You don’t want your users to log into Salesforce only to find a Tableau login screen where the dashboard is supposed to be. To avoid this, once your dashboards are embedded, you’ll want to set up single sign-on across the two applications. The legacy way of doing this with Tableau Server requires several steps to set up trusted authentication between your identity provider, Salesforce and Tableau. The goal of this article is to answer the same. This method takes advantage of Tableau's SAML authentication capabilities to establish single sign-on (SSO).
Alright, let's get started!
Simplified SAML architecture
A person accesses Salesforce and inputs their username to log in.
The Salesforce platform initiates the authentication procedure and forwards the request to the designated identity provider.
The identity provider then asks for additional information from the user and verifies their identity.
Upon successful authentication, the identity provider sends a SAML success response back to Salesforce.
The person is then able to navigate to a page featuring a Tableau dashboard.
Salesforce passes along the SAML success response to Tableau,
Tableau confirms the user's permission to view the dashboard and presents it.
In order to make all the above work, you will need to do a little setup in Tableau and Salesforce.
Step 1: Add SSL certificate and key
Encryption of HTTP traffic via SSL certificates is necessary. To set it up, we would need to upload an SSL certificate file (.crt) and an SSL certificate key file (.txt).
The Next Step will be a part of the Salesforce configuration.
Step 2: Enable the Identity provider
To activate Salesforce as an Identity Provider (IdP), navigate to the "Identity Provider" option within the "Setup" app. Then, enable the IdP by checking the relevant box. To set up the certificate, you have the option of using the available self-signed certificate or creating a new one.
After enabling the IdP, you will be directed to a page with its description. At the top of the page, click the "Download Metadata" button to obtain the necessary configuration for Tableau Server. The downloaded file will have a distinctive name, but for the purposes of this guide, it will be referred to as "Salesforce-SAML-Metadata.xml."
At the bottom of the page, locate the "Service Providers" section. Here, you will find a link to create a new connected app.
The next step involves setting up SAML for Tableau.
Tableau offers SAML configuration for either the entire Server or for specific sites. For this guide, we will configure a Server-wide SAML for single sign-on.
Step 3: Create a User
When setting up SAML for single sign-on, the authentication process will use a user login from Salesforce. Therefore, it's important to create the corresponding user on Tableau Server prior to the SSO start. To ensure a successful login, make sure to create the Tableau user with the same username as in Salesforce.
Step 4: Place Metadata, Certificate, and Key file in Tableau Server Directory
In the previous step, you should have downloaded the metadata file "Salesforce-SAML-Metadata.xml." Copy this file to the folder "C:\Program Files\Tableau\Tableau Server\SAML" (create this folder if it doesn't exist). To configure Tableau Server for SAML, you will need the certificate files (.cert and .key) from the IDP (Salesforce). Place these certificates and key files in the same location as the metadata file.
Step 5: Configure SAML on Tableau Server
To complete this step, sign in to the Tableau Server Manager using a browser. Then, go to the "Configuration" tab, select "User Identity and Access," and choose "Authentication Method." From there, select SAML as the authentication method.
After selecting SAML, enter the Tableau Server URL in the "Tableau Server return URL" field, such as "https://tableau-server." Next, specify the SAML entity ID. You can use the Tableau Server URL in this field as well. Finally, upload the SAML certificate and key files provided by the IDP, and enable the "SAML Authentication" checkbox.
After entering the above information, you will need to download the generated XML metadata file. This file will contain the necessary details to recover the ACS URL and EntityID, which will be shared with Salesforce.
Additionally, to allow users to sign out after signing in with SAML (single logout or SLO), you will need to provide a SAML sign-out redirect URL on the Tableau Server. To enable this, the IDP must be configured with a SAML Logout endpoint that sends a POST request to the following URL: "https://<tableau-server>/wg/saml/SingleLogout/index.html."
Once you have completed all the necessary configurations, select "Save Pending Changes" at the bottom. This will prompt a pop-up window at the top of the page. From there, choose "Pending Changes" and click "Apply Changes and Restart." This will restart the server and will take around 20 minutes to complete.
To create a Connected App in Salesforce, you will need a few attributes from the Tableau Server. These can be obtained from the Tableau Metadata file. Open the metadata file and search for the entityID and location within it. The entityID refers to the EntityID, and the location refers to the ACS URL.
The required attributes should look similar to the following:
Entity ID = "https://www.sftableau.xyz.com",
ASC URL ="https://www.sftableau.xyz.com/wg/saml/SSO/index.html"
Next, we will move back to Salesforce to create a connected app.
Step 6: Create a Salesforce Connected App
To create a Connected App in Salesforce, you need to go to the "Identity Provider" option using the Quick Find search. Then, under the "Service Providers" section at the bottom of the page, click the link to create a new connected app.
On the screen for creating a new connected app, enter the basic information fields marked in red, such as the app name, API name, and contact email.
Under Web App Settings, click Enable SAML checkbox.
Enter the Start URL, by default which is the Tableau Server URL.
Enter Entity ID and ACS URL from the Tableau server in the required fields.
In the IDP certificate, from the dropdown, select the same certificate that has been shared with Tableau Server.
Keep the Signing Algorithm for SAML messages as SHA256.
To automatically log out users from Connected App when logged out of Salesforce, Enable Single Logout.
In the Single Logout URL, enter the same SAML sign-out redirect URL entered on Tableau.
For Single Logout Binding, choose HTTP POST.
Finally, Save the changes on the Connected App page.
This creates a Connected App for SAML integration with Tableau Server.
Step 7: Test Connection
Open Tableau in your web browser, and that should be redirected to Salesforce to log in. Make sure the usernames should match in both Salesforce and Tableau.