How to configure Tableau SAML SSO with Salesforce Identity (and some key gotchas)

The process to configure Salesforce as Single Sign-on IdP for Tableau Online (or Tableau Server) can be super frustrating and difficult to debug.

In this short video, you’ll see a step-by-step and the main gotchas you might encounter when trying to integrate this method of Authentication to your Tableau Online and Salesforce Connected App.

You’ll also see in acton some of the tools I use to troubleshoot eventual SAML configuration errors. Namely these are:

The official Guide from Tableau on how to configure this can be found here.

Some additional gotchas worth noting (not all mentioned in the video):

a) Tableau Online now requires messages to be signed with SHA-256 hash algorithm, as opposed to SHA-1. Make sure to configure your IdP (SF SAML config) to use SHA-256. Salesforce launched this feature on the Winter ’21 release and fixed a related bug in early January 2021.

b) When embedding Tableau views, make sure to enable the following two settings (Authenticate using an iframe and set the default authentication type for embedded views to be SAML):

c) If you are running into CSP (Content Security PoLicy) issues, note that Salesforce Winter ’21 has some new security ‘enhancements’ that now will require you to whitelist your Tableau Server/Online/Public if you are embedding into SF. The Tableau LWC embed component was patched in early October 2020, so if it has been installed from the AppExchange, you should have received the update automatically. NOTE: The LWC patch only addresses the domain, so it fixes Tableau Online and Tableau Public. If you are still having an issue or has a Tableau Server, you might need to do the following:

  • In Salesforce go to Setup, Security, CSP Trusted Sites
  • Add an entry for https://* (this will whitelist Online and Public).
  • For Tableau Server add an entry for the server = https://*.{Tableau Server Domain}. The * is a wildcard to capture all entries with that domain.

d) Integration with Tableau Server is not very different:

  • Make sure to enable SSL, even if it is a self-signed certificate. Salesforce will offload to SSL by default, so you’ll be in trouble if not. Note: it’s still technically possible in HTTP, but requires some cumbersome settings on Salesforce side. If you happen to need help installing a Self-Signed cert on your Tableau Server instance (for testing purposes), feel free to follow my quick tutorial.
  • If you plan to use Server-Wide SAML, enable it with the following commands (you can use your self-signed cert here):
tsm authentication saml configure --idp-entity-id <tableau-server-entity-id> --idp-return-url <tableau-server-return-url> --cert-file <path-to-saml-certificate.crt> --key-file <path-to-saml-keyfile.key>
  • Here, make sure — idp-entity-id <tableau-server-entity-id> is HTTPS Protocol!

e) Additional steps to enable Site-Specific SAML on Tableau Server:

tsm authentication sitesaml enable
tsm pending-changes apply

All information on Site-Specific SAML can be found here.

Hope this is useful to some of you :D

Data Geek