Configure a Single Logout Using SAML with Okta


Published: 07 Oct 2022
Last Modified Date: 12 Oct 2022

Question

How to configure a single logout on Tableau using SAML with Okta.

Environment

  • Tableau Server
  • Tableau Cloud
  • SAML (Okta)

Answer

For Tableau Server Server-Wide SAML:
1. In Okta, select the Sign On tab for the Tableau Server app, then click Edit.
2. Check Enable Single Logout.
3. Click Browse to select your Tableau Server Certificate for Server-Wide SAML, and upload it to Okta.
4. Click Save.
5. Download your IdP (Okta) metadata XML and open it in any text editor to confirm that the SingleLogoutService element has been added to the metadata.
Example:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxxxxx.okta.com/app/tableau/exxxxxxxx/slo/saml"/>
6. Upload the IdP (Okta) metadata XML you downloaded in Step 5 to your Tableau Server again, via
TSM Web UI > User Identity & Access > Authentication Method > SAML > Step 4 > Select File
7. Restart your Tableau Server via the TSM Web UI or run the tsm command:
tsm pending-changes apply


For Tableau Server Site-SAML / Tableau Cloud:
1. Download your Tableau Server Site-SAML / Tableau Cloud certificate and metadata xml from your site.
2. In Okta, select the Sign On tab for the Tableau Cloud SAML app, then click Edit.
Note: You need to configure Tableau Server Site-SAML using the Tableau Cloud template in Okta.
3. Check Enable Single Logout.
4. Click Browse to select the Tableau Server Site-SAML / Tableau Cloud certificate you downloaded in Step 1, and upload it to Okta.
5. Open the Tableau Server Site-SAML / Tableau Cloud metadata XML you downloaded in Step 1 in any text editor and copy the Location value of the SingleLogoutService element.
Example:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxxxxx/public/sp/SLO?alias=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"/>
6. Paste the SingleLogoutService Location value you copied in Step 5 into the Single Logout URL.
7. Download your IdP (Okta) metadata XML and open it in any text editor to confirm that the SingleLogoutService element has been added to the metadata.
Example:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxxxxx.okta.com/app/tableau/exxxxxxxx/slo/saml"/>
8. Import the IdP (Okta) metadata XML you downloaded in Step 7 to your site again and click Apply.
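
The text-editor check in Step 5 of the Server-Wide procedure and Step 7 of the Site-SAML / Tableau Cloud procedure can also be scripted. The following is an added example, not Tableau or Okta code: it lists every SingleLogoutService element in a metadata file (IdP or SP) and flags a missing element or a Location that is not HTTPS. The function names and the sample entityID are assumptions; the sample Location is the placeholder shown in this article.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace

def slo_endpoints(metadata_xml):
    """Return (role, binding, location) for every SingleLogoutService element."""
    if "<!DOCTYPE" in metadata_xml:
        # SAML metadata never needs a DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(metadata_xml)
    found = []
    for role in ("IDPSSODescriptor", "SPSSODescriptor"):
        for desc in root.iter(f"{{{MD}}}{role}"):
            for slo in desc.findall(f"{{{MD}}}SingleLogoutService"):
                found.append((role, slo.get("Binding"), slo.get("Location")))
    return found

def slo_problems(metadata_xml):
    """List reasons the metadata does not advertise an HTTPS logout endpoint."""
    endpoints = slo_endpoints(metadata_xml)
    if not endpoints:
        return ["no SingleLogoutService element found"]
    problems = []
    for role, _binding, location in endpoints:
        url = urlparse(location or "")
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{role}: Location is not an https URL: {location!r}")
    return problems

# Constructed sample: the article's placeholder Location wrapped in minimal metadata.
# The entityID is a made-up placeholder.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxxxxx.okta.com/app/tableau/exxxxxxxx/slo/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for row in slo_endpoints(SAMPLE):
        print(*row)
    print(slo_problems(SAMPLE) or "SingleLogoutService present, HTTPS Location")
```

To check a real download, read the file's text and pass it to slo_problems() in place of SAMPLE.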

Additional Information

If you want to use the "Sign Out" button on Tableau Server / Tableau Cloud but do not want to enable the Single Logout function, uncheck Enable Single Logout on the Okta side and save the setting again once the configuration is done.
