This topic provides information about resolving issues that can occur when you configure SAML authentication.
Required assertions and metadata do not map correctly
Most issues occur because metadata that you import from the IdP, or assertion names that you enter, do not match the corresponding IdP attributes. To troubleshoot SAML issues, start by making sure the information shown in Steps 1–5 of the Authentication page matches the IdP’s SAML configuration settings.
Tableau Online requires the IdP assertion that contains user email address. In addition to checking Steps 1–5, make sure that users' email addresses match between Tableau Online and the IdP.
Identity provider does not display sign-in page
A user provides his or her user name on the Tableau Online sign-in page, Tableau Online redirects the request to the identity provider (IdP), but the IdP does not return its SAML sign-in page. The IdP can fail to return the sign-in page for any of the following reasons:
SSO service URL is not valid.
When you import the IdP metadata, make sure the SSO Service URL field shows the correct URL.
The IdP does not recognize the authentication request received.
For example, the Tableau Online entity ID may be incorrect. This can occur if SAML configuration settings on the Authentication page have become corrupted or inadvertently changed.
To resolve the issue, repeat Steps 3–4 of the SAML configuration:
- Sign in to your IdP account and export the IdP metadata
- Sign in to Tableau Online, display the Authentication page, and in Step 4, re-import the metadata.
Nothing happens after IdP sign-in
If a user provides incorrect credentials on the IdP’s sign-in page, or if the user is not authorized to use SAML, some IdPs will not return control to Tableau Online when authentication fails.
In Tableau Online, on the Users page, you can see whether a user is authorized for SAML authentication.
Full Name field shows users’ email addresses
For a SAML site, the Full Name field is populated with the email address if the assertions for first and last name or full name are not provided in Step 5 of the Authentication page.
Unable to authenticate users when using single sign-on
SAML authentication takes place outside Tableau Online, so troubleshooting authentication issues can be difficult. However, login attempts are logged by Tableau Online. You can create a snapshot of log files and use them to troubleshoot problems.
If a user is having trouble being authenticated on Tableau Online, you should examine the log file to ensure that email attribute values returned by the IdP match the email addresses of users.
To download the log file:
- Sign in to Tableau Online.
- Display the Authentication page, and then under Step 7, click Download log file.
Signing In through Command Line Utilities
SAML is not used for authentication when you sign in to Tableau Online using tabcmd or the Tableau Data Extract command line utility(Link opens in a new window) (provided with Tableau Desktop), even if Tableau Online is configured to use SAML. These tools require TableauID authentication configured when Tableau Online was originally provisioned.