Configure SAML with PingOne


If you use PingOne as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for your Tableau Cloud site.

Notes: 

  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.
  • Beginning February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau Cloud requirement.
  • The configuration steps in the IdP may be in a different order than what you see in Tableau Cloud.

Step 1: Get started

In Tableau Cloud, do the following:

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, click the New Configuration button, select SAML from the Authentication drop-down, and then enter a name for the configuration.

    Screen shot of Tableau Cloud site authentication settings -- new configuration page

    Note: Configurations created before November 2024 (Tableau 2024.3) can't be renamed.

In PingOne, do the following:

  1. Open a new browser tab or window, sign in to your PingOne account, and then click the Applications tab.

  2. In the Application Catalog search for and select Tableau Cloud.

  3. Click Setup button, the Save & Publish button, and then click the Download link next to SAML Metadata, and save the PingOne SAML metadata file to your computer.

Step 2: Configure SAML in Tableau Cloud

Complete the following procedure after you download the SAML metadata file from PingOne, as described in the section above.

  1. Back in Tableau Cloud, in the New Configuration page, under 2. Upload metadata to Tableau, click the Choose a file button and navigate to the SAML metadata file you downloaded from your PingOne account.

  2. Continue to Step 3: Map attributes , and complete the remaining steps as described.

  3. Under 4. Choose default for embedded views, you can optionally select how users authenticate to embedded views.

  4. Click the Save and Continue button.

  5. Under 5. Get Tableau Cloud metadata, click the Export Metadata button and save the Tableau metadata file to your computer.

    By default, the file name is saml_sp_metadata.xml.

Step 3. Configure Tableau Cloud application in your IdP

  1. Back in your PingOne account, in the Tableau Cloud application, navigate to Setup.

  2. On the 1. SSO Instructions page, click Continue to Next Step.

  3. On the 2. Configure your connection page, for Upload Metadata, click Select File, and upload the Tableau Cloud metadata file you saved from Tableau Cloud.

  4. Click Continue to Next Step.

When you import the Tableau Cloud metadata as part of the PingOneSAML configuration, the certificate embedded in the metadata is not applied to the IdP application definition. This can cause the following error when people sign out of the SAML site:

It looks like the signing certificate has not been configured.

Configure the PingOne certificate

To resolve the sign-out error, you can download the certificate from Tableau Cloud, convert it from DER encoded to Base-64 encoded, and then upload it to PingOne.

The steps for converting the certificate are specific to Windows.

In Tableau Cloud, do the following:

  1. Back in Tableau Cloud, make sure SAML is selected and you're on the New Configuration page.

  2. Under 5. Get Tableau Cloud metadata, for Method 2: Copy metadata and download certificate, click the Download Certificate button, and save the .cer file to your computer.

On your computer, do the following:

  1. Double-click the .cer file you downloaded, and click Open.

  2. In the Certificate dialog box, select the Details tab and click Copy to File.

  3. In the Certificate Export Wizard, do the following:

    1. Click Next on the opening screen, and then select Base-64 encoded X.590 (.CER).

    2. Click Next, and specify the name and location of the file you are exporting.

    3. Click Next, review the summary information, and then click Finish.

In PingOne, do the following:

  1. In your PingOne account, return to the application setup pages for Tableau Cloud.

  2. In Step 2. Configure your connection, for Verification Certificate, click Choose File, and upload the new .cer file you created.

Step 4: Test the SAML configuration in Tableau Cloud

In PingOne, do the following:

  • Add a sample user to PingOne and assign them to the Tableau Cloud application.

In Tableau Cloud, do the following:

  1. Add that PingOne user to Tableau Cloud to test the SAML configuration. To add users in Tableau Cloud, see the Add Users to a Site topic.

  2. Under 7. Test configuration, click the Test Configuration button.

    We highly recommend that you test the SAML configuration to avoid any locked out scenarios. Testing the configuration helps ensure that you have configured SAML correctly before changing the authentication type of your users to SAML. To test the configuration successfully, make sure that there is at least one user who you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud with SAML authentication type configured.

Step 5: Add additional users to the SAML-enabled Tableau Cloud site

Use the steps below to add additional users to your site. The procedure described in this section is performed on the Tableau Cloud’s Users page.

  1. After you complete the steps above, from the left pane, navigate to the Users page.

  2. Follow the procedure described in Add Users to a Site topic.

Back to top
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!