Welcome
#TC18 All about SAML: End-to-end Tableau and OKTA integration. Abhishek Singh, Senior Manager, Regional Delivery, Tableau
Abhishek Singh, Senior Manager, Regional Delivery, asingh@tableau.com
Agenda
  What is SAML?
  Why SAML?
  How does SAML work?
  Options for SAML configuration
  Demo
  Troubleshooting
  Resources
What is SAML?
What is SAML?
  Security Assertion Markup Language
  SSO login standard
  Originally developed in 2001; last updated in 2005 (SAML 2.0)
  XML-based
  Users are authenticated through an external Identity Provider (IdP)
  Logged in to Tableau Server/Online automatically after logging in to the IdP
  Can be used with Local Authentication or Active Directory
Why SAML? Standardized, secure, easy to use, IT-friendly
Terminology
  Client: the user attempting to access a resource (the Tableau Server user)
  Service Provider (SP): the web server the end user is trying to access (Tableau Server)
  Identity Provider (IdP): a third party that manages identities and credentials, e.g. Okta, OneLogin, Ping Identity, etc.
How does SAML work? Service provider (SP) initiated
  1. User navigates to the Tableau Server sign-in page or a published workbook, and enters the user name.
  2. Tableau Server starts the authentication process and redirects the request to the registered IdP.
  3. The IdP requests the user's password and, after confirming that the user name submitted is identical to the user name stored in the IdP assertions, authenticates the user.
  4. The IdP returns a SAML success response to Tableau Server.
  5. Tableau Server displays the page the user requested in step 1.
How does SAML work? Identity provider (IdP) initiated
  1. User navigates to the IdP portal.
  2. User clicks on the link to the SP.
  3. Creation of a SAML assertion is triggered, which is transported to the SP using the HTTP POST binding.
  4. An access check is made to establish whether the user has the correct authorization to access the resource.
  5. If the access check passes, the SP page is displayed by the browser.
SAML Options
  Server-wide SAML authentication
  Server-wide local authentication and site-specific SAML authentication
  Server-wide SAML authentication and site-specific SAML authentication
SAML: Server-wide SAML authentication
  All server users authenticate with the same SAML IdP
  [Diagram: Tableau Server with Site 1 and Site 2, both served by one IdP]
SAML: Server-wide local authentication and site-specific SAML authentication
  Users from one or more sites on Tableau Server authenticate with one or more SAML IdPs
  Each site can use a different IdP
  Users not configured to use SAML can sign in via Local Authentication
  [Diagram: Tableau Server with Site 1 and Site 2, each with its own IdP]
SAML: Server-wide SAML authentication and site-specific SAML authentication
  All users authenticate with a single SAML IdP
  There is a default SAML IdP for users that belong to multiple sites
  Each site can use a different IdP
  [Diagram: Tableau Server with Site 1 and Site 2, a default server-wide IdP plus per-site IdPs]
Compatibility Requirements
  No Kerberos
  No Mutual SSL
  To connect to a site-specific SAML enabled Tableau Server from Desktop, users must run Desktop 10.0 or later
Demo
Tableau Config
OKTA Config
SAML Response
IDP Metadata
Troubleshooting
  Use SAML-tracer (browser extension) to capture the request and response
  Set the log level to debug for wgserver:
    tabadmin set vizportal.log.level debug
    tsm configuration set -k vizportal.log.level -v debug
  Common failures:
    Missing username attribute
    Clocks not in sync
    Assertion not signed
    Not using HTTP-POST
    Destination not matching
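The first triage step for four of the failures listed above (missing username, clock skew, unsigned assertion, wrong Destination) can be automated against a response captured with SAML-tracer. The checker below is an added example, not part of the original deck or of Tableau's code; the ACS URL, the sample response and the timestamps are constructed, and it only checks that a Signature element is present, not that the signature is cryptographically valid (use a real SAML library for that).

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(value):  # SAML timestamps are xsd:dateTime in UTC, e.g. 2018-10-23T18:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, expected_acs_url, now=None, skew=timedelta(minutes=2)):
    """Return the list of problems found (empty = all checks passed).
    Only the presence of a Signature is checked, not its cryptographic validity."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    # "Destination not matching": the IdP must POST to Tableau's exact ACS URL
    dest = root.get("Destination")
    if dest != expected_acs_url:
        problems.append(f"Destination mismatch: got {dest!r}, expected {expected_acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["No Assertion element in response"]
    # "Assertion not signed": Tableau requires a ds:Signature on the assertion
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    # "Missing username attribute": NameID must be present and non-empty
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Missing username (NameID)")
    # "Clocks not in sync": validity window checked with a small skew allowance
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            problems.append(f"Not yet valid (NotBefore={nb}); check IdP/SP clock sync")
        if na and now - skew >= _ts(na):
            problems.append(f"Expired (NotOnOrAfter={na}); check IdP/SP clock sync")
    return problems

# Constructed sample (not a real IdP capture): unsigned assertion, otherwise consistent
EXPECTED_ACS = "https://tableau.example.com/wg/saml/SSO/index.html"  # assumed ACS URL
SAMPLE_NOW = datetime(2018, 10, 23, 18, 2, tzinfo=timezone.utc)
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{EXPECTED_ACS}">
  <saml:Assertion><saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-10-23T18:00:00Z" NotOnOrAfter="2018-10-23T18:05:00Z"/>
  </saml:Assertion></samlp:Response>"""

def demo(acs_url=EXPECTED_ACS, minutes_offset=0):
    """Run the checks on the sample; minutes_offset simulates SP clock drift."""
    return check_saml_response(SAMPLE, acs_url, now=SAMPLE_NOW + timedelta(minutes=minutes_offset))
    # demo() -> ['Assertion is not signed']
```

Paste the decoded Response from SAML-tracer in place of SAMPLE and your server's ACS URL in place of EXPECTED_ACS; each reported problem maps directly to one of the failure modes on the slide.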
Resources
  Tableau Online Help: https://onlinehelp.tableau.com/current/server/en-us/saml.htm
  Step-by-step guide for ADFS integration: https://onlinehelp.tableau.com/current/server/en-us/saml_config_adfs_server.htm
  Troubleshooting steps: https://onlinehelp.tableau.com/current/server/en-us/saml_trouble.htm
  Tableau Online OKTA integration: https://onlinehelp.tableau.com/current/online/en-us/saml_config_okta.htm
Please complete the session survey from the My Evaluations menu in your TC18 app
Questions?
#TC18 Thank you! Abhishek Singh (asingh@tableau.com)