SAML on Write-Back Server

Summary

If you are already using SAML authentication in your Tableau Server or Tableau Online, it is possible to configure Write-Back to use it as well.

Preparing for SAML

To set up SAML with Write-Back, you need to configure a trust relationship with your IDP. Write-Back allows one IDP per Write-Back site. For this to work, Write-Back makes some assumptions that must be configured in the IDP; we call these requisites.

If you have multiple sites, each site requires its own application in your IDP.

Requisites

SAML with Write-Back requires that the trust relationship has the following properties:

  • NameID must be configured with the format

    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    
  • The IDP must accept the HTTP-POST binding for the single sign-on service, since this is the only option that works with Tableau from an extension perspective. To check this, open the IDP metadata file and search (with CTRL+F, for instance) for:

    SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

If you can ensure both requisites, proceed with the configuration in Write-Back Manager.
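
The metadata check above can also be scripted. The following is an added example, not part of Write-Back or its documentation; the sample metadata and the idp.example.test URLs are constructed, and the function name check_idp_metadata is hypothetical. It reports whether the IDP metadata offers an HTTP-POST single sign-on endpoint and whether it advertises the emailAddress NameID format.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata (idp.example.test is a placeholder, not a real IDP).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return the two requisite checks plus the HTTP-POST SSO endpoints found."""
    # Metadata is third-party input: refuse DTDs so entity expansion is never parsed.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(xml_text)
    # The descriptor may be a child of the root EntityDescriptor or nested deeper.
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found; is this IDP metadata?")
    post_urls = [
        sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
        if sso.get("Binding") == POST_BINDING
    ]
    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    return {
        "http_post_sso": bool(post_urls),
        "post_locations": post_urls,
        # Advertised formats only; the NameID actually sent is set in the IDP application.
        "email_nameid_advertised": EMAIL_FORMAT in formats,
    }


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA))
```

A missing NameIDFormat entry in the metadata does not by itself mean the requisite is unmet, so confirm the NameID setting in the IDP application as well.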

Configure SAML in Write-Back Manager

Configuring SAML with Write-Back Manager should be pretty straightforward. Start by opening the Manager.

  1. Go to Authentication;
  2. Select SAML from the "Choose Authentication Method";
  3. Click Save Method;
  4. Notice the notification saying you have added the method successfully and need to finish the configuration on the "Configure Sites" page.

Next, move on to Configure Sites:

  1. Click Configure Sites;
  2. Choose the Authentication tab;
  3. Select SAML from the "Choose Authentication Method" dropdown;
  4. Copy the Entity ID for this site;
    1. You will need to place this in your IDP configuration under entity ID or audience ID.
  5. Copy the ACS for this site;
    1. You will need to place this in your IDP configuration under ACS, Reply URL, or similar.
  6. Upload your IDP metadata;
  7. Save the method for this site;
    1. Verify that a new notification pops up stating you've configured the method properly for the site.


Additional Information

If you change the Write-Back site name, you are required to download a new SP file in step 4 of Configure Sites.

Currently, we do not validate the signature of the metadata.

Currently, we only support one Identity Provider per site (we are not doing Discovery of IDPs).


Currently, SAML SSO authorization to Tableau Server using Username and Password isn't supported. A Personal Access Token (PAT) generated in Tableau can be used for that purpose.


Known limitations

  1. SAML through AD FS is not supported. Instead, we recommend that you use SAML through Azure AD (with Enterprise Applications).