
Configure SAML with OneLogin

If you use OneLogin as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for your Tableau Online site.

These steps assume that you have permissions for modifying your organization’s OneLogin portal, and you are comfortable reading XML and pasting values into attributes.

Note: These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.

Get the Tableau Online metadata

  1. Sign in to your Tableau Online site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, select Enable an additional authentication method > SAML.

  3. In Step 1, click Export metadata and save the metadata file to your computer.

You will need to have access to this file and the Tableau Online Authentication page when you configure the OneLogin connector.

Add a connector to your OneLogin portal

  1. In a web browser, sign in to your OneLogin portal as an administrator, and select Apps > Add Apps.

  2. On the Find Application page, search for Tableau, and in the results, select Tableau Online SSO.

    In this area you configure the SAML connection.

  3. On the Info page, set up your portal preferences.

  4. On the Configuration page you use information from Step 1 on the Settings > Authentication page in Tableau Online.

    1. For Consumer URL, on the Authentication page, select and copy the Assertion Consumer Service URL (ACS).

      Come back to the OneLogin page and paste that URL into the Consumer URL field.

    2. For Audience, paste the Tableau Online Entity ID from the Authentication page.

  5. On the Parameters page, make sure the values appear as follows:

    Tableau Online field    Value
    Email                   Email
    Email (attribute)       Email
    First Name              First Name
    Last Name               Last Name
  6. Return to the Tableau Online Authentication page, and for step 5 Match assertions, set the values in the IdP Assertion Name column as follows:

    • Email: Email

    • Select the First name, Last name radio button.
    • First name: firstname
    • Last name: lastname

Configure OneLogin metadata for Tableau Online

For these steps you will find and configure OneLogin information that you will take back to Tableau Online to complete the SAML configuration.

  1. On the SSO page, select and copy the URI shown in the SLO Endpoint (HTTP) field.

    Note: Although the label indicates HTTP, the URI provided is an https address, because the SLO (single logout) endpoint uses SSL/TLS encryption.

  2. On the same page, select More Actions > SAML Metadata, and save the file to your computer.

  3. Open the metadata file in a text or XML code editor, and within the IDPSSODescriptor element, add the following new element:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="slo-endpoint-https-uri-goes-here"/>

  4. For the Location attribute of the new element, within the quotation marks, paste the SLO endpoint value you copied in step 1 of this procedure.

    The following image shows a sample, with the new element highlighted in yellow, and using a placeholder 123456 in the Location value.

  5. Save the metadata file.

    You will import this file to Tableau Online in the next section.
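The edit in steps 3 and 4, scripted as an added example (not Tableau or OneLogin code): it rejects an SLO URI that is not https and places the new element where the SAML 2.0 metadata schema orders it inside IDPSSODescriptor. The sample metadata, the idp.example.test host and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Children the SAML 2.0 metadata schema places after SingleLogoutService.
AFTER_SLO = {f"{{{MD}}}{name}" for name in (
    "ManageNameIDService", "NameIDFormat", "SingleSignOnService",
    "NameIDMappingService", "AssertionIDRequestService", "AttributeProfile")}

# Constructed sample metadata (placeholder host and ID, not real OneLogin output).
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml/metadata/123456">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/123456"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def add_slo_endpoint(metadata_xml: str, slo_uri: str) -> str:
    """Return the metadata with an HTTP-Redirect SingleLogoutService element."""
    parts = urlsplit(slo_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SLO endpoint must be an absolute https URI")
    ET.register_namespace("", MD)  # keep the metadata namespace as the default
    ET.register_namespace("ds", "http://www.w3.org/2000/09/xmldsig#")
    root = ET.fromstring(metadata_xml)
    idp = next(root.iter(f"{{{MD}}}IDPSSODescriptor"), None)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor element")
    slo_tag = f"{{{MD}}}SingleLogoutService"
    for existing in idp.findall(slo_tag):
        if existing.get("Binding") == REDIRECT:
            existing.set("Location", slo_uri)  # re-running updates, never duplicates
            return ET.tostring(root, encoding="unicode")
    children = list(idp)
    # Insert before the first element that must follow it; otherwise append.
    index = next((i for i, c in enumerate(children) if c.tag in AFTER_SLO), len(children))
    idp.insert(index, ET.Element(slo_tag, {"Binding": REDIRECT, "Location": slo_uri}))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_slo_endpoint(SAMPLE, "https://idp.example.test/slo/123456"))
```

If the exported metadata carries a ds:Signature element, any edit to the file, by hand or by script, invalidates that signature.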

Complete the SAML configuration

  1. On the Tableau Online Authentication page, for step 4, import the OneLogin metadata file you saved in the previous section.

  2. Because you completed step 5 earlier, you can skip to steps 6 and 7, adding SAML users to your site and testing the connection.

(Optional) Enable iFrame embedding

When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure OneLogin to allow your OneLogin dashboard to be embedded into an inline frame (iFrame) on another site. Inline frame embedding may provide a more seamless user experience when signing on to view embedded visualizations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Server when browsing to pages that contain an embedded visualization.

Caution: Inline frames can be vulnerable to a clickjack attack. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Online, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings. For more information about clickjack attacks, see Clickjacking on the Open Web Application Security Project website.

  1. Open a new browser tab or window, and sign in to your OneLogin Administrator Portal.

  2. On the Settings menu, click Account Settings.

  3. On the Basic page, in Framing Protection, select the Disable Framing Protection (X-Frame-Options) checkbox.