentials, click on Tableau Online and enter the portal
Result: Success

Test: Sign in with MFA
Actions: MFA enforced by Okta policy
Result: Success

Test: Sign out from Okta
Actions: Select sign out from the app in Okta
Result: Failed, as expected, since IdP-initiated SLO is not supported (signing out of Okta does not end the Tableau session)

Test: Sign out from Tableau
Actions: Go to the Tableau user profile and select Sign out
Result: Success

Test: Sign in with local user from Tableau
Actions: Go to the Tableau sign-in page and log in with a local user
Result: Success: login works with no redirection to Okta
It is simple to get up and running with Tableau and Okta using the apps Okta provides for both Tableau Online and Server. The key point to understand is the features provided by each app. The Tableau Online app supports SCIM user and group provisioning. The Tableau Server app purely delivers SAML authentication (no SCIM), and neither app supports IdP-initiated SLO. That last point matters operationally: signing a user out of Okta, or suspending them there, does not end an existing Tableau session, so an established session lives on until it times out or the user signs out of Tableau itself.
Lifecycle Management is a grand title for the process of managing the accounts that access your services. A simple way to think of it is the Joiners, Movers and Leavers in your organization. We will narrow the focus down to how you provision users and groups into Tableau.
Okta's Tableau Server application does not support provisioning, only authentication. So to provision users and groups to the server we need to look at another method. Okta's Universal Directory has an LDAP interface, which means Tableau Server can connect to it as an external identity store, just as it would to any other LDAP directory.
The article above is great, as it also shows how to sync from Active Directory. It describes how to deploy the Okta AD agent to synchronize users between Okta and Active Directory. Users and groups that originated in AD are then in the Okta Universal Directory and can be imported into Tableau by binding Tableau to the Okta LDAP interface, just as you would with any LDAP service.
As mentioned above, the Okta app for Tableau Online has SCIM user provisioning built in.
The main features it supports are:
Create, Update and Deactivate
Group Push and Group Linking
There are instructions on the configuration in our Help docs for both Okta and OneLogin.
There are a number of considerations listed in our docs. I have included two constraints that could impact provisioning:
Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret token is tied to the Tableau Online user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret token becomes invalid, and another site administrator must generate a new secret token and apply it to your IdP.
Not all Tableau features are supported with the app:
Use of SCIM with Grant License on Sign In is unsupported and may result in incorrectly provisioned site roles for users or groups.
Please read all the documentation.
When configuring the app you have three options: Create, Update and Deactivate.
Despite what the screenshot shows, this isn't the full story; there are limitations in the way it works.
Matching users
The Okta TOL app is designed to create or link users in TOL when the app is assigned to a user in Okta. I wanted to test the link part of it as well as create!
When enabling provisioning for my chosen AD group, I intentionally picked a group that already had a user enabled in TOL (Ahmed Kroner). After the assignment of the AD group it reported a couple of errors. These related to a new user from AD who was not in TOL (Alona Marr) and an Okta user who was not part of the provisioned AD group (John Thompson).
Login was successful with Ahmed, which showed that the account was linked.
For Alona, I had to remove the AD group and assign it to the app a second time for the user to be provisioned.
Two further notes on the configuration table above.
Assertion Consumer Service (ACS) URL, Tableau Online: Service Providers support SSO protocols by including one or more endpoint elements in their metadata. These are the locations at the SP to which the IdP will eventually send the user. By enumerating them in the metadata, the IdP can ensure that the user's information is sent only to authorized locations. An example from TOL: Location=""
SAML certificate and key files, Tableau Server: Tableau Server requires a certificate and key pair to encrypt the traffic, sign the request that is sent to the IdP and encrypt assertions. The requirements listed in the Tableau docs for these files are specific, so they need to be followed carefully.