Configure SAML with Microsoft Entra ID

If you’ve configured Microsoft Entra ID (also known as Microsoft Azure Active Directory (Azure AD)) as your SAML identity provider (IdP), use the information in this topic alongside the Microsoft Entra documentation to add Tableau Cloud to your single sign-on applications.

Notes: 

  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.
  • Beginning February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau Cloud requirement.

Prerequisites

Before you can configure Tableau Cloud and SAML with Entra ID, your environment must have the following:

Step 1: Get started

In Tableau Cloud, do the following:

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, select the Enable an additional authentication method tick box, select SAML and then click the Configuration (required) drop-down arrow.

    Screenshot of Tableau Cloud site authentication settings page

In Entra, do the following:

  1. Sign in to the Microsoft Entra admin centre as at least a Cloud Application Administrator.

  2. Navigate to Enterprise applications > New application.

  3. On the Browse Microsoft Entra Gallery page, type "Tableau Cloud" in the search box.

  4. Click Tableau Cloud from the search results, and in the right panel, optionally change the default name of the instance and then click Create.
    Notes: 

    • Adding the instance of Tableau Cloud application might take a few moments.

    • When creating an instance of the Tableau Cloud application through the gallery, SAML is the only configuration type supported for integration with Tableau.

  5. In the left pane, navigate to Single sign-on.

  6. On the “Select a single sign-on method” page, select SAML.

  7. On the “Set up Single Sign-On with SAML” page, next to Basic SAML Configuration, click Edit and do the following:

    1. In the Identifier (Entity ID) text box, enter the following placeholder URL that you will edit again in step 3.2: https://sso.online.tableau.com/public/sp/metadata?alias=<entityid>

    2. In the Reply URL text box, enter the following placeholder URL that you will edit again in step 3.2: https://sso.online.tableau.com/public/sp/

    3. In the Sign on URL text box, enter the following URL: https://sso.online.tableau.com

    4. Click Save.

  8. Then, next to SAML Signing Certificate, click Edit.

  9. Click Download to download the Federation Metadata XML.

  10. Finally, next to Attributes & Claims, click Edit to prepare for step 2.2, below.

Step 2: Configure SAML in Tableau Cloud

Complete the following procedure after you save the SAML metadata file from Entra, as described in the section above.

  1. Back in Tableau Cloud, on the New Configuration page, under 2. Upload metadata to Tableau, click the Choose a file button and navigate to the SAML metadata file you saved from Entra. This automatically fills the IdP entity ID and SSO Service URL values.

  2. Under 3. Map attributes, copy the corresponding attribute names (assertions) from Entra’s Attributes & Claims section:

    1. For the Username field, enter mail or userprincipalname, or copy the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name URL.

    2. For the remaining optional fields, copy the URL claim names.

  3. Under 4. Choose default for embedding views (optional), select the experience you want to enable when users access embedded Tableau content.

  4. Click the Save and Continue button.

  5. Go to 5. Get Tableau Cloud metadata to prepare for step 3.1, below.

Step 3: Configure Tableau Cloud application in your IdP

  1. Back in Entra, on the “Set up Single Sign-On with SAML” page, next to Basic SAML Configuration, click Edit and do the following:

    1. For Identifier (Entity ID), copy the Tableau Cloud entity ID URL shown under 5. Get Tableau Cloud metadata in Tableau Cloud.

    2. For Reply URL, copy the Tableau Cloud ACS URL shown under 5. Get Tableau Cloud metadata in Tableau Cloud.

    3. Click Save.

Step 4: Test the SAML configuration in Tableau Cloud

In Entra, do the following:

In Tableau Cloud, do the following:

  1. Add that Entra user to Tableau Cloud to test the SAML configuration with. To add users in Tableau Cloud, see the Add Users to a Site topic.

  2. Under 7. Test configuration, click the Test Configuration button.

    We highly recommend that you test the SAML configuration to avoid any locked-out scenarios. Testing the configuration helps ensure that you have configured SAML correctly before changing the authentication type of your users to SAML. To test the configuration successfully, make sure that there is at least one user you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud site with the SAML authentication type configured.

Additional notes for SAML support with Microsoft Entra ID

  • To avoid enabling SP-initiated single logout (SLO), ensure that the IdP metadata uploaded to Tableau Cloud SAML settings does not contain the SLO endpoint. Alternatively, in the IdP metadata that you upload to Tableau Cloud SAML settings, you can replace the existing “SingleLogoutService” value with “https://sso.online.tableau.com/public/idp/SSO”.

  • If using IdP-initiated SSO for your application, do not provide a “Sign-On URL” value in the Tableau Cloud application from the gallery in Entra. Providing a value for this field will bypass IdP-initiated SSO.
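
A way to check and prepare the metadata file for the SLO note above before uploading it. This is an added example, not Tableau or Microsoft code: the sample metadata is constructed with a placeholder tenant ID, the function names are hypothetical, and it assumes the “SingleLogoutService” value the note refers to is the element's Location attribute.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SLO_TAG = f"{{{MD}}}SingleLogoutService"
# URL the page gives as the replacement SingleLogoutService value.
TABLEAU_SLO_REPLACEMENT = "https://sso.online.tableau.com/public/idp/SSO"

# Constructed sample shaped like IdP metadata; the tenant ID is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def slo_endpoints(xml_text):
    """Return the Location of every SingleLogoutService element in the metadata."""
    root = ET.fromstring(xml_text)
    return [e.get("Location") for e in root.iter(SLO_TAG)]


def neutralise_slo(xml_text, mode="remove"):
    """Return metadata with SLO endpoints removed, or pointed at the page's URL."""
    if mode not in ("remove", "replace"):
        raise ValueError(f"unknown mode: {mode}")
    ET.register_namespace("", MD)  # keep the metadata namespace as the default on output
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):       # snapshot first, then edit the tree
        for child in list(parent):
            if child.tag != SLO_TAG:
                continue
            if mode == "remove":
                parent.remove(child)
            else:
                # Assumption: the "value" to replace is the Location attribute.
                child.set("Location", TABLEAU_SLO_REPLACEMENT)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("SLO endpoints found:", slo_endpoints(SAMPLE_METADATA))
    cleaned = neutralise_slo(SAMPLE_METADATA, mode="remove")
    print("SLO endpoints after removal:", slo_endpoints(cleaned))
```

To use it on a real file, read the Federation Metadata XML downloaded in step 1 and pass its text to the same functions, then upload the returned XML instead of the original.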
