Tableau Server auth with SAML on Azure AD

Andrija Marcic
5 min read · Apr 8, 2020

Internal and External users (B2B)

SAML is an authentication method I see often when I work with my customers, and many of them use Microsoft Azure AD as their identity provider.

In this article, I will cover an end-to-end scenario showing how to set up server-wide SAML for an environment that stores its users in Tableau's own identity store.

Tableau and Microsoft have both written articles on how to set up their own part of the configuration, but very few have covered an end-to-end deployment in one go.

Pre-requisites

HTTPS must be configured on Tableau Server before you can authenticate using SAML with Azure AD.

Deployment

Follow the steps below to set up SAML authentication on Tableau Server together with Azure AD.

Tableau Server

1. Log in to the Tableau Server TSM console (below is the URL of the Tableau Server TSM console that I use in my example)

https://tableau.mylab.net:8850

2. Go to Configuration / User Identity & Access / Select SAML in the Authentication Method drop-down

3. Check the Enable SAML authentication for the server box

4. Type the URL of your Tableau Server into the Tableau Server return URL box (below is the URL of the Tableau Server site that I will be using in my example)

https://tableau.mylab.net

5. Type in a unique SAML entity ID; this is the identifier Tableau Server presents for itself when it talks to Azure AD

(below is my example)

tableau_prod

6. Upload your SAML certificate (.crt file)

7. Upload your SAML key file (.key file)

There are many different ways of creating self-signed certificates. In the example below I will be using openssl to create my SAML certificate (.crt) and key (.key) files. If you want to use a different method, please read Rory Brabrok's article Generating self-signed certificates.

Example of how to create the .crt & .key files:

openssl genrsa -des3 -passout pass:x -out server.pass.key 2048      # 2048-bit RSA key, protected with the throw-away passphrase "x"
openssl rsa -passin pass:x -in server.pass.key -out server.key        # strip the passphrase so Tableau Server can load the key without prompting
openssl req -new -key server.key -out server.csr                      # certificate signing request; openssl prompts for the subject fields (e.g. Common Name)
openssl x509 -req -sha256 -days 3650 -in server.csr -signkey server.key -out server.crt   # self-sign it: SHA-256 certificate valid for 10 years

8. Press Download XML Metadata File

(In my example the XML file produced by the Download action is named as shown below)

Tableau Server SAML.xml

Microsoft Azure

9. Log in to your Azure portal and navigate to Azure Active Directory / Enterprise Applications.

10. Select Create New Application and search for Tableau Server

11. Fill in a unique name and click Add

(In my example I used the name shown below)

Tableau_Server_Production

12. Go back to Enterprise Applications and select the Application that you created in step 11 (Tableau_Server_Production)

13. Select Setup single sign-on

14. Select Upload metadata file and upload the file that you created in step 8

(In my example the XML file is named as shown below)

Tableau Server SAML.xml

15. Confirm that Identifier (Entity ID) and Sign on URL are filled in correctly

16. Change the Value for the Claim name username from user.onpremisesuserprincipalname to user.userprincipalname

user.userprincipalname works if you are authenticating internal users only, but in a B2B setup where you add Azure AD guest users I recommend replacing user.userprincipalname with user.mail, because Azure AD rewrites a guest's UPN into a tenant-internal form that will not match the name the user is known by in Tableau.

See the example below:

17. Click Download under SAML Signing Certificate/Federation Metadata XML

(In my example the SAML signing certificate Download action produced the file below)

Tableau Server Production.xml

18. In the Azure portal go to Users and Groups for the Tableau application that you created in step 11 (Tableau Server Production) and add the user(s) that will be using Tableau, or add an Azure AD group that contains the users.

Important

Users will not be able to log in to Tableau if they have not been granted access to the Tableau Server Production application.

Tableau Server

19. Go back to your Tableau Server and continue where you left off in step 7.

20. Under Upload your IdP metadata XML file, click Select File and select the file that you downloaded in step 17.

(In my example the XML file is named as shown below)

Tableau Server Production.xml

21. Leave the information below as it is

22. Apply pending changes on the Tableau Server

23. Go to your Tableau Server URL; you should now be redirected to the Azure AD sign-in page. Fill in your username and password and you should have access to Tableau Server.

https://tableau.mylab.net
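Before applying pending changes (step 22) it is worth checking that the two metadata files exchanged in steps 8 and 17 agree with what was typed into TSM in steps 4 and 5. The script below is an added example, not part of the article or of Tableau's or Microsoft's tooling; both metadata documents are constructed stand-ins (the ACS path and the tenant id are assumptions), so point it at your own downloads.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the SP metadata downloaded in step 8 ("Tableau Server SAML.xml").
# The ACS path is assumed; take the real one from your own download.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="tableau_prod">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tableau.mylab.net/wg/saml/SSO/index.html" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the IdP federation metadata downloaded in step 17; tenant id is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_metadata(sp_xml, idp_xml, entity_id, return_url):
    """Compare both files against what was typed into TSM (steps 4 and 5); return a list of problems."""
    problems = []
    sp, idp = ET.fromstring(sp_xml), ET.fromstring(idp_xml)
    if sp.get("entityID") != entity_id:
        problems.append(f"SP entityID is {sp.get('entityID')!r}, expected {entity_id!r}")
    acs = sp.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    acs_url = acs.get("Location", "") if acs is not None else ""
    if not acs_url.startswith("https://"):
        problems.append("ACS URL is not HTTPS (HTTPS is a prerequisite for SAML on Tableau Server)")
    if not acs_url.startswith(return_url.rstrip("/") + "/"):
        problems.append(f"ACS URL {acs_url!r} does not live under return URL {return_url!r}")
    cert = idp.find("md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        problems.append("IdP metadata carries no signing certificate; Tableau cannot verify assertions")
    sso = idp.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if sso is None or not sso.get("Location", "").startswith("https://"):
        problems.append("IdP single sign-on URL is missing or not HTTPS")
    return problems
```

An empty list means the entity ID, return URL and IdP signing material line up; anything else is worth fixing before step 22, since a mismatch surfaces only as a failed redirect at step 23.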

Now some of you might be wondering what the username should look like for SAML to work with Azure AD. For an Azure AD user named John Green with the username johng@mylab.onmicrosoft.com to be able to log in to Tableau, a user named johng@mylab.onmicrosoft.com must exist on the Tableau site, and that user must be assigned a site role (Creator, Explorer or Viewer) in order to log in to the site.

Azure AD user properties

Tableau User

Tableau user Properties

What about Azure B2B users?

For an external user named Lisa Right with the email address lisar@otherlab.com to be able to log in to Tableau, she would need the following:

  1. Add the user lisar@otherlab.com as Guest user to Azure AD
  2. Give lisar@otherlab.com permissions to the Azure Enterprise Application that you created in step 11.
  3. Add lisar@otherlab.com to a Tableau site
  4. Assign a site role (Creator, Explorer or Viewer) to lisar@otherlab.com
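The two cases above (John Green as an internal user, Lisa Right as a B2B guest) come down to one rule: the value Azure AD puts in the username claim must equal a Tableau user name that holds a site role. The script below is an added example, not code from the article; the users, roles and assertion fragments are constructed, the claim name username is the one from step 16, and the guest UPN follows the <local>_<domain>#EXT#@<tenant> form Azure AD gives B2B guests.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed Tableau site: user name -> site role. Only users with a role can sign in.
TABLEAU_SITE_USERS = {
    "johng@mylab.onmicrosoft.com": "Creator",   # John Green, internal user
    "lisar@otherlab.com": "Explorer",           # Lisa Right, B2B guest
}

# Constructed Azure AD user objects. Azure AD rewrites a guest's UPN into the
# <local>_<domain>#EXT#@<tenant> form, while the mail attribute keeps the address she is known by.
AZURE_USERS = {
    "John Green": {"userprincipalname": "johng@mylab.onmicrosoft.com",
                   "mail": "johng@mylab.onmicrosoft.com"},
    "Lisa Right": {"userprincipalname": "lisar_otherlab.com#EXT#@mylab.onmicrosoft.com",
                   "mail": "lisar@otherlab.com"},
}


def username_claim(user, claim_source):
    """Build the AttributeStatement Azure AD sends when the 'username' claim maps to claim_source."""
    value = AZURE_USERS[user][claim_source]
    return ('<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:Attribute Name="username"><saml:AttributeValue>{value}</saml:AttributeValue>'
            '</saml:Attribute></saml:AttributeStatement>')


def tableau_sign_in(assertion_xml):
    """Model the check the article describes: the claim value must equal an existing Tableau user
    name and that user must hold a site role. Returns 'ok: ...' or 'rejected: ...'."""
    root = ET.fromstring(assertion_xml)
    name = None
    for attr in root.findall("saml:Attribute", SAML_NS):
        if attr.get("Name") == "username":
            name = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS)
    if not name:
        return "rejected: no username claim in assertion"
    role = TABLEAU_SITE_USERS.get(name)
    if role is None:
        return f"rejected: no Tableau user named {name!r} with a site role"
    return f"ok: {name} signed in as {role}"
```

Running Lisa through user.userprincipalname is rejected because the rewritten guest UPN matches nothing on the site, while user.mail yields her Tableau user name; John works either way because his UPN and mail address coincide.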

I hope this article helped you and that you now have fully functioning SAML authentication on your Tableau environment.

Below is an overview of what goes where from Tableau into Azure AD and the other way around.

What goes where
