Matthew Orr
Curator Engineer
November 23, 2022
When talking about SAML single sign-on (SSO) and Curator, there are several moving parts that all need to be working in order to have a seamless flow. These moving parts include your SAML identity provider (IdP), Curator and usually one or more of your analytics platforms (Tableau, ThoughtSpot, etc.). When setting up Curator to work with SAML, it can sometimes be tricky to identify which of these moving parts is the cause of an issue and which one needs to be fixed. You can go through the effort to ask each of them, but don’t be surprised if they all act innocent and point fingers and the others to pass the blame.
Typically, setting up Curator is as easy as importing your metadata from your SAML IdP (Okta, OneLogin, Ping, Azure Active Directory, etc.), so this blog post will focus on troubleshooting the information the IdP is sending to Curator during the login flow. Issues are frequently caused by the IdP sending the usernames in a non-standard field, or by the IdP sending the usernames in a format that differs from what Curator expects. Being able to see this communication between your IdP and Curator can highlight those differences. The good news is that you won’t run afoul of wiretapping laws if you follow the guide below.
The first step to being able to view the SAML responses is to install a browser plugin that captures that specific communication between the IdP and Curator. Two of the most popular browser plugins are provided here.
Google Chrome
SAML Chrome Panel plugin. This adds a “SAML” tab to your browser’s developer tools.
https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace
Mozilla Firefox
SAML-tracer plugin. This adds an icon to your toolbar to start it tracking SAML communication.
https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
If you can’t install a browser plugin, you can use Curator’s SAML debug mode as an alternative. To turn this on, go to Backend >Settings >Security >Authentication Settings >SAML Advanced section. Instead of being able to see the responses immediately in your browser, you’ll need to check Curator’s event log (Backend >Settings >Logs >Event Log).
The SAML response will be in XML format, which might be daunting at first, but you can ignore the bulk of the code and just look for your username somewhere in the middle of all of that.
By default, Curator will look for “username” and “NameID.” If you need to use something else, configure it in your Curator SAML settings in the Custom User Identifier Field setting.
If there’s a username format mismatch, you should be able to send a different format from your IdP to match Curator. Alternatively, you can use Curator’s username mapping functionality to bridge the gap, like a helpful translator when urgently asking for the restroom in a country where you don’t know the language and serves lots of extremely spicy food that is abruptly in a rush to part ways with your GI tract … or some other more pleasant analogy.
To learn more about Curator’s username mapping functionality, check out this link:
https://curator.interworks.com/page/curatornewfeaturespotlightusernamemapping
Recently, Tableau has been encouraging the use of connected apps for external applications, instead of using trusted tickets. All of Tableau’s recent embedding features require connected apps. Since this only deals with behind the scenes authentication, there is no impact to the end user. In our effort to remain closely aligned with Tableau, Curator is transitioning to only using connected apps.
Curator has added the feature to be able to send mark commenting data to a webhook. With the widespread use of API integration platforms, this really opens the doorway to virtually unlimited use cases.
If you’ve got users reporting access issues, your first stop on the road to resolution should be the User Menu Access button. This feature gives you a snapshot view of any given user’s current menu structure, as well as their permissions status for all the content within that menu.