SAML user override via groups

  • We are making an integration to Tableau Server thru Okta using SAML.
  • We have a lot of Okta users that will use a single Tableau user/profile (the “public” user).

To achieve this, we are joining each person (who uses the public user) individually to the Application “Tableau Server” with a username override to “public”. This works, but it’s not ideal, since each person must be added individually and the username has to be set for each of them.

We’ve created a Tableau Public group, and attempted to add the group to the Application, this worked ok, BUT we are not able to override the entire group’s username, the application tells us to edit each person individually, so we still need to do this manually one by one.

We’d like to be able to have a checkbox on the group so that the group settings can override the person settings. Thus, the Public group can be added to the Application, force a username override, and all the users on that group will have their username changed to “public” since the group says so.

I’m not sure how to handle when someone is on the same Application via 2 separate groups (ie. Public group + Admin group), it might cause trouble since both will attempt to modify the username, but I guess that a single warning on the override page might suffice, or a priority number (ie. the lowest/highest priority wins)

Have you looked into creating a SWA App where you as the admin set the username and password?
You could have your public user pertain to that specific instance and assign it to a group.
Or you could have a combination of one App within the portal being a SWA App for the pertaining Tableau Public User and a separate one which coincides with your referenced Admin group/users.

Here’s an overview: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Overview_of_Managing_Apps_and_SSO.htm

I use SWA for apps that don’t provide SAML; it basically fills the username/password thru the browser; and that causes the “remember password” popups to be shown. I’d prefer the employees to have no password at all and have them login via SAML

I just need to change the username on the public group, Tableau charges you by user, and we don’t want to pay for each read-only user, we do have some administrator and writer accounts separate from this “public” user.

I see what you mean, I was saying a workaround would be to manually set the username and password of the SWA app for your Tableau Public User requirement. Then assigning the SWA app to your specified users in Okta via group membership. It shouldn’t ask the user for any login info or “remember password” popups. This would utilize a single user rather than the multiple you mentioned.

Jordan, thanks for trying to help, but I’ve made a feature request because I want Okta to change and work in a certain way. I’m sure there are other ways to work around this, but it’s not what I want.

Just to try, I’ve attempted to create an SWA, it does work, but it’s not what I’m asking for.
It fills the username and password on the webpage so you could…

  1. Change your local DNS to send the login page to a mock server hosted on your PC and have the password be shown to you once the form submits.

  2. Modify the original HTML on the webpage via the browser’s inspect feature or a plugin (ie TamperMonkey) so that the password input has a type=“text” and make it viewable once it’s filled.

  3. The same as #2 but using jQuery / javascript on the console, create a function that listens to the login form, and have it show the content on the password filled once the form is submitted

Then, if they quit we’ll be forced to change the password since we can not be certain that they don’t have access to it anymore.

The only secure password is the one that doesn’t exist, when I remove the user from Okta, SAML won’t work anymore for him.

Of course, Okta could choose not to implement this feature if it’s not something they want to do or not as many users want this.
