Introduction
This document explains how to configure and manage Tableau Server SAML integration with the PureAUTH Identity Platform and make Tableau Server authentication passwordless.
Prerequisites
- Must have TSM (Tableau Services Manager) administrator access.
- The Tableau server must be running on HTTPS.
- The SSL certificate and SSL certificate key file must be on the server.
Setup Tableau Server application on PureAUTH
In this step we will add a new Tableau application on N4cer. Follow the steps below:
- Login to https://live.pureauth.io/organizations/dashboard.
- Go to the “Applications” tab on the left pane.
- Click on “Add Application”.
- Select “Tableau” application.
- Enter any application name.
- Select “Primary (Corporate email)” in the dataset for the email field.
- In the “SAML Response Endpoint (ACS URL)” field, enter the following URL for now (it will be replaced later with the value from the SP metadata).
www.example.com
- In the “Audience (Entity ID)” field, enter the following URL for now (it will be replaced later with the value from the SP metadata).
www.example.com
- Click “Add”
Tableau Server SAML Configuration
Tableau server configuration includes uploading the SAML certificate file and SAML certificate key file.
This process requires the SAML certificate file and SAML certificate key file to be stored on the local computer where you access the TSM web interface.
Note: If you use the same certificate files for SSL, you could use the existing SSL certificates and SSL key for configuring SAML.
- Open TSM in a browser.
https://<tsm-computer-name>:8850
- On the “Configuration” tab, select “User Identity & Access”, and then select the “Authentication Method” tab.
- For “Authentication Method”, select SAML.
In the SAML section that appears, complete Step 1 in the GUI, entering the following settings (do not yet select the check box to enable SAML for the server):
- Tableau Server return URL – The URL that Tableau Server users will access, such as https://tableau-server.
Note: Using https://localhost or a URL with a trailing slash (for example, http://tableau_server/) is not supported.
- SAML Entity ID – Enter the Tableau Server URL again here.
- SAML certificate file and SAML key file: Click “Select File” to upload each of these files.
Note: If you use the same certificate files for SSL, you could use the existing SSL certificates and SSL key for configuring SAML here.
After you provide the information required in Step 1 in the GUI, the Download XML Metadata File button in Step 2 in the GUI becomes available.
- Now select the Enable SAML authentication for the server check box above Step 1 in the GUI.
- Click “Download XML metadata file”
Next, update the URLs in PureAUTH that were entered as placeholders in the Setup Tableau Server application on PureAUTH section above.
Replace URLs in PureAUTH
- Open the Tableau metadata file.
- Copy the Entity ID from the metadata and paste it into the “Audience (Entity ID)” field in the Tableau Server application in PureAUTH.
- Copy the AssertionConsumerService Location from the metadata and paste it into the “SAML Response Endpoint (ACS URL)” field in the Tableau Server application in PureAUTH.
- Copy the SingleLogoutService Location from the metadata and paste it into the “SAML Logout Response Endpoint (SLO URL)” field in the Tableau Server application in PureAUTH.
- Click “Save Changes”.
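The three copy steps above can be cross-checked with a short script. This is an added example, not part of the PureAUTH or Tableau documentation; the sample metadata, its endpoint paths and the function name pureauth_fields are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for the XML metadata file downloaded from TSM;
# the endpoint paths are placeholders, not values taken from a real Tableau Server.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://tableau-server">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{POST}" Location="https://tableau-server/example/slo"/>
    <md:AssertionConsumerService Binding="{POST}" index="0" Location="https://tableau-server/example/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def pureauth_fields(sp_metadata_xml):
    """Return (fields, warnings): values keyed by the PureAUTH field they go into."""
    # The file is generated locally by TSM; use defusedxml for untrusted XML.
    root = ET.fromstring(sp_metadata_xml)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")

    def location(tag):
        el = sp.find(f"{{{MD}}}{tag}")
        return el.get("Location") if el is not None else None

    fields = {
        "Audience (Entity ID)": root.get("entityID"),
        "SAML Response Endpoint (ACS URL)": location("AssertionConsumerService"),
        "SAML Logout Response Endpoint (SLO URL)": location("SingleLogoutService"),
    }
    warnings = []
    for name, value in fields.items():
        if not value:
            warnings.append(f"{name}: missing from metadata")
        elif urlparse(value).scheme != "https":
            warnings.append(f"{name}: {value} is not an https URL")
    entity = fields["Audience (Entity ID)"] or ""
    # Assumption: the Entity ID equals the return URL, for which the page says
    # localhost and trailing-slash URLs are not supported.
    if entity.endswith("/") or urlparse(entity).hostname == "localhost":
        warnings.append("Entity ID uses localhost or a trailing slash")
    return fields, warnings
```

Run it against the downloaded file's contents and compare the returned values with what is saved in the PureAUTH application; an empty warnings list means all three values are present and use HTTPS.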
Create IDP Metadata
- Go to https://www.samltool.com/idp_metadata.php
- Copy the IDP “Entity ID” from PureAUTH under the SAML Settings and paste it into the Entity ID field.
- Paste the same into the Single Sign On Service Endpoint (HTTP-REDIRECT) field.
- Copy the IDP “SAML Logout URL” from PureAUTH under the SAML Settings and paste it into the Single Logout Service Endpoint (HTTP-REDIRECT) field.
- Copy the IDP “X.509 CERTIFICATE” from PureAUTH under the SAML Settings and paste it into the SP X.509 cert (same cert for sign/encrypt) field.
Note: Copy the X.509 certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
- Scroll down and click on the “BUILD IDP METADATA” button.
- Copy the IdP metadata and paste it into Notepad.
- In the IdP metadata, change the year in the “validUntil” attribute from 2023 to 2033.
- In the IdP metadata, change the bindings from HTTP-Redirect to HTTP-POST.
- Save the file with the .xml extension, for example tableaumetadata.xml.
Note: Save the .xml file to the same location that holds your SAML certificate and key files.
- In Step 4, click “Select file” to upload the IdP metadata file.
- In Step 5, all the required attributes are already mapped in the application itself, as mentioned in the Setup Tableau Server application on PureAUTH section above.
- For Step 6 in the GUI, select the Tableau applications in which you want to give users a single sign-on experience.
- For Step 6, Copy the IDP “SAML Logout URL” from PureAUTH under the SAML Settings and paste it into the SAML Sign-out redirect field.
- Click “Save Pending Changes” after you’ve entered your configuration information.
- Click “Pending Changes” at the top of the page:
- Click Apply Changes and Restart.
- Congratulations! You are now using Tableau Server passwordless.
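The hand edits made to the IdP metadata above (validUntil, the bindings, the pasted certificate) are easy to get wrong, so the file can be checked before it is uploaded in Step 4. The script below is an added example, not code from PureAUTH or Tableau; the function names, sample URLs and certificate bytes are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_idp_metadata(xml_text, now=None):
    """Return a list of problems in the edited IdP metadata (empty list means OK)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)  # hand-built local file; use defusedxml for untrusted XML
    valid_until = root.get("validUntil")
    if valid_until:
        # Assumes a UTC timestamp such as 2033-05-01T00:00:00Z.
        expires = datetime.fromisoformat(valid_until.rstrip("Z")).replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"validUntil {valid_until} is already in the past")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor element"]
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for svc in idp.findall(f"{{{MD}}}{tag}"):
            if svc.get("Binding") != POST:
                problems.append(f"{tag} binding is {svc.get('Binding')}, expected HTTP-POST")
    certs = idp.findall(f".//{{{DS}}}X509Certificate")
    if not certs:
        problems.append("no X509Certificate element")
    for cert in certs:
        body = "".join((cert.text or "").split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            der = b""
        if not der.startswith(b"\x30"):  # DER certificates start with a SEQUENCE tag
            problems.append("X509Certificate is not base64-encoded DER")
    return problems

def sample_metadata(binding, valid_until):
    """Constructed sample; URLs and certificate bytes are placeholders, not PureAUTH values."""
    cert = base64.b64encode(b"\x30\x82\x01\x0a" + bytes(16)).decode()
    return f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/saml" validUntil="{valid_until}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{binding}" Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="{binding}" Location="https://idp.example.com/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

The certificate check only confirms the element holds base64 DER; it does not validate the certificate itself.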
Test SAML Authentication
- Open a new Incognito window.
- Go to the Tableau Server endpoint: https://tableau-server
- The browser redirects you to the PureAUTH sign-in page.
- Open the AuthVR5 Authenticator application and scan the QR code using the swift login button.
Disable SAML Authentication
- Go to the Authentication Method page in TSM.
- Uncheck the Enable SAML authentication for the server checkbox.
- Click Save Pending Changes and click Apply Pending Changes.