SAML (Security Assertion Markup Language) is an XML standard that allows secure web domains to exchange user authentication and authorization data. You can configure Tableau Cloud to use an external identity provider (IdP) to authenticate users over SAML 2.0. No user credentials are stored with Tableau Cloud, and using SAML enables you to add Tableau to your organization’s single sign-on environment.
User authentication through SAML does not apply to permissions and authorization for Tableau Cloud content, such as data sources and workbooks. It also does not control access to underlying data that workbooks and data sources connect to.
Note: Tableau Cloud supports both service provider initiated and IdP initiated SAML in browsers and in the Tableau Mobile app. SAML connections from Tableau Desktop must be service provider initiated.
The following image shows the steps to authenticate a user with single sign-on in a typical service provider initiated flow:
1. User navigates to the Tableau Cloud sign-in page or clicks a published workbook URL.
2. Tableau Cloud starts the authentication process by redirecting the client to the configured IdP.
3. The IdP requests the user’s username and password from the user. After the user submits valid credentials, the IdP authenticates the user.
4. The IdP returns the successful authentication in the form of a SAML Response to the client. The client passes the SAML Response to Tableau Cloud.
5. Tableau Cloud verifies that the username in the SAML Response matches a licensed user stored in the Tableau Cloud repository. If a match is verified, then Tableau Cloud responds to the client with the requested content.
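The service provider initiated flow above, seen from the service provider's side, as an added example that is not Tableau's code: the redirect to the IdP (HTTP-Redirect binding), then the checks on the returned SAML Response before the username is matched to a licensed user. Function names, URLs and users are hypothetical; the code assumes the Response's XML signature and Conditions have already been validated by a SAML library, and the sample Response is constructed and unsigned.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode
from xml.sax.saxutils import escape

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def build_redirect(idp_sso_url, sp_entity_id):
    """Redirect step: build an AuthnRequest and the URL that sends the client to the IdP."""
    request_id = "_" + uuid.uuid4().hex  # remembered in the user's session
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["p"]}" xmlns:saml="{NS["a"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{now}">'
           f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, f"{idp_sso_url}?{query}"

def check_response(saml_response_b64, expected_request_id, licensed_users):
    """Final step: return the matched username, or None if the Response is rejected."""
    # Assumption: signature and Conditions were verified before this point.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("InResponseTo") != expected_request_id:
        return None  # not an answer to the request this session started
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return None  # IdP did not report a successful authentication
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    if name_id is None or not name_id.text:
        return None
    username = name_id.text.strip()
    return username if username in licensed_users else None

def sample_idp_response(request_id, username):
    """Constructed stand-in for the IdP's Response (a real IdP signs it)."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["p"]}" xmlns:saml="{NS["a"]}" '
           f'ID="_r1" Version="2.0" InResponseTo="{request_id}">'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion><saml:Subject><saml:NameID>{escape(username)}'
           f'</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```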