Configure SAML with Microsoft Entra ID

If you’ve configured Microsoft Entra ID (also known as Microsoft Azure Active Directory (Azure AD)) as your SAML identity provider (IdP), use the information in this topic alongside the Microsoft Entra documentation to add Tableau Cloud to your single sign-on applications.

Notes: 

  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.
  • Beginning February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau Cloud requirement.

Step 1: Open the Tableau Online SAML settings

To use Microsoft Entra ID with Tableau Cloud, you configure a custom application in the Entra management portal. For this task you’ll need to use information from the Tableau Cloud SAML settings.

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, select the Enable an additional authentication method tick box, select SAML and then click the Configuration (required) drop-down arrow.

    Screenshot of Tableau Cloud site authentication settings page

Step 2: Add Tableau Cloud to your Microsoft Entra ID applications

Taking information from the Tableau Cloud SAML settings page, review and complete the steps in the following Microsoft Entra articles:

Additional notes for SAML support with Microsoft Entra ID

  • To avoid enabling SP-initiated single logout (SLO), ensure that the IdP metadata uploaded to Tableau Cloud SAML settings does not contain the SLO endpoint. Alternatively, in the IdP metadata that you upload to Tableau Cloud SAML settings, you can replace the existing “SingleLogoutService” value with “https://sso.online.tableau.com/public/idp/SSO”.

  • If using IdP-initiated SSO for your application, the Tableau Cloud app from the gallery application in the Entra portal currently requires a “Sign On URL” value. This value bypasses IdP-initiated SSO. To avoid bypassing IdP-initiated SSO, you can use the following format for the “Sign On URL” value:

    https://sso.online.tableau.com/public/sp/login?alias=<alias key>

    For more information, see the Prompted to Enter Credentials When Accessing Tableau Cloud Configured with SAML knowledge article.
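
The metadata check from the first note above, as an added example (not Tableau's or Microsoft's code): it lists any SingleLogoutService endpoints in an IdP metadata file and either removes them or rewrites their Location to the URL given in that note. The sample metadata and its idp.example.test host are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
IDP_TAG = f"{{{MD_NS}}}IDPSSODescriptor"
SLO_TAG = f"{{{MD_NS}}}SingleLogoutService"
# Replacement value quoted in the note above.
TABLEAU_SSO_URL = "https://sso.online.tableau.com/public/idp/SSO"

# Keep a readable prefix when the document is written back out.
ET.register_namespace("md", MD_NS)


def slo_locations(metadata_xml):
    """Return the Location of each SingleLogoutService under the IdP descriptor."""
    root = ET.fromstring(metadata_xml)
    return [slo.get("Location", "")
            for idp in root.iter(IDP_TAG)
            for slo in idp.findall(SLO_TAG)]


def neutralize_slo(metadata_xml, mode="remove"):
    """Return metadata with SLO endpoints removed or pointed at TABLEAU_SSO_URL."""
    if mode not in ("remove", "replace"):
        raise ValueError("mode must be 'remove' or 'replace'")
    root = ET.fromstring(metadata_xml)
    for idp in list(root.iter(IDP_TAG)):
        for slo in idp.findall(SLO_TAG):  # findall returns a list, safe to mutate
            if mode == "remove":
                idp.remove(slo)
            else:
                slo.set("Location", TABLEAU_SSO_URL)
    return ET.tostring(root, encoding="unicode")


# Constructed sample metadata (hypothetical IdP host), not a real Entra export.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/constructed">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/logout"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print("SLO endpoints before:", slo_locations(SAMPLE))
    print("SLO endpoints after: ", slo_locations(neutralize_slo(SAMPLE)))
```

A non-empty result from `slo_locations` on the file you are about to upload means the metadata still advertises an SLO endpoint.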
