Enable SAML Authentication on a Site

This topic explains how to enable SAML on the site and select single sign-on users. It also provides steps for switching from SAML to the default Tableau (also known as TableauID) authentication. Before you enable SAML, we recommend that you review the SAML Requirements for Tableau Cloud, including Effects of changing authentication type on Tableau Bridge.

This topic assumes you are familiar with the information in Authentication and How SAML Authentication Works.

IdP-specific configuration information

The sections later in this topic provide basic steps that you can use with your IdP’s documentation to configure SAML for your Tableau Cloud site. You can get IdP-specific configuration steps for the following IdPs:

Enable SAML

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, select the Enable an additional authentication method check box, select SAML, and then click the Configuration (required) drop-down arrow.

    Screen shot of Tableau Cloud site authentication settings page

SAML configuration steps

This section takes you through the configuration steps that appear on the Authentication tab in the Tableau Cloud Settings page.

Note: To complete this process, you will also need the documentation your IdP provides. Look for topics that refer to configuring or defining a service provider for a SAML connection, or adding an application.

Step 1: Export metadata from Tableau

To create the SAML connection between Tableau Cloud and your IdP, you need to exchange required metadata between the two services. To get metadata from Tableau Cloud, choose one of the following methods. See the IdP’s SAML configuration documentation to confirm the correct option.

  • Select the Export Metadata button to download an XML file that contains the Tableau Cloud SAML entity ID, Assertion Consumer Service (ACS) URL, and X.509 certificate.

  • Select Download Certificate if your IdP expects the required information in a different way, for example, if it wants you to enter the Tableau Cloud entity ID, ACS URL, and X.509 certificate in separate locations.

    The following image has been edited to show that these settings are the same in Tableau Cloud and Tableau Server.

Step 2 and Step 3: External steps

For step 2, to import the metadata you exported in step 1, sign in to your IdP account, and use the instructions provided by the IdP’s documentation to submit the Tableau Cloud metadata.

For step 3, the IdP’s documentation will also guide you in how to provide metadata to a service provider. It will instruct you to download a metadata file, or it will display XML code. If it displays XML code, copy and paste the code into a new text file, and save the file with a .xml extension.

Step 4: Import IdP metadata to the Tableau site

On the Authentication page in Tableau Cloud, import the metadata file that you downloaded from the IdP or created manually from the XML it provided.

Note: If you are editing the configuration, you need to upload the metadata file so that Tableau knows to use the correct IdP entity ID and SSO service URL.

Step 5: Match attributes

Attributes contain authentication, authorization, and other information about a user.

Note: Tableau Cloud requires the NameID attribute in the SAML response. You can provide other attributes to map user names in Tableau Cloud, but the response message must include the NameID attribute.

  • Username: (Required) Enter the name of the attribute that stores users’ usernames (email addresses).

  • Display name: (Optional but recommended) Some IdPs use separate attributes for first and last names, and others store the full name in one attribute.

    Select the button that corresponds to the way your IdP stores the names. For example, if the IdP combines first and last name in one attribute, select Display name, and then enter the attribute name.

    Screen shot of step 5 for configuring site SAML for Tableau Cloud -- matching attributes
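The NameID requirement and the attribute mapping from step 5 can be checked against a decoded SAML response before you test sign-in. The following is an added example, not Tableau code: the function name, the exact-match comparison of attribute names, and the sample response (with the attribute names email and firstName) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_assertion_attributes(xml_text, username_attr, display_attrs=()):
    """List problems that would break the step 5 mapping; an empty list means OK.
    Diagnostic only: this does not verify the XML signature."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD found; refusing to parse")
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values[attr.get("Name")] = [v for v in vals if v]
    username = values.get(username_attr, [])  # exact name match (assumption)
    if not username:
        problems.append(f"username attribute '{username_attr}' missing or empty")
    elif "@" not in username[0]:
        problems.append(f"username '{username[0]}' is not an email address")
    for name in display_attrs:
        if not values.get(name):
            problems.append(f"display name attribute '{name}' missing or empty")
    return problems

# Constructed sample response; the user and attribute names are placeholders.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName">
        <saml:AttributeValue>Ada</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_assertion_attributes(SAMPLE, "email", ("firstName", "lastName")))
```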

Step 6: Embedding options

Select the method by which users sign in to embedded views. The options are to open a separate pop-up window that displays the IdP’s sign-in form, or to use an inline frame (iframe).

Caution: Because iframes can be vulnerable to clickjacking attacks, not all IdPs support signing in through an iframe. With clickjacking, the attacker tries to lure users into clicking or entering content. They do this by displaying the page to attack in a transparent layer over an unrelated page. For Tableau Cloud, an attacker might try to capture user credentials or to get an authenticated user to change settings. For more information, see Clickjacking on the Open Web Application Security Project website.

If your IdP doesn’t support signing in through an iframe, select Authenticate in a separate pop-up window.
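An IdP that refuses iframe sign-in usually says so in the response headers of its sign-in page, through X-Frame-Options or the Content-Security-Policy frame-ancestors directive. The following is an added example, not Tableau code, that classifies a set of headers. The function name, the header samples, and the example.com origins are constructed, and the caller is assumed to know the origin of every page that would sit above the sign-in form.

```python
def framing_allowed(headers, ancestor_origins):
    """Decide whether a page sent with these response headers may render inside
    frames whose ancestor pages have the given origins. Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = {o.lower().rstrip("/") for o in ancestor_origins}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, browsers that support it
            # ignore X-Frame-Options, so the decision is made here.
            sources = {p.lower().rstrip("/") for p in parts[1:]}
            # Every ancestor must match. Wildcard hosts such as
            # https://*.example.com are not expanded (reported as blocked).
            if "*" in sources or ancestors <= sources:
                return True, "frame-ancestors permits every ancestor"
            return False, "frame-ancestors " + " ".join(sorted(sources))
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        # SAMEORIGIN only permits ancestors on the IdP's own origin, which a
        # page hosting an embedded view is not, so treat it as blocked.
        return False, "X-Frame-Options: " + xfo
    return True, "no framing restriction sent"

# Constructed header samples (not captured from any real IdP).
HEADERS_STRICT = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                  "X-Frame-Options": "DENY"}
HEADERS_ALLOWLIST = {"Content-Security-Policy":
                     "frame-ancestors https://portal.example.com https://analytics.example.net"}
HEADERS_LEGACY = {"X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    page_chain = ["https://portal.example.com", "https://analytics.example.net"]
    for name, hdrs in [("strict", HEADERS_STRICT), ("allow-list", HEADERS_ALLOWLIST),
                       ("legacy", HEADERS_LEGACY), ("none", {})]:
        print(name, framing_allowed(hdrs, page_chain))
```

A blocked result means the pop-up window option is the one to select. The check covers response headers only, not script-based frame busting.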

See also Default authentication type for embedded views.

Step 7: Test the configuration and troubleshoot

We highly recommend that you test the SAML configuration to avoid any lockout scenarios. Testing the configuration helps ensure that you have configured SAML correctly before changing the authentication type of your users to SAML. To test the configuration successfully, make sure that there is at least one user you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud site with the SAML authentication type configured.

If you can't successfully sign in to Tableau Cloud, start with the troubleshooting steps suggested on the Authentication page. If those steps do not resolve the issue, see Troubleshoot SAML.

Manage users

Select existing Tableau Cloud users, or add new users you want to approve for single sign-on.

When you add or import users, you also specify their authentication type. On the Users page, you can change users’ authentication type any time after adding them.

For more information, see Add Users to a Site or Import Users.

Default authentication type for embedded views

Part of enabling SAML on your site is to specify how users access views embedded in web pages.

  • Let users choose their authentication type

    When you select this, two sign-in options appear where a view is embedded: a sign-in button that uses single sign-on authentication and a link to use TableauID as an alternative.

    Tip: With this option, users need to know which alternative to choose. As part of the notification you send your users after you add them to the single sign-on site, let them know which type of authentication to use for a variety of sign-in scenarios. For example, embedded views, Tableau Desktop, Tableau Bridge, Tableau Mobile, and so on.

  • Tableau with MFA

    This option requires users to sign in using Tableau credentials with multi-factor authentication even if SAML is enabled on the site. Signing in with Tableau with MFA requires users to set a verification method to confirm their identity each time they sign in to Tableau Cloud. For more information, see Multi-Factor Authentication and Tableau Cloud.

  • SAML

    With this option, the way SAML users can sign in to embedded views is determined by the setting you select in step 6 above.

Use Tableau authentication

If a site is configured for SAML, you can change the site settings to require some or all users to sign in using Tableau credentials.

  • If you no longer want an identity provider to handle authentication for a site, or require all users to sign in with their Tableau credentials, you can change authentication type at the site level.

  • If you want to keep SAML enabled for some users, but require others to use Tableau, you can change authentication type at the user level.

    For more information, see Set the User Authentication Type.

Change the site’s authentication type

  1. Sign in to Tableau Cloud as a site administrator and select the site.

  2. Select Settings > Authentication.

  3. Clear the Enable an additional authentication method check box.

After you make the SAML configuration inactive, the metadata and IdP information are preserved, so that if you want to enable it again, you do not need to set up the SAML connection with the IdP again.

Update SAML certificate

The certificate used for Tableau site metadata is provided by Tableau and not configurable. To update the certificate for SAML, you must upload a new certificate to your IdP and re-exchange the metadata with Tableau Cloud.

  1. Sign in to the site as a site administrator, and select Settings > Authentication.

  2. Under Authentication types, click the Configuration (required) drop-down arrow.

  3. Open a new tab or window, and sign in to your IdP account.

  4. Use the instructions provided by the IdP’s documentation to upload a new SAML certificate.

  5. Download the new XML metadata file to provide to Tableau Cloud.

  6. Return to the Authentication page in Tableau Cloud, and in step 4, upload the metadata file that you downloaded from the IdP.

  7. Click the Save Changes button.

See also

Access Sites from Connected Clients
