Configure SAML with PingOne

If you use PingOne as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for your Tableau Cloud site.


  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.
  • Beginning February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau Cloud requirement.

Step 1: Get the Tableau Cloud metadata

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, select the Enable an additional authentication method tick box and select SAML.

  3. In step 1, Method 1: Export metadata, click the Export Metadata button and save the metadata file to your computer.

Step 2: Configure the PingOne connection

  1. Sign in to your PingOne account, and click the Applications tab.

  2. In the Application Catalog, search for Tableau Cloud.

  3. On the Tableau Cloud item, click the arrow to expand the item, and then click Setup.

  4. On the 1. SSO Instructions page, click Continue to Next Step.

  5. On the 2. Configure your connection page, for Upload Metadata, click Select File, and upload the metadata file you saved from Tableau Cloud. Click Continue to Next Step.

  6. On the 3. Attribute Mapping page, use the attributes from your IdP.

    You can ignore the other settings in the table.

    Click Continue to Next Step.

  7. On 4. PingOne App Customisation, consider adding your Tableau Cloud site name in the Name field. This is not required.

    Click Save & Publish.

  8. On 5. Review Setup, after reviewing the information you provided, click the Download link next to SAML Metadata, and save the metadata file to your computer.

Support for single logout

When you import the Tableau Cloud metadata as part of the PingOne SAML configuration, the certificate embedded in the metadata is not applied to the IdP application definition. This can cause the following error when people sign out of the SAML site:

It looks like the signing certificate has not been configured.

Configure the certificate for the IdP

To resolve the sign-out error, you can download the certificate from Tableau Cloud, convert it from DER encoded to Base-64 encoded, and then upload it to PingOne.

These steps for converting the certificate are specific to Windows.

  1. Return to the Settings > Authentication page in your Tableau Cloud site, and make sure SAML is selected.

  2. In step 1, Method 2: Copy metadata and download certificate, click the Download Certificate button, and save the .cer file to your computer.

  3. Double-click the file you downloaded, and then click Open.

  4. In the Certificate dialog box, select the Details tab and click Copy to File.

  5. In the Certificate Export Wizard, do the following:

    1. Click Next on the opening screen, and then select Base-64 encoded X.509 (.CER).

    2. Click Next, and specify the name and location of the file you are exporting.

    3. Click Next, review the summary information, and then click Finish.

  6. In your PingOne account, return to the application setup pages for Tableau Cloud.

  7. In Step 2. Configure your connection, for Verification Certificate, click Choose File, and upload the new .cer file you created.
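
For administrators not on Windows, the following added example (not part of the original topic or of Tableau's or PingOne's tooling) converts the downloaded DER certificate to Base-64 text and checks that it is the certificate embedded in the exported Tableau Cloud metadata before you upload it. The function names and sample data are hypothetical, and it assumes the downloaded certificate is the same one the metadata carries.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

DS_CERT = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"

def load_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate file that is DER or already Base-64."""
    text = data.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    if data[:1] != b"\x30":  # DER certificates open with an ASN.1 SEQUENCE tag
        raise ValueError("input is neither a DER nor a Base-64 certificate")
    return data

def to_base64_cer(data: bytes) -> str:
    """Base-64 (PEM) text, the encoding the wizard's Base-64 option produces."""
    return ssl.DER_cert_to_PEM_cert(load_der(data))

def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def metadata_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate embedded in a SAML metadata document."""
    root = ET.fromstring(metadata_xml)
    return {sha256_fingerprint(base64.b64decode("".join(el.text.split())))
            for el in root.iter(DS_CERT) if el.text}

def matches_metadata(cert_file: bytes, metadata_xml: str) -> bool:
    """True if the certificate file is one of the certificates in the metadata."""
    return sha256_fingerprint(load_der(cert_file)) in metadata_fingerprints(metadata_xml)

# Constructed sample: placeholder bytes shaped like DER, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.invalid">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
    + base64.b64encode(SAMPLE_DER).decode("ascii") +
    '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)

if __name__ == "__main__":
    pem = to_base64_cer(SAMPLE_DER)
    print(pem)
    print("matches metadata:", matches_metadata(pem.encode("ascii"), SAMPLE_METADATA))
```

To use it on real files, pass the bytes of the downloaded .cer file and the text of the exported metadata file in place of the constructed samples, and upload the converted file only when the match check returns True.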

Step 3: Complete the Tableau Cloud site configuration

Complete the following steps after you configure your PingOne account and download the SAML metadata file from PingOne, as described in Step 2: Configure the PingOne connection earlier in this topic.

  1. Return to the Settings > Authentication page in your Tableau Cloud site.

  2. For SAML configuration, under 4. Upload metadata to Tableau, click the Choose a file button and navigate to the metadata file you downloaded from your PingOne account.

  3. Continue to Step 5: Match attributes, and complete the remaining steps as described.

  4. Click the Save Changes button.

  5. For 7. Test configuration, click the Test Configuration button.

    We highly recommend that you test the SAML configuration to avoid any locked-out scenarios. Testing the configuration helps ensure that you have configured SAML correctly before changing the authentication type of your users to SAML. To test the configuration successfully, make sure that there is at least one user you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud site with the SAML authentication type configured.

Step 4: Add users to the SAML-enabled Tableau site

The steps described in this section are performed on the Tableau Cloud Users page.

  1. After you complete the steps above, return to your Tableau Cloud site.

  2. From the left pane, navigate to the Users page.

  3. Follow the procedure described in the Add Users to a Site topic.
