With Simple Setup, SAML Streamlines Tableau Online Security

Editor’s Note: Tableau Online is now Tableau Cloud.

Note: The following is a guest post by Tableau Zen Master Craig Bloodworth of The Information Lab.

Today's IT systems are in the cloud. Indeed, some companies, The Information Lab included, start up with no internal hardware other than end-user laptops. For us, the cloud provides the home for our email, CRM, filestore, and, of course, our Tableau Servers. Some of these are installed on virtual machines or dedicated servers while others are hosted applications such as Tableau Online.

Multiple applications hosted on multiple systems usually result in one thing: many separate user accounts, each with its own password. For the IT guy responsible for security, this presents a big problem. For one, how do you administer new users and remove old ones, maintain a common security policy, and handle all of those forgotten-email requests?

Over the past few years, one solution has stood out as the de facto standard for enterprise-grade security in the cloud, and that, of course, is SAML. SAML, or Security Assertion Markup Language, is a method for offloading the authentication piece of an application, or service provider, onto a centralised and controlled authentication server, or identity provider.

For a standard application, you can split the method of login into two processes. First comes authentication, which checks a username against a given password. Then comes permissioning, which takes that validated username and checks whether it should be allowed the requested resource. It's the authentication piece that SAML offloads to the identity provider.

A Tableau-compatible SAML identity provider (IdP) is simple enough to set up and takes just a few clicks. The only requirement is that it uses the SAML 2.0 protocol. Microsoft Active Directory can be configured against an IdP using Active Directory Federation Services 2.0 (I have a blog post on a simple setup procedure), with other compatible systems including, but not limited to, Shibboleth and OneLogin. OneLogin is an interesting IdP as it is itself in the cloud but can integrate with directory services such as Active Directory, LDAP, Workday, and even Google Apps. It can also function as its own local directory service.

Once your IdP is in place, simply follow the Tableau Server admin guide to complete the configuration.

Finally, whether you’re using SAML now or not, it’s a good idea to try to use cloud services that enable SAML. Once you’ve got a few cloud services, you may want to adopt a single sign-on solution.
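
The split described above between authentication (offloaded to the IdP) and permissioning (kept by the service provider) can be sketched as follows. This is an added example, not code from the original post or from Tableau; the entity IDs, user, resource names and sample assertion are constructed, and the IdP's XML signature is assumed to have been verified by a SAML library beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "https://idp.example.com"  # hypothetical IdP entity ID
SP_ENTITY_ID = "https://sp.example.com"     # hypothetical service provider entity ID
# Permissioning stays with the service provider: its own user-to-resource table.
PERMISSIONS = {"alice@example.com": {"sales-dashboard"}}

# Constructed sample assertion, signature element omitted for brevity.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authenticated_user(xml_text, now):
    """Return the asserted NameID, or None if the assertion is not acceptable.

    Assumption: a SAML library has already verified the IdP's XML signature;
    never run these checks on an unverified assertion.
    """
    root = ET.fromstring(xml_text)
    if root.get("Version") != "2.0":  # the post's one requirement: SAML 2.0
        return None
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        return None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None
    audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS) if a.text]
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if SP_ENTITY_ID not in audiences or not (nb and na and _ts(nb) <= now < _ts(na)):
        return None
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def may_access(xml_text, resource, now):
    """Authentication comes from the IdP; the permission decision is made locally."""
    user = authenticated_user(xml_text, now)
    return user is not None and resource in PERMISSIONS.get(user, set())
```

An assertion meant for another service, issued by an unknown IdP, or outside its validity window yields no user, so the local permission table is never consulted.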