This guide takes you step by step through setting up Password-free Multi-Factor Authentication (MFA) and Single Sign-On (SSO) for Tableau.
- Ensure you have the correct access to make changes on your Tableau account. If not, speak to your administrator.
- Download the idenprotect Authentication Portal metadata file in advance by going to https://<your idenprotect Server URL>/idp/metadata and saving the page as an XML file on your PC. To do this, right-click the body area of the web browser and choose Save as.
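A browser "Save as" can store a rendered HTML page instead of the raw XML, so it is worth checking the saved file before importing it into Tableau. The following is an added example, not idenprotect or Tableau code: it confirms the file is SAML IdP metadata and reports the two values Tableau will populate on import. The sample document, its host name and its certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample for the file saved from /idp/metadata (placeholder host and cert).
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/idp/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.test/idp/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(text):
    """Return (summary, problems) for a saved SAML IdP metadata document."""
    if "<!doctype" in text.lower():
        return {}, ["DOCTYPE found: saved page is HTML or carries a DTD"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return {}, [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return {}, [f"root element is {root.tag}, expected md:EntityDescriptor"]
    problems = []
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {}, ["no md:IDPSSODescriptor: this is not IdP metadata"]
    # Map each advertised binding to its endpoint URL.
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if HTTP_POST not in sso:
        problems.append("no SingleSignOnService with the HTTP-POST binding")
    if any(not (loc or "").startswith("https://") for loc in sso.values()):
        problems.append("an SSO endpoint is not served over https")
    certs = [c.text for c in idp.iterfind(".//ds:X509Certificate", NS)
             if c.text and c.text.strip()]
    if not certs:
        problems.append("no signing certificate in the metadata")
    summary = {"idp_entity_id": root.get("entityID"),
               "sso_service_url": sso.get(HTTP_POST),
               "certificates": len(certs)}
    return summary, problems
```

To check a real file, pass its contents: `check_idp_metadata(open("metadata.xml", encoding="utf-8").read())`, where `metadata.xml` is whatever name you saved it under.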
Starting the idenprotect Tableau MFA and SSO Configuration
- Log on to your Tableau portal, go to Settings at the bottom of the left-hand panel and select the Authentication tab.
- You will see the Authentication types. Click Enable an additional authentication method and select SAML. You may need to click Edit Connection… if the rest of the configuration options do not appear. Please note: Tableau authentication cannot be turned off; the SSO aspect is based on users and groups (information on that will follow shortly).
- Under Export metadata from Tableau, click the Export metadata button if you require all of the metadata, or copy the two URLs listed below it (the Tableau Online entity and the Assertion Consumer Service URL). These are needed to configure idenprotect to provide MFA and SSO to Tableau.
Start the Configuration of idenprotect for Tableau
- In the idenprotect Core Platform admin console, navigate to Config, select the Authentication Portal tab and click on Authentication Portal Service Providers.
- On the configuration screen a new service provider will need to be created. The following attributes will need to be added:
  - Name: Please select a name for the service provider (for example, Tableau)
  - Type: SAML
  - Entity ID: https://sso.online.tableau.com/public/sp/metadata?alias=<Tableau generated alias code>
  - ACS: https://sso.online.tableau.com/public/sp/SSO?alias=<Tableau generated alias code>
  - SSO URL: https://sso.online.tableau.com/public/idp/SSO
  - SAML Sign On Binding: HTTP-Post
  - SAML Logout Binding: HTTP-Post
  - Add a logo to the service provider
  - Permitted Authentication Type – Select the authentication technology in use (idenprotect Login is Default)
- Once the details have been added, click Save Service Provider.
- The next screen will show the additional attributes. For now, return to the Tableau portal for the next step of the configuration.
Completing the idenprotect Tableau MFA and SSO Configuration
- In the section Import metadata file into Tableau, select Browse and navigate to where you downloaded the metadata file from your idenprotect Authentication Portal. Click Apply to apply the details of the idenprotect server in Tableau. You will see that both IDP entity ID and SSO Service URL have been populated with your idenprotect details. Click Test Connection to verify the connection. If successful, move to the next step.
- The section Match attributes provides the information that Tableau requires to successfully allow a user to gain access via the idenprotect MFA and SSO service. Note that the NameID needs to be mapped to email and the Display Name also needs to be mapped.
- In the section Embedding options, ensure that Authenticate in a separate pop-up window is enabled.
- In the section Default Authentication Type for Embedded Views, select idenprotect.com (SAML).
- In the Manage users section, add the users and groups that need to use SSO. If adding users, use the Add users link and, on the screen that appears, select the idenprotect (SAML) button if those new users are to use idenprotect MFA and SSO.
- If adding existing users or groups, select the Select users link. On the screen that appears, select the options button at the side of the email address and select Authentication; there you can select or change the SSO settings.
- The Tableau configuration is now complete. Please return to the idenprotect configuration to complete the setup.
Complete the Configuration of idenprotect for Tableau
- The screen that now remains to be configured is the attributes screen. This should still be open from the previous section where you started to configure Tableau for idenprotect. If it has timed out, log into the idenprotect Core Platform admin console, click Config, select the Authentication Portal tab, select the Authentication Portal Service Providers link, find Tableau, click amend, save the service provider settings and you will be at the Attributes screen.
- The additional attributes that are needed to access Tableau are configured here. Both the displayName and NameID attributes need to be given the correct values, taken from LDAP, Active Directory or the idenprotect directory. How to add Attributes can be found here. Both displayName and NameID should be added under the “LDAP Friendly Name” with the correct “SAML Attribute Name” added; for example, if using Active Directory, you will need to map “displayName” with “displayName” and “NameID” with “mail”.
- Once added, click Save SAML Attributes to save the settings.
- You are now ready for testing.
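If a test login is rejected on the Tableau side, the attribute mapping can be checked against the `SAMLResponse` form value that the browser posts to the ACS URL (visible in the browser's developer tools). The following is an added example, not idenprotect or Tableau code; it assumes the mapped NameID arrives in the assertion's Subject and the display name as an attribute named `displayName`, and the sample response is constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed, unsigned sample response; every value in it is made up.
SAMPLE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>jane.doe@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_mapping(saml_response_b64, display_attr="displayName"):
    """Return mapping problems found in a base64 SAMLResponse form value.

    Inspects content only; it does not verify the signature.
    """
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!doctype" in xml_bytes.lower():
        return ["DOCTYPE found: refusing to parse"]
    root = ET.fromstring(xml_bytes)
    if root.find(".//saml:Assertion", NS) is None:
        return ["no plaintext Assertion (error response or encrypted)"]
    problems = []
    name_id = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip()
    if not EMAIL.match(name_id):
        problems.append(f"NameID {name_id!r} is not an email address")
    # Collect non-empty values of the display-name attribute.
    values = [v.text.strip()
              for a in root.iterfind(".//saml:Attribute", NS)
              if a.get("Name") == display_attr
              for v in a.iterfind("saml:AttributeValue", NS) if v.text]
    if not any(values):
        problems.append(f"attribute {display_attr!r} missing or empty")
    return problems
```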
Verify the SSO and MFA
To test the MFA and SSO settings, either use the Tableau URL or your corporate idenprotect URL. You will see the idenprotect login page.
- Enter your email address and click Authenticate.
- Using your chosen method of authentication, authenticate with the service.
- You will then see a Tableau login screen. If you are an SSO user, as soon as you add your email address, the password field will disappear, and you will be logged straight into Tableau.