This post is part of our series covering tips, tricks, and ideas in Tableau Online, our cloud collaboration and sharing platform.
If you’re a site administrator, choosing the best authentication method for your organization requires you to balance competing priorities:
Never fear, SAML is here. Or more precisely, Active Directory Federation Services (ADFS) leveraging SAML is here.
ADFS allows cloud-based services to use single sign-on (SSO) backed by Active Directory (AD), a common service used for authentication behind company firewalls. ADFS does this by integrating with SAML, an authentication standard currently available in Tableau Online.
A word to the wise: We’re about to dive deep into the bowels of your Tableau Online account. Now’s the time to pull out your site administrator credentials and fire up your Active Directory admin account.
Here’s what our authentication flow will look like. (Note that, in this example, the Identity Provider (IdP) is ADFS. However, Tableau Online also integrates with other SAML IdPs like OneLogin and Okta. These services also have methods for federating user authentication to AD.)
Authentication in this setup is performed by Active Directory, which is also used for many local authentication tasks. Once set up with Tableau Online, your end users will use their regular AD credentials to log in to Tableau Online—the same credentials they use to log in to their desktop computers.
It’s a win-win situation. There’s no need for users to remember yet another password. And your IT team won’t need to manage an additional set of user credentials. Plus you can sleep soundly knowing your AD user credentials already comply with corporate policies.
Isn’t it great making everyone happy?
You’ll need an Active Directory Server with ADFS 2.0 installed (in this post I use Windows Server 2008 with ADFS 2.0). Your ADFS Server also needs to be exposed outside your company firewall. We recommend doing so in a secure manner (e.g. utilizing a reverse proxy). Exposing your ADFS Server allows Tableau Online to seamlessly redirect users to the login page hosted by ADFS—outlined in step #2 in the diagram above.
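When the redirect to ADFS does not land where you expect, decoding the `SAMLRequest` parameter from the browser's address bar shows where the request is actually addressed. The Python below is an added example, not code from Tableau or from this post; it assumes the SAML HTTP-Redirect binding, and the hostnames, the `/saml` paths and the function names are placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_redirect_url(idp_url, xml_text):
    """Raw DEFLATE, base64, URL-encode: the HTTP-Redirect binding encoding."""
    comp = zlib.compressobj(wbits=-15)  # -15 = raw DEFLATE, no zlib header
    blob = base64.b64encode(comp.compress(xml_text.encode()) + comp.flush())
    return idp_url + "?" + urlencode({"SAMLRequest": blob.decode()})

def decode_authn_request(redirect_url):
    """Return the fields to inspect when the redirect to the IdP misbehaves."""
    url = urlparse(redirect_url)
    raw = base64.b64decode(parse_qs(url.query)["SAMLRequest"][0])
    # Input here is a URL captured from your own browser, not untrusted XML.
    root = ET.fromstring(zlib.decompress(raw, wbits=-15))
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return {"idp_host": url.hostname,
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "destination": root.get("Destination"),
            "acs_url": root.get("AssertionConsumerServiceURL")}

def check_request(fields, expected_idp_host):
    """List problems; an empty list means the request is addressed as expected."""
    problems = []
    dest = urlparse(fields["destination"] or "")
    if dest.scheme != "https":
        problems.append("Destination is not HTTPS")
    if dest.hostname != expected_idp_host or fields["idp_host"] != expected_idp_host:
        problems.append("request is not addressed to the expected ADFS host")
    if urlparse(fields["acs_url"] or "").scheme != "https":
        problems.append("AssertionConsumerServiceURL is not HTTPS")
    return problems

# Constructed sample: hostnames, ID and paths are placeholders, not real values.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
    'Version="2.0" Destination="https://adfs.example.test/adfs/ls/" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs">'
    '<saml:Issuer>https://sp.example.test/saml</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_URL = build_redirect_url("https://adfs.example.test/adfs/ls/", SAMPLE_XML)

if __name__ == "__main__":
    fields = decode_authn_request(SAMPLE_URL)
    print(fields, check_request(fields, "adfs.example.test"))
```

An empty problem list only means the request is addressed to the expected host over HTTPS; it says nothing about whether ADFS will accept it.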
First you’ll need to set up Tableau Online to use SAML. The configuration is done on the Authentication page, under the Settings tab:
Next you’ll set up ADFS to play nicely with Tableau Online.
Whew! Take a break and get yourself a cup of tea (I live in England, after all). You’ve made it this far. You deserve it. And you’re almost finished!
There’s just one last bit of configuration to do within Tableau Online.
Pat yourself on the back. You’ve made it to the finish line! Your site is now ready to authenticate via ADFS leveraging SAML. Your users will still navigate to https://online.tableau.com to sign in. But now, after entering their email address, the page will automatically redirect through ADFS and ask users for their AD username and password. Here's what it will look like: