User accounts between servers and other user questions

Trying to set up SSO using SAML between our app and our tableau server. I believe I read that the user names and passwords have to match between our app, the tableau server and the uses on auth0. Does this mean we need to know all our users’ passwords so we can create matching account on auth0? That doesn’t seem right. Also, we do not use email addresses for our user names. When I set up a user on auth0 it has fields for both email and username. Will username be used for SSO validation? That does not appear to be case sensitive - I added a user with name Demo and it displays in the dashboard as demo. Can this be made case sensitive? Also, I do not want to put my user’s email addresses into auth0 as then they will get a confirmation email and I want the SSO to be behind the scenes to them.

I am very new to SSO, so if someone can educate me on this I would greatly appreciate it.

In SSO between two application imply that the user identity is validated and maintained by an additional system generally referred to identity provider (IdP). This would allow for the following flow:

  1. User X accesses App K which asks the IdP to validate the identity of the user.
  2. The IdP validates the identity of the user, for example, by requesting a username and password.
  3. The IdP returns an assertion/token to App K proving the identity of the user.
  4. User X accesses App L which asks the IdP to validate the identity of the user.
  5. The IdP already has an active session for this user so it immediately returns an assertion/token to App L proving the identity of the user.

The above means the user accesses two applications while only having to actively authenticate one time.

In your specific scenario App K is your own application, App L is Tableau server and the IdP will be your Auth0 account. The implementation will then be constrained by what the client application expect:

  • Tableau server expects that the IdP sends a SAML assertion containing an attribute that uniquely identifies the user and also matches a user already configured at Tableau itself.
  • Your application will also expect certain requirements, but you did not mention them.

In order to achieve the above, one possibility would be the following:

  • create a database connection in Auth0 to represent the end-users; you could consider configuring it as a custom database if you already have user credentials at your own store and you’re not interested in forcing users to reset their passwords.
  • configure a client application to represent Tableau; this would use the SAML addon so that Auth0 would know that it should send a SAML assertion to Tableau. You would have to configure the addon in accordance with Tableau requirements, so you would need to check their docs.
  • configure a client application to represent your own application; you would have to implement authentication for your client application also through Auth0 (in order to get SSO), but your could a different authentication protocol like OpenID Connect instead of SAML.

In relation to your questions, you can completely disable welcome and verification emails from being sent from your Auth0 account so this would allow you to provide emails for your users without having to worry about emails being sent. If you used a custom database the same set of users already available in your store would be the ones allowed to login. If you used a normal database connection you would need to create the users in Auth0 so that the process is transparent to the end-users, but you could this in one go through the Management API.

The biggest challenges would be that usernames are not case sensitive and to my knowledge this is not configurable. In addition, the email is required so if you don’t have users email in your store this would also require some consideration.

Thanks for the detailed and informative reply.