Tableau SAML + SSL certificates

I’m trying to set up Tableau logins via SAML.

I’ve done everything I would normally do on AWS (create the application, upload the IdP metadata, set up a unique Entity ID using the URL), but Tableau asked me for a certificate and a key, which is new.

Since the Okta application doesn’t provide me with these details, I’ve searched for a while and found that you can create keys and certificates for applications using the API: https://developer.okta.com/docs/reference/api/apps/#generate-new-application-key-credential

The API process went quite smoothly: we generated a CSR, we “self-signed” it with a made-up CA, uploaded the PEM back to Okta, so far so good… but the JWK provided by you only shows me a public key, and Tableau expects a private key instead.

I’ve thought of making my own PEM and KEY files, but I haven’t found any endpoint to upload a KEY file to you, I can only generate new ones.

I’m not sure if I followed the correct procedure, or if something is missing from the guides I’ve followed.

PS: It’s Tableau Server, on-premise on our own servers

Hi @emiliano.perez

Can you please check in your Okta administrative dashboard under Applications >> Tableau SAML application >> Sign On tab >> View Setup Instructions the SAML configuration details to see if these are the ones required by Tableau?

I’d recommend avoiding the RTFM routine entirely (not just here)… despite that, yes, I’ve read the manual. Have you? It doesn’t say where to get these certificates, it only says the following:

SAML certificate and key files— Click Select File to upload each of these files.

Source:

Here’s the guide that I’ve followed to get the certificate and key pair, but again, it only provides public keys instead of private ones: https://developer.okta.com/docs/guides/sign-your-own-saml-csr/overview/

PS: We have Tableau Server 2019.3 at the moment
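Added example, not code from this thread, Okta or Tableau: the Okta application key endpoint only returns public material (the JWK and its x5c certificate chain; Okta keeps the private half), whereas Tableau's SAML setup has the server generate its own certificate and key locally with OpenSSL, so that private key never needs to be uploaded to the IdP. The functions below create such a pair and check that a file is really a private key and belongs to the certificate before it is handed to Tableau; openssl on PATH, the file names and the CN are assumptions.

```shell
#!/bin/sh
# Generate the Tableau-side (SP) SAML signing pair locally and sanity-check it.
# Assumptions: openssl is on PATH; saml.key/saml.crt and the CN are placeholders.
set -eu

# make_sp_keypair DIR: writes DIR/saml.key (private, stays on the Tableau host)
# and DIR/saml.crt (self-signed certificate, safe to publish in SP metadata).
make_sp_keypair() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/saml.key" -out "$dir/saml.crt" \
        -subj "/CN=tableau-sp.example.com" 2>/dev/null
    chmod 600 "$dir/saml.key"
}

# is_private_key FILE: exit 0 only if FILE parses as an unencrypted private key.
# A public-key PEM (what you get from a JWK or x5c) fails this check.
is_private_key() {
    openssl pkey -in "$1" -noout 2>/dev/null
}

# key_matches_cert KEY CRT: exit 0 only if the private key belongs to the
# certificate. Both sides are reduced to the same SubjectPublicKeyInfo PEM.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}
```

Run `make_sp_keypair ./tableau-saml` on the Tableau host, then `key_matches_cert ./tableau-saml/saml.key ./tableau-saml/saml.crt` before uploading the two files in the Tableau SAML settings.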

I’ve tried with a self-signed certificate + private key and it failed, but this time with a different error message apparently not related to the certificate itself:

com.tableau.messagebus.clients.tableauserver.FailsafeSubscriber - Retrying Subscription. Error for: topic=vizportal-commenting-mentions | scalingGroup=CommentingMentionNotifier | tryCount=9 | errorCause:
java.lang.NullPointerException

I think I will switch to SWA for now, but I’d really like to set up SAML to have users without a password and have the access centralized.

Please contact Tableau so they update their guide, or provide a more specific one for Okta in particular.