Author: Peruri Mohana Satya
This blog explains what Single Sign-On (SSO) is, how it is helpful, and how to integrate Tableau with Okta for SSO, with a step-by-step explanation.
Single Sign-on provides secure authentication for users to access multiple applications and websites using one set of credentials within a single domain.
It is helpful for organizations that deal with a large number of applications to provide a single interface for their employees to access multiple applications.
Federated Identity Management, also known as federated SSO, enables single sign-on to applications across multiple domains and authenticates users through external identity providers.
Okta acts as a SAML (Security Assertion Markup Language) Identity Provider and uses SSO to authenticate users. Some of the primary capabilities of Okta are listed below:
Create, update, and deactivate users
Automatically provision users created in Okta to the target application
Tableau SSO using Okta
1. Sign in to your Tableau Online site as a site administrator. If you do not have an account, sign up to create a new account using the link below. You will get an email to activate your site. Click activate, set password, and sign in.
2. After login, for the SSO implementation, go to the authentication tab under Settings, enable additional authentication methods, select okta.com (SAML), and edit the connection as shown in the image below.
3. Export the XML file that contains the Tableau Online metadata (Export Metadata) and make a copy of the Single Logout URL. In the XML file it appears in a tag attribute similar to the following: Location="https://sso.online.tableau.com/public/sp/SLO?alias=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
4. Copy the Tableau entity ID and ACS URL individually and download the Tableau Online certificate, which is required in later steps.
5. Now go to the Identity Provider (IdP) website, which here is Okta. Log in to your Okta account. If you do not have one, sign up for a free trial account using the link below. You will get an email to activate your account. Click on activate, set password, and log in. https://www.okta.com/free-trial/customer-identity/
6. After login, you can see the Okta dashboard. Under applications, go to applications and click on browse app catalog.
7. Search for the Tableau Online application and click on add.
8. After that, you are redirected to the general settings page. There, enter your application label and click on done.
9. Next, in the sign-on tab, click on edit and select SAML 2.0 as the sign-on method, enable single logout, and upload the Tableau online certificate downloaded in step 4. Open view setup instructions and download IdP metadata for further use.
10. Next, under advanced sign-on settings, paste the Tableau entity ID, ACS URL, and Single Logout URL that you copied in steps 3 and 4 and click on save.
11. Now, on the Tableau Online site, upload the IdP metadata file downloaded in step 9 and click on apply.
12. Under Match attributes, select email as email, display name as first name and last name, and click on apply.
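As an added example (not part of the original blog, and not Tableau's or Okta's own code), the Python script below reads the metadata XML exported in step 3 and returns the entity ID, ACS URL and Single Logout URL that step 10 pastes into Okta, rejecting endpoints that are not HTTPS on the expected host or that carry different site aliases. The sample XML is constructed in the standard SAML 2.0 metadata layout; only the SLO URL pattern comes from this page, and the function name, entity ID path and ACS path are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ALIAS = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # placeholder, as on this page
BASE = "https://sso.online.tableau.com/public/sp"
# Constructed sample in standard SAML 2.0 SP metadata layout (not a real export).
# Only the SLO URL pattern is from the page; entity ID and ACS paths are assumed.
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{BASE}/metadata?alias={ALIAS}">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Location="{BASE}/SLO?alias={ALIAS}"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService index="0" Location="{BASE}/SSO?alias={ALIAS}"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_values(xml_text, expected_host="sso.online.tableau.com"):
    """Return entity ID, ACS and SLO URLs; ValueError on unsafe or inconsistent values."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or sp is None:
        raise ValueError("not SAML service provider metadata")
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    if acs is None or slo is None or not root.get("entityID"):
        raise ValueError("entity ID, ACS or SLO endpoint missing")
    out = {"entity_id": root.get("entityID"),
           "acs_url": acs.get("Location", ""), "slo_url": slo.get("Location", "")}
    aliases = set()
    for key in ("acs_url", "slo_url"):
        url = urlsplit(out[key])
        # Assertions and logout messages must go over TLS to the expected host.
        if url.scheme != "https" or url.hostname != expected_host:
            raise ValueError(f"{key} is not https on {expected_host}")
        aliases.add(tuple(parse_qs(url.query).get("alias", [])))
    if len(aliases) != 1:
        raise ValueError("ACS and SLO URLs carry different site aliases")
    return out


if __name__ == "__main__":
    for name, value in sp_values(SAMPLE_METADATA).items():
        print(f"{name}: {value}")
```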
Configuring Tableau for auto-provisioning of users created in Okta
13. For auto-provisioning of users, in Tableau Online, enable SCIM, copy the Base URL, click on generate a new secret key, and make a copy of it.
Configuring Okta for auto-provisioning of users into Tableau
14. In Okta, go to the Tableau online application and click on the provisioning tab.
15. Click on Configure API Integration. Next, enable API Integration and paste the base URL and API Token copied before (step 13), click test credentials, and save.
16. Next, select the “To app” option in the left side menu, enable all provisioning features, and save them.
17. Similarly, select the “To Okta” option in the left side menu; in user creation and matching, select email matches.
18. Once the connection is successful, users created in Okta are automatically provisioned into the target application (Tableau) without manually adding them.
Creating Users and assigning to Tableau application in Okta
19. In Okta, under the directory, click on people and add users, as shown below. Instead of adding users individually, you can import all users from a CSV file at a time.
20. After creation, users will receive an activation link where they can activate their Okta account and set a password.
21. After that, under application, click on applications, go to Tableau Online, and under the assignments tab, add the application to the users. Check username, select site role, click save and go back.
22. If provisioning is not enabled, users must be manually created in the target application.
23. For that, in Tableau Online, go to the Users tab, click add users and add users by email, select the authentication type as Okta.com (SAML), enter the email address, and select site role. Once users are added, they will receive an invite link to access the site.
24. Once a user clicks on that link, they can enter their Okta credentials and access the respective target application.