Tableau Server SAML Authentication with KeyCloak

Anthony Alteirac
7 min read · Aug 26, 2020


Sorry, not a super sexy topic, but for sure something we need to make Tableau authentication work against the KeyCloak identity provider. Nothing complex, but a few tips can probably save you some headaches.

Insidiously boosting my audience…

For simplicity, if you don’t have a KeyCloak server yet and still want to test, here’s the fastest way, with the Docker image, easy peasy.

Install KeyCloak Docker image

docker pull jboss/keycloak

docker run -d --name keycloak \
  -p 10001:8080 \
  -v ~/shareplace/keycloakshare:/keycloakshare \
  -e KEYCLOAK_USER=admin \
  -e KEYCLOAK_PASSWORD=password \
  jboss/keycloak

  • -p 10001:8080 maps the externally visible port 10001 to the container; to access the KeyCloak console you’ll use: http://<ip>:10001
  • ~/shareplace/keycloakshare is a folder shared between your Docker container and your host
  • KEYCLOAK_PASSWORD=password: change “password” to your favorite secure password, this will be the password to access the console with user=admin (KEYCLOAK_USER=admin)

Access the KeyCloak console

Go to HTTP://<kc_IP>:10001

WARNING: Do not use “localhost” even if you are local, use the externally visible IP or FQDN, as it will be used when exporting the SAML metadata!!!!

  • Click on “Administration Console”
  • Enter “admin” and the password defined when launching the docker image

Create a New Realm

Do not touch the Master Realm, let’s create a new one. Click “Add realm” from the Master menu:

Enter a Name:

Click the “Create” button:

Create a New User

To create a new user, click “Users” and click the “Add user” button:

WARNING: The “Username” below must be an existing Tableau user (no matter if local or AD)

WARNING: The “Email” is mandatory in Tableau, so ensure you’re putting a valid email!! By “valid email” I mean it has to be syntactically correct, the address doesn’t have to exist for real.

Enter a Username, Email, First and Last Name, click the “Save” button. Now click on the “Credentials” tab and enter a Password:

Uncheck “Temporary” and click the “Set Password” button.

After you have created the new user, let’s test if it works, navigate to:

  • HTTP://<myserverIP>:10001/auth/realms/tableau/account (“tableau” is the realm name, change accordingly if you have used another name, IT IS CASE-SENSITIVE)

Login using the new user’s credentials:

After you have logged in you will be forwarded to the User Account Service page, all good then!

WARNING: If you try to save information here you’ll face an error, it doesn’t matter for our example flow, no worries.

Start SAML setup in TSM

First, let’s check/create/import in Tableau Server the same user we have defined in KeyCloak, remember the user name was “bob”:

Better to have this user as admin so you can add extra users without needing to logout/login.

Second, you’ll need a certificate and key for full encryption.

On the Tableau server, install openssl (google it for Linux or Windows).

Then in Terminal or CMD use the following to generate the .crt and .key files:

openssl genrsa -des3 -passout pass:password -out server.pass.key 2048

openssl rsa -passin pass:password -in server.pass.key -out server.key

openssl req -new -key server.key -out server.csr

HERE ENTER INFO (keep the defaults by pressing Enter, except the last one asking for a name or FQDN, where you can put whatever you want, it’s not needed for our use case)

openssl x509 -req -sha256 -days 3650 -in server.csr -signkey server.key -out server.crt

Now you have “server.crt” and “server.key” on your server (note the path for later).

Go to the TSM web site, Configuration / User Identity & Access:

Navigate to HTTP://<tableauserver>:8850

  • Enter the Tableau return URL: just the Tableau URL (do not forget the port if not 80/443)

WARNING: Check there’s no “/” at the end, this will cause the redirection to fail!!!

  • Enter the SAML entity ID (here “tonytab”, but feel free to change it, with no space…); we’ll use the same name in the KeyCloak client config later
  • Select the file for SAML certificate file (server.crt previously generated)
  • Select the file for SAML key file (server.key previously generated)

WARNING: Tableau doesn’t validate the certificate format at that step

WARNING: Do not check “Enable SAML for the server” yet

  • Download the XML Metadata File by clicking on the button at the bottom:

WARNING: Check the content of the XML, it must include the certificate/key information, otherwise it means your certificate/key are not correct

WARNING: Any future change (if you made a mistake) to the Step 1 values will require re-downloading the metadata file and redoing everything below (after a proper deletion of the previously created KeyCloak “Client”)
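A small script to do the checks above automatically on the metadata file downloaded from TSM: the entity ID matches what you typed, the assertion consumer URL carries no trailing or doubled “/” (the symptom of a return URL ending in “/”), and the embedded X509Certificate is byte-for-byte the one in server.crt. This is an added example, not code from the article or from Tableau; the sample metadata and the “certificate” inside it are constructed (the base64 is not a real certificate) and the ACS path is made up, only the SAML metadata element names are standard.

```python
"""Sanity-check the SAML SP metadata exported from TSM before importing it into KeyCloak.
Added example, not part of the original article."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def pem_body(pem: str) -> str:
    """Base64 payload of a PEM block, with the BEGIN/END lines and whitespace dropped."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    return "".join(line for line in lines if line and not line.startswith("-----"))


def check_sp_metadata(xml_text: str, expected_entity_id: str, server_crt_pem: str) -> List[str]:
    """Return the problems found in the SP metadata (an empty list means it looks right)."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)

    # entityID must be exactly the "SAML entity ID" typed into TSM; the KeyCloak Client ID must match it too
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        problems.append(f"entityID is {entity_id!r}, expected {expected_entity_id!r}")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor element"]

    # ACS locations are built from the Tableau return URL, so a trailing '/' typed there shows up here
    acs_urls = [e.get("Location", "") for e in sp.findall("md:AssertionConsumerService", NS)]
    if not acs_urls:
        problems.append("no AssertionConsumerService endpoint")
    for url in acs_urls:
        if url.endswith("/"):
            problems.append(f"ACS location ends with '/': {url}")
        if "//" in url.split("://", 1)[-1]:
            problems.append(f"ACS location contains a doubled '/' (return URL probably ended with '/'): {url}")

    # The certificate uploaded in TSM must be embedded; compare it with server.crt
    certs = [c.text or "" for c in sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        problems.append("no X509Certificate in metadata: TSM did not accept the certificate/key")
    expected = pem_body(server_crt_pem)
    for cert in certs:
        embedded = re.sub(r"\s+", "", cert)
        try:
            base64.b64decode(embedded, validate=True)
        except ValueError:
            problems.append("X509Certificate is not valid base64")
            continue
        if embedded != expected:
            problems.append("X509Certificate in metadata differs from server.crt")
    return problems


# Constructed sample input: the base64 below is NOT a real certificate, it only has to be the
# same string in server.crt and in the metadata for the comparison to mean something.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed fake DER bytes, demo only").decode()
SAMPLE_SERVER_CRT = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_CERT_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="tonytab">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://tableau.example.internal/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # Prints [] when everything lines up; each finding is one string in the list
    print(check_sp_metadata(SAMPLE_METADATA, "tonytab", SAMPLE_SERVER_CRT))
```

Run it against the real files by reading the downloaded metadata and server.crt into the two string arguments; an empty list is the “all good” you want before creating the KeyCloak client, since any of these findings means going back to Step 1 and re-downloading the metadata.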

Creating a New Service Provider in KeyCloak (“Client” in KeyCloak dialect)

Navigate back to the KeyCloak console:

  • HTTP://<keycloak-server>:10001/auth/admin/master/console/

To create a new client in the Tableau realm, click “Clients” in the menu and then click the “Create” button:

Enter a Client ID (here “tonytab”), select “saml” for the “Client Protocol”, click the “Select file” button and browse to the metadata file downloaded previously from TSM, then finally click the “Save” button.

Leave the “Settings” as they are.

Select “Mappers” tab

Mappers are mandatory to shape the SAML message from KeyCloak to Tableau Server. Tableau Server expects the following information:

  • User Name: the user ID used to map the KeyCloak user to the Tableau user name
  • Email: the email of the user
  • Display Name: a label to show the user name in the Tableau UI

Click the “Create” button on the right:

Enter the following:

WARNING: Everything is case-sensitive!

  • Click “Save”

Create a new one and enter the following:

WARNING: Everything is case-sensitive!

  • Click “Save”

Create a new one and enter the following (NOTE “lastName” with capital N in the property field!!!):

  • Click “Save”

Go back to the Tableau “Realm Settings”:

Click on “SAML 2.0 Identity Provider Metadata” at the bottom

  • Save the file on your disk (let’s say desc.xml), we’ll use it in the next step

Go back to TSM configuration:

Now you can check “Enable SAML authentication for the server”:

Click on “Select File” in Step 4 and choose the file exported in the previous step (desc.xml):

Enter the exact information shown above in “Step 5” (IT IS CASE-SENSITIVE!!)

Remember Username, Display name and Email are the “Mappings” we have defined in the KeyCloak mappers. These are the fields from KeyCloak we map in Tableau to identify the user. The real ID is “username”; the others (email and display name) are mandatory (for useful purposes such as alerting for “email” and showing the name in the portal for “display name”) but are not used for performing the user mapping.
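To make the mapping rule concrete, here is an added example (not code from the article, Tableau or KeyCloak) that reads the attributes out of a SAML assertion and resolves the Tableau user the way the text describes: only “username” identifies the account, the account must already exist, and the email only needs to be syntactically plausible. The attribute names in ATTRIBUTE_MAP, the constructed assertion, the user set and the simplified “@” email check are all assumptions; the attribute names in Step 5 have to be whatever you typed in the KeyCloak mappers, with identical case, which the second run in the block reproduces by emitting “Username” instead of “username”.

```python
"""Resolve a Tableau user from SAML assertion attributes. Added example, not part of the article."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Tableau field -> SAML attribute Name produced by the KeyCloak mapper.
# ASSUMED names: use whatever you typed in the mappers and in TSM Step 5, keeping the case identical.
ATTRIBUTE_MAP = {"username": "username", "email": "email", "displayName": "displayName"}


def assertion_attributes(assertion_xml: str) -> Dict[str, str]:
    """Collect {Attribute Name: first AttributeValue} from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, str] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = attr.find("saml:AttributeValue", NS)
        if name and value is not None and value.text:
            attrs[name] = value.text.strip()
    return attrs


def map_to_tableau(attrs: Dict[str, str], existing_users: Set[str],
                   attribute_map: Dict[str, str] = ATTRIBUTE_MAP) -> Tuple[Optional[Dict[str, str]], List[str]]:
    """Return (fields, problems); fields is None when the user cannot be resolved."""
    problems: List[str] = []
    fields: Dict[str, str] = {}
    for field, saml_name in attribute_map.items():
        if saml_name in attrs:
            fields[field] = attrs[saml_name]
            continue
        # The lookup is exact: an attribute named "Username" does not satisfy a mapping of "username"
        near = [n for n in attrs if n.lower() == saml_name.lower()]
        hint = f" (assertion carries {near[0]!r}: check the case)" if near else ""
        problems.append(f"attribute {saml_name!r} missing{hint}")
    # Only the username identifies the account, and that account must already exist in Tableau Server
    if "username" in fields and fields["username"] not in existing_users:
        problems.append(f"user {fields['username']!r} does not exist in Tableau Server")
    # Email only needs to be syntactically plausible (simplified check; the address need not be real)
    if "email" in fields and "@" not in fields["email"]:
        problems.append(f"email {fields['email']!r} is not a valid address")
    return (fields if not problems else None), problems


def sample_assertion(username_attr: str = "username") -> str:
    """Constructed assertion carrying the three attributes; the Name of the username attribute is a
    parameter so the case-sensitivity failure can be reproduced."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{username_attr}"><saml:AttributeValue>bob</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>bob@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Bob Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


TABLEAU_USERS = {"bob", "admin"}  # constructed: users already present in Tableau Server

if __name__ == "__main__":
    print(map_to_tableau(assertion_attributes(sample_assertion()), TABLEAU_USERS))
    # Same assertion with the attribute named "Username": the mapping fails and the hint points at the case
    print(map_to_tableau(assertion_attributes(sample_assertion("Username")), TABLEAU_USERS))
```

The first call resolves “bob” with his email and display name; the second fails with a single problem pointing at the case mismatch, which is the kind of error you get when the mapper name and the Step 5 value differ by capitalization.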

Commit the pending changes in TSM.

When the server is up and running again, navigate to the regular Tableau URL, you’ll be redirected to the KeyCloak login form, login with the user/password created at the beginning, and REMEMBER this user must already exist in Tableau Server!

If it doesn’t work as expected, you can always go back to TSM (HTTP://<tableauserver>:8850) and uncheck the box “Enable SAML…” to get back to the regular authentication scheme:

You should land on the regular Tableau Home page, CONGRATS!

Side Note for embedded solution (IFrame)

Using SAML in an IFrame requires a few extra points of attention.

On Tableau Server, you need to apply:

tsm configuration set -k wgserver.saml.iframed_idp.enabled -v true

As IFrames are sometimes on a different domain than the top container, you need to ensure KeyCloak is configured properly:

The above settings will allow your main page (here www.alteirac.com) to open KeyCloak pages in an IFrame.

On KeyCloak, if using the Docker image behind a reverse proxy for HTTPS, you need to set the following environment variable:

PROXY_ADDRESS_FORWARDING=true
