Configure SAML with PingOne


If you use PingOne as your SAML identity provider (IdP), you can use the information in this topic to set up SAML authentication for Tableau Cloud or Tableau Cloud Manager (TCM).

Notes: 

  • These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.
  • Beginning February 2022, multi-factor authentication (MFA) through your SAML SSO identity provider (IdP) is a Tableau requirement.
  • The configuration steps in the IdP may be in a different order than what you see in Tableau.

Step 1: Get started

In Tableau Cloud, do the following:

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, click the New Configuration button, select SAML from the Authentication drop-down, and then enter a name for the configuration.

    Screen shot of Tableau Cloud site authentication settings -- new configuration page

    Note: Configurations created before January 2025 (Tableau 2024.3) can't be renamed.

Alternatively, in TCM, do the following:

  1. Sign in to TCM as a cloud administrator, and select Settings > Authentication.

  2. Select the Enable an additional authentication method check box, and select SAML from the Authentication drop-down.

  3. Click the Configuration (required) drop-down arrow.

In PingOne, do the following:

Note: For TCM, you use the "Tableau Cloud application" in the IdP to configure TCM authentication.

  1. Open a new browser tab or window, sign in to your PingOne account, and then click the Applications tab.

  2. In the Application Catalog search for and select Tableau Cloud.

  3. Click Setup button, the Save & Publish button, and then click the Download link next to SAML Metadata, and save the PingOne SAML metadata file to your computer.

Step 2: Configure SAML in Tableau Cloud or TCM

Complete the following procedure after you download the SAML metadata file from PingOne, as described in the section above.

For Tableau Cloud

  1. Back in Tableau Cloud, in the New Configuration page, under 2. Upload metadata to Tableau, click the Choose a file button and navigate to the SAML metadata file you downloaded from your PingOne account.

  2. Continue to Step 3: Map attributes, and complete the remaining steps as described.

  3. Under 4. Choose default for embedded views, you can optionally select how users authenticate to embedded views.

  4. Click the Save and Continue button.

  5. Under 5. Get Tableau Cloud metadata, click the Export Metadata button and save the Tableau metadata file to your computer.

    By default, the file name is saml_sp_metadata.xml.

For TCM

  1. Back in TCM, in the Authentication page, under 2. Upload metadata to Tableau, click the Choose a file button and navigate to the SAML metadata file you downloaded from your PingOne account.

  2. Continue to Step 3: Match assertions, and complete the remaining steps as described.

  3. Click the Save and Continue button.

  4. Under 4. Get Tableau Cloud metadata, click the Export Metadata button and save the Tableau metadata file to your computer.

    By default, the file name is saml_sp_metadata.xml.

Step 3. Configure "Tableau Cloud application" in your IdP

Note: For TCM, you use the "Tableau Cloud application" in the IdP to configure TCM authentication.

  1. Back in your PingOne account, in the Tableau Cloud application, navigate to Setup.

  2. On the 1. SSO Instructions page, click Continue to Next Step.

  3. On the 2. Configure your connection page, for Upload Metadata, click Select File, and upload the Tableau Cloud or TCM metadata file you saved from Tableau Cloud or TCM.

  4. Click Continue to Next Step.

When you import the Tableau Cloud or TCM metadata as part of the PingOneSAML configuration, the certificate embedded in the metadata is not applied to the IdP application definition. This can cause the following error when people sign out of the SAML site:

It looks like the signing certificate has not been configured.

Configure the PingOne certificate

To resolve the sign-out error, you can download the certificate from Tableau Cloud or TCM, convert it from DER encoded to Base-64 encoded, and then upload it to PingOne.

The steps for converting the certificate are specific to Windows.

In Tableau Cloud, do the following:

  1. Back in Tableau Cloud, make sure SAML is selected and you're on the New Configuration page.

  2. Under 5. Get Tableau Cloud metadata, for Method 2: Copy metadata and download certificate, click the Download Certificate button, and save the .cer file to your computer.

Alternatively, in TCM, do the following:

  1. Back in TCM, make sure SAML is selected and you're on the Authentication page.

  2. Under 4. Get Tableau Cloud metadata, for Method 2: Copy metadata and download certificate, click the Download Certificate button, and save the .cer file to your computer.

On your computer, do the following:

  1. Double-click the .cer file you downloaded, and click Open.

  2. In the Certificate dialog box, select the Details tab and click Copy to File.

  3. In the Certificate Export Wizard, do the following:

    1. Click Next on the opening screen, and then select Base-64 encoded X.590 (.CER).

    2. Click Next, and specify the name and location of the file you are exporting.

    3. Click Next, review the summary information, and then click Finish.

In PingOne, do the following:

  1. In your PingOne account, return to the application setup pages for Tableau Cloud or TCM.

  2. In Step 2. Configure your connection, for Verification Certificate, click Choose File, and upload the new .cer file you created.

Step 4: Test the SAML configuration

In PingOne, do the following:

  • Add a sample user to PingOne and assign them to the Tableau Cloud or TCM application.

In Tableau Cloud, do the following:

  1. Add that PingOne user to Tableau Cloud to test the SAML configuration.

  2. Do one of the following:

    • In Tableau Cloud, under 7. Test configuration, click the Test Configuration button.

    • In TCM, on the Authentication page, under 6. Test configuration, click the Test Configuration button.

We highly recommend that you test the SAML configuration to avoid any locked out scenarios. Testing the configuration helps ensure that you have configured SAML correctly before changing the authentication type of your users to SAML. To test the configuration successfully, make sure that there is at least one user who you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud or TCM with SAML authentication type configured.

Step 5: Add additional users to the SAML-enabled Tableau Cloud site or TCM

Use the steps below to add additional users to your site. The procedure described in this section is performed on the Tableau Cloud’s or TCM's Users page.

  1. After you complete the steps above, from the left pane, navigate to the Users page.

  2. Follow the procedure described in:

Back to top