How to configure Tableau SAML SSO with Salesforce Identity IdP (and some key gotchas)

  • In Salesforce go to Setup → Security → CSP Trusted Sites
  • Add an entry for https://* (this will whitelist Online and Public).
  • For Tableau Server, add an entry for the server: https://*.{Tableau Server Domain}. The * is a wildcard that captures all entries with that domain.
  • Make sure to enable SSL, even if it is with a self-signed certificate. Salesforce will offload to SSL by default, so you’ll be in trouble if you don’t. Note: it’s still technically possible over HTTP, but that requires some cumbersome settings on the Salesforce side. If you need help installing a self-signed cert on your Tableau Server instance (for testing purposes), feel free to follow my quick tutorial.
  • If you plan to use Server-Wide SAML, enable it with the following commands (you can use your self-signed cert here):
tsm authentication saml configure --idp-entity-id <tableau-server-entity-id> --idp-return-url <tableau-server-return-url> --cert-file <path-to-saml-certificate.crt> --key-file <path-to-saml-keyfile.key>
  • Here, make sure the value of --idp-entity-id <tableau-server-entity-id> uses the HTTPS protocol!
tsm authentication sitesaml enable
tsm pending-changes apply
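
As an added example (not from the original article), a pre-flight script for the tsm step above: it checks that the entity ID and return URL are HTTPS and that the certificate is unexpired and matches the key, then prints the configure command to run. The function names and sample values are hypothetical, applying the HTTPS check to the return URL is an assumption that follows from the SSL requirement, and the openssl CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks before `tsm authentication saml configure`.
# Function names are hypothetical; tsm itself is never called from here.

# Succeeds only for an https:// URL with something after the scheme.
is_https_url() {
  case "$1" in
    https://?*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Succeeds when the certificate and the private key carry the same public key
# and the certificate has not expired. Requires the openssl CLI.
cert_matches_key() {
  local cert=$1 key=$2 cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1
}

# Prints one FAIL line per problem and returns 1,
# or prints the tsm command to run and returns 0.
saml_preflight() {
  local entity_id=$1 return_url=$2 cert=$3 key=$4 problems=0
  is_https_url "$entity_id" ||
    { echo "FAIL: --idp-entity-id is not https: $entity_id"; problems=1; }
  is_https_url "$return_url" ||
    { echo "FAIL: --idp-return-url is not https: $return_url"; problems=1; }
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "FAIL: certificate or key file is not readable"; problems=1
  elif ! cert_matches_key "$cert" "$key"; then
    echo "FAIL: certificate is expired or does not match the key"; problems=1
  fi
  [ "$problems" -eq 0 ] || return 1
  printf 'tsm authentication saml configure --idp-entity-id %s --idp-return-url %s --cert-file %s --key-file %s\n' \
    "$entity_id" "$return_url" "$cert" "$key"
}

# Usage (constructed sample values):
#   saml_preflight https://tableau.example.com https://tableau.example.com saml.crt saml.key
```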

Should I use SAML or Salesforce for SSO?

As mentioned at the top of the article, there’s now a new option for SSO leveraging OpenID Connect protocol which is WAY EASIER to configure, as opposed to SAML:


