
Chapter 128

Configuring Tableau Online
The following is an overview of the steps required to configure the Tableau Online
application for single sign-on (SSO) via SAML. Tableau Online offers both IdP-initiated
SAML SSO (for SSO access through the user portal or Centrify mobile applications) and
SP-initiated SAML SSO (for SSO access directly through the Tableau Online web
application). You can configure Tableau Online for either or both types of SSO. Enabling
both methods ensures that users can log in to Tableau Online in different situations such as
clicking through a notification email.
1 Prepare for Tableau Online single sign-on (see "Tableau Online requirements for SSO" on page 128-10).

2 In the Centrify Cloud Manager, add the application and configure application settings.
Once the application settings are configured, complete the user account mapping and
assign the application to one or more roles. For details, see "Configuring Tableau Online
in Cloud Manager" on page 128-12.

3 Configure the Tableau Online application for single sign-on.
To configure Tableau Online for SSO, copy settings from the Application Settings page
in the Centrify Cloud Manager, and paste them into fields on the Tableau Online website.
For details, see "Configuring Tableau Online on its web site" on page 128-16.

After you are done configuring the application settings in the Cloud Manager and the
Tableau Online application, users are ready to launch the application from the Centrify
user portal.

Preparing for Configuration



Tableau Online requirements for SSO
Before you configure the Tableau Online server for SSO, you need the following:

- An active Tableau Online account with administrator rights for your organization.
- A signed certificate. You can either download one from Cloud Manager or use your organization's trusted certificate.

Setting up the certificates for SSO


To establish a trusted connection between the web application and the cloud service, you
need to have the same signing certificate in both the application and the application settings
in Cloud Manager.
If you use your own certificate, you upload the signing certificate and its private key in a
.pfx or .p12 file to the application settings in Cloud Manager. You also upload the public
key certificate in a .cer or .pem file to the web application.
To download an application certificate from Cloud Manager (overview):
1 In the Apps page, add the application.
2 Click the application to open the application details.
3 In the Application Settings tab, click Download Signing Certificate to download and save the certificate.
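
A pre-import check for the certificate handling described above, added here as an example (not Centrify or Tableau code): it confirms that the IdP metadata you are about to import into Tableau Online carries the signing certificate you expect, which catches stale metadata after a certificate replacement. It assumes a PEM-encoded certificate file; the function names, entity ID and sample certificate bytes are constructed for illustration.

```javascript
// Decode a PEM certificate (or bare base64 text) to its DER bytes.
function pemToDer(pem) {
  const b64 = pem.replace(/-----(BEGIN|END) CERTIFICATE-----/g, '').replace(/\s+/g, '');
  return Buffer.from(b64, 'base64');
}

// Collect every X509Certificate value in SAML metadata, with or without a
// namespace prefix. A regex is enough for this sanity check; it does not validate XML.
function certsInMetadata(xml) {
  const re = /<(?:[\w-]+:)?X509Certificate>([^<]+)<\/(?:[\w-]+:)?X509Certificate>/g;
  return [...xml.matchAll(re)].map((m) => pemToDer(m[1]));
}

// Returns 'match', 'stale' (metadata carries a different certificate) or 'missing'.
function checkMetadata(xml, expectedPem) {
  const expected = pemToDer(expectedPem);
  const found = certsInMetadata(xml);
  if (found.length === 0) return 'missing';
  return found.some((der) => der.equals(expected)) ? 'match' : 'stale';
}

// Constructed sample bytes standing in for certificates (not real X.509 data).
const toPem = (buf) => '-----BEGIN CERTIFICATE-----\n' +
  buf.toString('base64').match(/.{1,64}/g).join('\n') + '\n-----END CERTIFICATE-----\n';
const oldCert = toPem(Buffer.from('constructed sample: default tenant signing certificate'.repeat(3)));
const newCert = toPem(Buffer.from('constructed sample: organization certificate from pfx'.repeat(3)));

// Constructed IdP metadata embedding the given certificate.
const metadataFor = (pem) => `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/placeholder">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
   <ds:X509Certificate>${pemToDer(pem).toString('base64')}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>`;

// Metadata downloaded before the certificate was replaced no longer matches.
console.log(checkMetadata(metadataFor(oldCert), newCert)); // stale
```

A 'stale' result means the metadata was downloaded before the certificate was replaced and should be downloaded again before it is imported.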

What you need to know about Tableau Online


Each SAML application is different. The following table lists features and functionality
specific to Tableau Online.

| Capability | Supported? | Support details |
|---|---|---|
| Web browser client | Yes | |
| Mobile client | No | Tableau's mobile clients do not support SSO. |
| SAML 2.0 | Yes | |
| SP-initiated SSO | Yes | |
| IdP-initiated SSO | Yes | |
| Force user login via SSO only | Yes | After SSO is enabled, users must authenticate through the Centrify identity platform. |
| Separate administrator login after SSO is enabled (back door login) | No | |
| User or Administrator account lockout risk | Yes | There is a risk of being locked out of your account if SSO is enabled. As a Server or Site Administrator, if you are locked out and SSO is enabled, you must call Tableau Online to disable SSO temporarily to bypass the lockout. As a non-admin user, if you are locked out and SSO is enabled, contact your Server or Site Administrator to restore access. |
| Automatic user provisioning | No | |
| Multiple User types | Yes | User types in Tableau Online are called Site Roles. Server Administrator and Site Administrator are the two site roles that can manage a Tableau Online account, including configuring SAML SSO. |
| Self-service password | No | Once SSO is enabled passwords are not required to access Tableau Online. A Tableau site or server administrator must change user passwords on the Tableau Server. |
| Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Cloud Manager Policy page to restrict access to the application. |


Configuring Tableau Online in Cloud Manager

Tip: It is helpful to open the Tableau Online web application authentication settings page
and the Centrify Cloud Manager Application Settings window simultaneously to copy and
paste settings between the two browser windows. For information on how to access the
Tableau Online web application Admin Console, see "Configuring Tableau Online on its
web site" on page 128-16.

To add and configure the Tableau Online application in Cloud Manager:

1 In Cloud Manager, click Apps.
2 Click Add Web Apps.
The Add Web Apps screen appears.
3 On the Search tab, enter the partial or full application name in the Search field and click the search icon.
4 Next to the application, click Add.
5 In the Add Web App screen, click Yes to confirm.
Cloud Manager adds the application.
6 Click Close to exit the Application Catalog.
The application that you just added opens to the Application Settings page.
7 Configure the following:

| Field | Required or optional | Set it to | What you do |
|---|---|---|---|
| Assertion Consumer Service URL (ACS) | Required | Your Tableau Online-provided ACS URL. | Use the Tableau Online-provided ACS URL. |
| Tableau Online Entity ID | Required | Your Tableau Online-provided Tableau Online Entity ID. | Use the Tableau Online-provided Online Entity ID. |
| Download Identity Provider Metadata | Required | The cloud service automatically generates the metadata content. | Click the link to download the metadata file. Import this file into Tableau Online. |
| Download Signing Certificate | Required | The cloud service automatically generates the metadata content. | If necessary, click the link to download the default Signing Certificate. The certificate content is automatically included as part of the Identity Provider metadata. To use a certificate with a private key (pfx file) from your local storage, see Step 7 below. If you replace the certificate, download the Identity Provider SAML metadata again and reimport it in Tableau Online. |

8 On the Application Settings page, expand the Additional Options section and specify the following settings:

Application ID: Configure this field if you are deploying a mobile application that uses
the Centrify mobile SDK, for example mobile applications that are deployed into a
Samsung KNOX version 1 container. The cloud service uses the Application ID to provide
single sign-on to mobile applications. Note the following:
- The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
- There can only be one SAML application deployed with the name used by the mobile application.
- The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Show in User app list: Select Show in User app list to display this web application in the
user portal. (This option is selected by default.) If this web application is added only to
provide SAML for a corresponding mobile app, deselect this option so the web application
won't display for users in the user portal.

Security Certificate: These settings specify the security certificate used for secure SSO
authentication between the cloud service and the web application. Select an option to
change the security certificate.
- Use existing certificate displays beneath it the certificate currently in use. The Download button below the certificate name downloads the current certificate through your web browser to your computer so you can supply the certificate to the web application during SSO configuration. It's not necessary to select this option; it's present to display current status.
- Use the default tenant signing certificate selects the cloud service standard certificate for use. This is the default setting.
- Use a certificate with a private key (pfx file) from your local storage selects any certificate you want to supply, typically your organization's own certificate. To use this selection, you must click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted.

9 (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.
The Category field specifies the default grouping for the application in the user portal.
Users have the option to create a tag that overrides the default grouping in the user portal.

10 On the User Access page, select the role(s) that represent the users and groups that have access to the application.
When assigning an application to a role, select either Automatic Install or Optional Install:
- Select Automatic Install for applications that you want to appear automatically for users.
- If you select Optional Install, the application doesn't automatically appear in the user portal and users have the option to add the application.

11 (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:
- Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.
- Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.
You can also include JavaScript code to identify specific circumstances when you want
to block an application or you want to require additional authentication methods. For
details, see Specifying application access policies with JavaScript.

12 On the Account Mapping page, configure how the login information is mapped to the application's user accounts. The options are as follows:
- Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify user service.
- Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
- Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

    LoginUser.Username = LoginUser.Get('mail')+'.ad';

  The above script instructs the cloud service to set the login user name to the user's mail attribute value in Active Directory and add .ad to the end. So, if the user's mail attribute value is Adele.Darwin@acme.com then the cloud service uses Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see the SAML application scripting guide.

13 (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don't need to edit this script. For more information, see the SAML application scripting guide.
Note: On the Changelog page, you can see recent changes that have been made to the
application settings, by date, user, and the type of change that was made.

14 Click Workflow to set up a request and approval workflow for this application.
The Workflow feature is a premium feature and is available only in the Centrify Identity
Service App+ Edition. See Configuring Workflow for more information.

15 Click Save.

After configuring the application settings (including the role assignment) and the
application's web site, you're ready for users to launch the application from the user
portal.
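
The account mapping script from step 12, as an added example (not Centrify's code): it runs the one-line script from the text beside a guarded variant, showing what the one-liner produces when the mail attribute is missing. `makeLoginUser` is a hypothetical stand-in for the `LoginUser` object the cloud service supplies; its returning `null` for a missing attribute, and throwing to signal a failed mapping, are assumptions of this sketch.

```javascript
// Hypothetical stub for the LoginUser object. Only Username and Get() appear
// in the text; returning null for a missing attribute is an assumption.
function makeLoginUser(attrs) {
  return { Username: null, Get: (name) => (name in attrs ? attrs[name] : null) };
}

// The one-line script from the text, wrapped in a function so it can run here.
function mapNaive(LoginUser) {
  LoginUser.Username = LoginUser.Get('mail') + '.ad';
  return LoginUser.Username;
}

// Guarded variant: try mail, then userPrincipalName, and reject anything that
// is not a plausible address instead of emitting a name such as "null.ad".
function mapGuarded(LoginUser) {
  for (const field of ['mail', 'userPrincipalName']) {
    const value = LoginUser.Get(field);
    if (typeof value !== 'string') continue;
    const name = value.trim();
    if (/^[^\s@]+@[^\s@]+$/.test(name)) {
      LoginUser.Username = name + '.ad';
      return LoginUser.Username;
    }
  }
  throw new Error('no usable mail or userPrincipalName attribute; refusing to map');
}

// Constructed directory entries.
const adele = makeLoginUser({ mail: 'Adele.Darwin@acme.com' });
const noMail = makeLoginUser({ userPrincipalName: 'svc.reports@acme.com' });

console.log(mapNaive(adele));   // Adele.Darwin@acme.com.ad
console.log(mapNaive(noMail));  // null.ad
console.log(mapGuarded(noMail)); // svc.reports@acme.com.ad
```

With the one-liner, every user who lacks a mail attribute is mapped to the same literal name, so the guard matters wherever that attribute is not guaranteed to be populated.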


Configuring Tableau Online on its web site


To configure Tableau Online for SSO:

1 In your web browser, go to the following URL and sign in with your administrator account credentials:
https://auth.tableausoftware.com/user/login

2 Select the site you want to configure for SSO and then select Settings > Authentication.

3 On the Authentication page, select Single sign-on with SAML.

4 Import metadata from the Identity Provider, then click Apply.

5 Click Test Login. Tableau Online's SSO User Details page appears in a new browser window if you are currently logged in to Cloud Manager.
If you are not logged in to Cloud Manager, enter your login credentials.
Note: If you encounter an error, verify that your active Cloud Manager user has access to
the application, then download the IdP metadata again and import it.

6 Close the SSO User Details page.

7 In Match assertions > Display Name, select Full name, then click Apply.

8 Select existing Tableau Online users, or add new users that you want to approve for SSO.
Note: As soon as you change authentication method of users to SSO, these users
(including active Server or Site Administrators) are forced to log out from Tableau
Online to begin using SSO.
Note: Centrify recommends having at least one Server or Site Administrator account that
does not use SSO for authentication due to the risk of lockout. If all administrators are
locked out, you can contact Tableau Online Support to either disable SAML or change
one of your administrator users to use the Tableau Online ID authentication method.

9 Click Save and Enable to save the configuration and enable single sign-on.

For more information about Tableau Online


For more information about configuring Tableau Online for SSO, contact Tableau Online
Support:
http://www.tableau.com/support/tableau-online-services
