If you use PingOne as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for your Tableau Cloud site.

Note: These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.

Get the Tableau Cloud metadata

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, select Enable an additional authentication method > SAML.

  3. In Step 1, click Export metadata and save the metadata file to your computer.

Configure the PingOne connection

  1. Sign in to your PingOne account, and click the Applications tab.

  2. In the Application Catalog, search for Tableau Cloud.

  3. On the Tableau Cloud item, click the arrow to expand the item, and then click Setup.

  4. On the 1. SSO Instructions page, click Continue to Next Step.

  5. On the 2. Configure your connection page, for Upload Metadata, click Select File, and upload the metadata file you saved from Tableau Cloud. Click Continue to Next Step.

  6. In the table on the 3. Attribute Mapping page, map attributes as follows:

    Application Attribute    Identity Bridge Attribute
    email                    Email
    firstName                First Name
    lastName                 Last Name

    You can ignore the other settings in the table.

    Click Continue to Next Step.

  7. On 4. PingOne App Customization, consider adding your Tableau Cloud site name in the Name field. This is not required.

    Click Save & Publish.

  8. On 5. Review Setup, after reviewing the information you provided, click the Download link next to SAML Metadata, and save the metadata file to your computer.

Support for single logout

When you import the Tableau Cloud metadata as part of the PingOne SAML configuration, the certificate embedded in the metadata is not applied to the IdP application definition. This can cause the following error when people sign out of the SAML site:

It looks like the signing certificate has not been configured.

Configure the certificate for the IdP

To resolve the sign-out error, you can download the certificate from Tableau Cloud, convert it from DER encoded to Base-64 encoded, and then upload it to PingOne.

These steps for converting the certificate are specific to Windows.

  1. Return to the Settings > Authentication page in your Tableau Cloud site, and make sure the Single sign-on with SAML box is checked.

  2. In Step 1, Export metadata file, click Download signing and encryption certificate and save the .cer file to your computer.

  3. Double-click the file you downloaded, and then click Open.

  4. In the Certificate dialog box, select the Details tab and click Copy to File.

  5. In the Certificate Export Wizard, do the following:

    1. Click Next on the opening screen, and then select Base-64 encoded X.509 (.CER).

    2. Click Next, and specify the name and location of the file you are exporting.

    3. Click Next, review the summary information, and then click Finish.

  6. In your PingOne account, return to the application setup pages for Tableau Cloud.

  7. In Step 2. Configure your connection, for Verification Certificate, click Choose File, and upload the new .cer file you created.
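
For administrators who are not on Windows, the following added example (not part of the Tableau or PingOne documentation) performs the same DER to Base-64 conversion as the Certificate Export Wizard and returns a SHA-256 fingerprint you can use to confirm that the file you upload matches the one you downloaded. The function names and the sample bytes are assumptions made for illustration, and the check covers only the outer DER framing, not the certificate contents.

```python
import base64
import hashlib

PEM_HEAD = "-----BEGIN CERTIFICATE-----"
PEM_TAIL = "-----END CERTIFICATE-----"


def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30, declared length matches)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, body = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + body


def to_base64_cer(data: bytes):
    """Return (Base-64 encoded text, SHA-256 fingerprint of the DER bytes)."""
    if data.lstrip().startswith(PEM_HEAD.encode()):
        # File is already Base-64 encoded: decode it so the output is normalised.
        text = data.decode("ascii").replace(PEM_HEAD, "").replace(PEM_TAIL, "")
        der = base64.b64decode("".join(text.split()), validate=True)
    else:
        der = data
    if not der_length_ok(der):
        raise ValueError("not a complete DER structure (truncated or wrong file?)")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # 64-column wrapping
    body = "\n".join(lines)
    return f"{PEM_HEAD}\n{body}\n{PEM_TAIL}\n", hashlib.sha256(der).hexdigest()


# Constructed stand-in bytes with a valid DER outer header (not a real certificate).
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))

if __name__ == "__main__":
    # In practice, read the downloaded .cer file: open(path, "rb").read()
    cer_text, fingerprint = to_base64_cer(SAMPLE_DER)
    print(cer_text)
    print("SHA-256:", fingerprint)
```

A `ValueError` here usually means the download was truncated or the wrong file was selected, which is worth ruling out before uploading anything as the Verification Certificate.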

Complete the Tableau Cloud site configuration

Complete the following steps after you configure your PingOne account and download the SAML metadata file from PingOne, as described in Configure the PingOne connection earlier in this topic.

  1. Return to the Settings > Authentication page in your Tableau Cloud site.

  2. For SAML configuration step 4, for IdP metadata file, click Browse and import the metadata file you downloaded from your PingOne account.

  3. Continue to Step 5: Match attributes, and complete the remaining steps as described.
