Issues with setting up SSO with Tableau

Lee Foltz foltz2 at oakland.edu
Tue Jun 13 11:56:28 UTC 2023 

We have done this with other SP's for a custom attribute they want.  We
don't like doing custom attributes, but this works for us.

In the attribute-resolver.xml, you want to do something like this.

<AttributeDefinition xsi:type="Simple" id="username" >
        <InputDataConnector ref="myLDAP" attributeNames="uid" />
        <AttributeEncoder xsi:type="SAML2String" name="username" />
</AttributeDefinition>

or if they need OID with a friendly name.

 <AttributeDefinition xsi:type="Simple" id="username" >
        <InputDataConnector ref="myLDAP" attributeNames="uid" />
        <AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:uid" />
        <AttributeEncoder xsi:type="SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="username" />
 </AttributeDefinition>

Then in attribute-filter.xml release the username to Tableau.  Put the
entityID for Tableau in the value field below.
You can then test with SAML tracer or via shib logs on what is being
released to that SP.

<AttributeFilterPolicy id="Tableau">
           <PolicyRequirementRule xsi:type="Requester" value="
https://tableau.example.com" />
            <AttributeRule attributeID="username">
              <PermitValueRule xsi:type="ANY" />
            </AttributeRule>
</AttributeFilterPolicy>

Hope this helps.

On Tue, Jun 13, 2023 at 6:16 AM Arron Merrill via users <
users at shibboleth.net> wrote:

> Good morning all,
>
> We are having difficulty with setting up a working configuration with
> Tableau (I have seen a similar thread from August 2022). We are releasing
> 'uid', 'mail' and 'displayName'. Tableau is insisting that we need to
> release a new attribute, 'username', containing the uid value.
>
> At first I tried using a transcoding rule specific to Tableau to translate
> the saml2.name of 'uid' to 'username' but Tableau was not accepting this.
>
> From Scott's reply in the earlier thread, mapping a non-mail identifier to
> a custom attribute was the solution. Mapping 'uid' to a custom 'username'
> attribute in the resolver should achieve the desired result?
>
> Kind regards,
> Arron
>
> --
> Arron Merrill - Identity Systems
> IT Services, University of York
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>


-- 
Lee Foltz
Oakland University - UTS
Senior Identity and Access Management Engineer

248-370-2675
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230613/7e4723c8/attachment.htm>

More information about the users mailing list