Enable SAML Authentication on a Site

This topic explains how to enable SAML on the site and select single sign-on users. It also provides steps for switching from SAML to the default Tableau (also known as TableauID) authentication. Before you enable SAML, we recommend that you review the SAML Requirements for Tableau Cloud, including Effects of changing authentication type on Tableau Bridge.

This topic assumes you are familiar with the information in Authentication and How SAML Authentication Works.

IdP-specific configuration information

The sections later in this topic provide basic steps that you can use with your IdP’s documentation to configure SAML for your Tableau Cloud site. You can get IdP-specific configuration steps for the following IdPs:

Enable SAML

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, click the New Configuration button, select SAML from the Authentication drop-down, and then enter a name for the configuration.

    Screen shot of Tableau Cloud site authentication settings -- new configuration page

    Note: Configurations created before November 2024 (Tableau 2024.3) can't be renamed.

SAML configuration steps

This section takes you through the configuration steps that appear on the Authentication tab in the Tableau Cloud Settings page.

Note: To complete this process, you will also need the documentation your IdP provides. Look for topics that refer to configuring or defining a service provider for a SAML connection, or adding an application.

Step 1: Export metadata from IdP

Go to your IdP, sign in to your IdP account, and use the instructions provided by the IdP’s documentation to download your IdP's metadata. The IdP's metadata enables Tableau Cloud to connect to your IdP.

For step 1, the IdP’s documentation will also guide you in how to provide metadata to a service provider. It will instruct you to download a SAML metadata file, or it will display XML code. If it displays XML code, copy and paste the code into a new text file, and save the file with a .xml extension.

Step 2: Upload metadata to Tableau

In the New Configuration page in Tableau Cloud, import the metadata (.xml) file that you downloaded from the IdP or configured manually from the XML it provided.

Notes: 

  • After uploading the IdP metadata, both the IdP entity ID and IdP SSO service URL fields populate automatically.
  • If editing the configuration, you will need to upload the metadata file so Tableau knows to use the correct IdP entity ID and SSO service URL.
  • You can use the Clear IdP Metadata button if you need to upload a new metadata file.

Step 3: Map attributes

Attributes contain authentication, authorization, and other information about a user.

Note: Tableau Cloud requires the NameID attribute in the SAML response. You can provide other attributes to map user names in Tableau Cloud, but the response message must include the NameID attribute.

  • Username: (Required) Enter the name of the attribute that stores users’ usernames (email addresses).

  • Email address: (Optional) Enter the name of the attribute that contains the email address that the IdP uses during the authentication process to enable users to receive notifications at an email address that is different from the username. The email address attribute is used for notification purposes only and not used for sign-in.

  • Display name: (Optional but recommended) Some IdPs use separate attributes for first and last names, and others store the full name in one attribute.

    Select the button that corresponds to the way your IdP stores the names. For example, if the IdP combines first and last name in one attribute, select Display name, and then enter the attribute name.

    Screen shot of step 3 for configuring site SAML for Tableau Cloud -- map attributes
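
When a test sign-in fails, a decoded SAML response captured from that sign-in can be checked against the mapping entered in this step. The following Python sketch is an added example, not Tableau code; the sample response, the attribute names `email` and `displayName`, and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; user, attribute names and values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="displayName">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_attribute_mapping(response_xml, username_attr, optional_attrs=()):
    """List presence mismatches only; signatures and conditions are not validated."""
    if "<!DOCTYPE" in response_xml:
        raise ValueError("refusing response that carries a DTD")
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no readable Assertion (absent or encrypted)"]
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    username = attrs.get(username_attr, [])
    if len(username) != 1:
        problems.append(f"username attribute {username_attr!r} has {len(username)} values")
    elif "@" not in username[0]:
        problems.append(f"username attribute {username_attr!r} is not an email address")
    problems += [f"optional attribute {n!r} is absent" for n in optional_attrs
                 if not attrs.get(n)]
    return problems

if __name__ == "__main__":
    print(check_attribute_mapping(SAMPLE_RESPONSE, "email", ["displayName"]))
```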

Step 4: Choose default for embedded views

Select the method by which users sign in to embedded views. The options are to open a separate pop-up window that displays the IdP’s sign-in form, or to use an inline frame (iframe).

Important: Because iframes can be vulnerable to clickjacking attacks, not all IdPs support signing in through an iframe. With clickjacking, the attacker tries to lure users into clicking or entering content. They do this by displaying the page to attack in a transparent layer over an unrelated page. For Tableau Cloud, an attacker might try to capture user credentials or to get an authenticated user to change settings. For more information, see Clickjacking on the Open Web Application Security Project website.

If your IdP doesn’t support signing in through an iframe, select Authenticate in a separate pop-up window.
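
One way to tell which option will work is to look at the anti-framing response headers on the IdP's sign-in page. The following Python sketch is an added example, not Tableau code; it assumes the IdP enforces its policy through the standard `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` headers, and the sample header sets and function names are constructed.

```python
RANK = {"unrestricted": 0, "allow-listed": 1, "blocked": 2}

# Constructed response headers from four hypothetical IdP sign-in pages.
SAMPLE_HEADERS = {
    "idp-a": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "idp-b": {"X-Frame-Options": "SAMEORIGIN"},
    "idp-c": {"Content-Security-Policy": "frame-ancestors https://*.example.com",
              "X-Frame-Options": "DENY"},
    "idp-d": {"Content-Type": "text/html"},
}


def framing_policy(headers):
    """Classify whether a page may be framed by another origin."""
    h = {k.lower(): v for k, v in headers.items()}
    verdicts = []
    for policy in h.get("content-security-policy", "").split(","):
        for directive in policy.split(";"):
            tokens = directive.lower().split()
            if tokens[:1] != ["frame-ancestors"]:
                continue
            sources = set(tokens[1:])
            if sources <= {"'none'", "'self'"}:  # an empty list also matches nothing
                verdicts.append("blocked")
            elif "*" in sources:
                verdicts.append("unrestricted")
            else:
                verdicts.append("allow-listed")
            break  # only the first frame-ancestors in a policy is used
    if verdicts:  # frame-ancestors overrides X-Frame-Options; strictest policy wins
        return max(verdicts, key=RANK.get)
    xfo = h.get("x-frame-options", "").strip().lower()
    return "blocked" if xfo in ("deny", "sameorigin") else "unrestricted"


def embedded_signin_choice(headers):
    """Map the policy to the Step 4 option that will actually work."""
    policy = framing_policy(headers)
    if policy == "blocked":
        return "pop-up"
    if policy == "allow-listed":
        return "pop-up unless every embedding origin is allow-listed"
    return "pop-up preferred; the IdP page does not restrict framing"

if __name__ == "__main__":
    for name, hdrs in SAMPLE_HEADERS.items():
        print(name, framing_policy(hdrs), "->", embedded_signin_choice(hdrs))
```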

Step 5: Get Tableau Cloud metadata

To create the SAML connection between Tableau Cloud and your IdP, you need to exchange required metadata between the two services. To get metadata from Tableau Cloud, choose one of the following methods. See the IdP’s SAML configuration documentation to confirm the correct option.

  • Select the Export Metadata button to download an XML file that contains the Tableau Cloud SAML entity ID, Assertion Consumer Service (ACS) URL, and X.509 certificate.

  • Select Download Certificate if your IdP expects the required information in a different way, for example, if it wants you to enter the Tableau Cloud entity ID, ACS URL, and X.509 certificate in separate locations.

    Guidelines for exporting or copying metadata from Tableau Cloud.

Step 6: Configure IdP

For step 6, use the instructions provided by the IdP’s documentation to submit the Tableau Cloud metadata.

Step 7: Test configuration and troubleshoot SAML

We highly recommend that you test the SAML configuration to avoid lockout scenarios. Testing the configuration helps ensure that you have configured SAML correctly before changing the authentication type of your users to SAML. To test the configuration successfully, make sure that there is at least one user you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud site with the SAML authentication type configured.

If you can't successfully sign in to Tableau Cloud, start with the troubleshooting steps suggested on the Authentication page. If those steps do not resolve the issue, see Troubleshoot SAML.

Manage users

Select existing Tableau Cloud users, or add new users you want to approve for single sign-on.

When you add or import users, you also specify their authentication type. On the Users page, you can change users’ authentication type any time after adding them.

For more information, see Add Users to a Site or Import Users.

Default authentication type for embedded views

  • Let users choose their authentication type

    When this option is selected, only a pop-up window will be supported. In this pop-up window, two sign-in options appear where a view is embedded: a sign-in button that uses single sign-on (SSO) authentication and a link to use Tableau credentials as the alternative.

    Tip: With this option, users need to know which sign-in option to choose. As part of the notification you send your users after you add them to the single sign-on site, let them know which type of authentication to use for a variety of sign-in scenarios, for example, embedded views, Tableau Desktop, Tableau Bridge, Tableau Mobile, and so on.

  • Tableau with MFA

    This option requires users to sign in using Tableau credentials with multi-factor authentication even if SAML is enabled on the site. Signing in with Tableau with MFA requires users to set a verification method to confirm their identity each time they sign in to Tableau Cloud. For more information, see Multi-Factor Authentication and Tableau Cloud.

  • List of authentication configurations

    When a specific configuration option is selected, the way users can sign in to embedded views is determined by the setting you configured in step 6 above for the named configuration.

Use Tableau authentication

If a site is configured for SAML, you can change the site settings to require some or all users to sign in using Tableau credentials.

  • If you no longer want an identity provider to handle authentication for a site, or require all users to sign in with their Tableau credentials, you can change authentication type at the site level. See the Change the site’s authentication type section below.

  • If you want to keep SAML enabled for some users, but require others to use Tableau, you can change authentication type at the user level.

    For more information, see Set the User Authentication Type.

Change the site’s authentication type

Beginning in November 2024 (Tableau 2024.3), you can enable multiple authentication types and methods on a site. To change what authentication you want available on the site, enable or disable the authentication configurations.

  1. Sign in to the Tableau Cloud site as a site administrator.

  2. Select Settings > Authentication.

  3. Disable or enable authentication configurations for the site by clicking the Actions menu and selecting Disable or Enable.

After you make the SAML configuration inactive, the metadata and IdP information are preserved so that if you want to enable it again, you do not need to set up the SAML connection with the IdP again.

Update SAML certificate

The certificate used for Tableau site metadata is provided by Tableau and not configurable. To update the certificate for SAML, you must upload a new certificate to your IdP and re-exchange the metadata with Tableau Cloud.

  1. Sign in to the site as a site administrator, and select Settings > Authentication.

  2. Under Authentication types, go to the SAML configuration you want to update, click the Actions menu, and then select Edit.

  3. Open a new tab or window, and sign in to your IdP account.

  4. Use the instructions provided by the IdP’s documentation to upload a new SAML certificate.

  5. Download the new XML metadata file to provide to Tableau Cloud.

  6. Return to the Edit Configuration page in Tableau Cloud, and in step 2, upload the metadata file that you downloaded from the IdP.

  7. Scroll down the page and click the Save and Continue button.

See also

Access Sites from Connected Clients
