Configuring Auth0 as SAML SSO Identity Provider for Tableau

Lately I’ve been noticing Auth0 IdP growing in popularity and an increasing number of Tableau customers have been adopting it. That’s no surprise to some of you, as Auth0 is one of the major challengers in the Gartner Magic Quadrant for Access Management (IDaaS - Identity as a Service).

Having said that, a barrier to adoption of Auth0 as an IdP for Tableau is their integration documentation is not very clear and that has discouraged some folks pursuing this integration. Additionally, as of this writing, some of the Auth0 docs refer to SHA-1 encryption, but Tableau Online now enforces SHA-256. Personally, I’ve only managed to get this integration working by following the manual configuration steps which I’m sharing here in this post.

The method below was tested in Tableau Online, but should work similarly with Tableau Server (and may not be the only solution, but one that seems to work flawlessly for me). Let’s go!

1. Go to your Tableau Online or Server instance and fetch the ACS URL and Entity ID

• As an Admin, go to Site Settings > Authentication tab and “Enable an addition authentication method”
• Fetch your Entity Id and ACS URL. We’ll need to enter these values in Auth0

Note: this screenshot apply to Tableau Online SAML and Tableau Server Site-Specific SAML. If you are doing this as Tableau Server Server-Wide SAML, use the TSM web interface or CLI instead.

2. Go Auth0’s Admin Dashboard panel

3. Go to Application > Create New Application. We’ll call it “Tableau Online SSO”

4. On this newly created application go to the Addons tab and Enable SAML2 WEB APP

5. Go to the Settings tab of this SAML2 WEB APP and add the Tableau Online ACS URL you got in step 1

6. Let’s modify the XML settings for this SAML2 Web App. Replace the full XML text with the following, but make sure to set the following parameters (from step 1):

• Audience → Tableau Entity ID
• Recipient → ACS URL
• Destination → Tableau ACS URL

Notice we’ve also changed the encryption algorithm to SHA256.

For the logout callback url part of this xml, we need to grab this from the usage tab, in my case alexeski.eu.auth0.com

Optionally, should you wish to encrypt the SAML requests, please check the configuration instructions at the end of this page.

Make sure to scroll all the way down on the settings tab and enable the xml metadata changes.

7. Under your new SAML2 Web APP, go to Usage tab and download the “Identity Provider Metadata” xml file. We’ll import that back in Tableau on the next step.

8. Back in Tableau SAML config step #4, Import the metadata file and hit apply. You should see all fields getting automatically filled for us and, if you did everything right, click “Test Connection” to confirm a successful SAML integration.

This is how your Tableau step 5 will look like. No need to change anything here as we’ve already configured on the metadata XML to use SAML claims based on the email:

9. Still in Tableau: If you intend to embed visualisations on a third-party portal and use this as SSO auth method, make sure to enable iframe authentication:

Additionally, make sure to set Auth0 SAML as the default authentication method for Embedded Views

Testing the SAML integration

1. In Tableau, go to Settings > Users > Add a new user and set the authentication method to Auth0 SAML

2. Back in Auth0, let’s add a new user there too with the same email address (emails on both systems must match):

3. Now we’re ready to test. Open a new Incognito Browser session, then go to https://online.tableau.com and enter your test email address. You should be automatically redirected to Auth0 to complete the authentication.

After entering my credentials, I’m successfully redirected back to Tableau :D

Additionally, if you’ve decided to embed Tableau on a third party application that uses the same Auth0 SAML Idp, your view should have automatically rendered (i.e. no need to sign-in again on the Tableau frame).

Congratulations! You have successfully configure Tableau Authentication with Auth0 IdP 💪

Encrypting SAML requests (Optional Step)

Should you have a requirement to encrypt SAML requests, here’s how we enable it:

1. Go to Tableau’s SAML config page and download the .cer certificate file. This

2. Auth0 expects a PEM-encoded certificate, so we need to convert our .cer file to .pem. We’ll use openssl for that on the terminal:

openssl x509 -inform der -in <tableau-certificate.cer> -out certificate.pem

3. Use your favourite text editor on the certificate.pem file to replace all the new lines by the “\n” character. The modified signing certificate text we need to add to the Auth0 SAML2 Web App config will look something like this:

4. In Auth0, go back to the SAML2 Web App settings and uncomment the “signingCert” part to add this string:

“signingCert”: “ — — -BEGIN CERTIFICATE — — -\nMIICozCCAgygAwIBAgIGAWjCqMLzMA0GCSqGSIb3DQEBCwUAMGwxOz….

…e9PEGbqBw2cNWsxLvAorZ5w9\n3vxZdJOV2nxyC7QSTTkBdRsZhjB0ULiEBibogzgM1ZkJ/6p1ez3MeGd4LUrevPMk\nAMxD0fdv6Q==\n — — -END CERTIFICATE — — -\n”

Now, simply repeat the steps up above in this document to a) export xml metadata from Auth0, b) import this metadata into Tableau’s SAML config.

All your SAML requests should be encrypted now 😃

Happy days!