Troubleshoot SAML
This topic provides information about resolving issues that can occur when you configure SAML authentication.
Required assertions and metadata do not map correctly
Most issues occur because metadata that you import from the IdP, or assertion names that you enter, do not match the corresponding IdP attributes. To troubleshoot SAML issues, start by making sure the information shown in Steps 1–5 of the Authentication page matches the IdP’s SAML configuration settings.
Tableau Cloud requires the IdP assertion that contains the username. In addition to checking steps 2-5, make sure that users' usernames match between Tableau Cloud and the IdP.
Identity provider does not display sign-in page
A user enters a username on the Tableau Cloud sign-in page and Tableau Cloud redirects the request to the identity provider (IdP), but the IdP does not return its SAML sign-in page. The IdP can fail to return the sign-in page for any of the following reasons:
- SSO service URL is not valid.
  When you import the IdP metadata, make sure the SSO Service URL field shows the correct URL.
- The IdP does not recognize the authentication request received.
  For example, the Tableau Cloud entity ID may be incorrect. This can occur if SAML configuration settings on the Authentication page have become corrupted or inadvertently changed.
To resolve the issue, repeat Steps 1–2 of the SAML configuration:
- Sign in to your IdP account and export the IdP metadata.
- Sign in to Tableau Cloud and go to the Settings > Authentication page. Next to the authentication configuration, click the Actions menu and select Edit.
- On the Edit Configuration page, in step 2, re-import and upload the metadata.
Nothing happens after IdP sign-in
If a user provides incorrect credentials on the IdP’s sign-in page, or if the user is not authorized to use SAML, some IdPs will not return control to Tableau Cloud when authentication fails.
In Tableau Cloud, on the Users page, you can see whether a user is authorized for SAML authentication.
Full Name field shows users’ email addresses
For a SAML site, the Full Name field is populated with the email address if the assertions for first and last name or full name are not provided in step 3, Map attributes, of the SAML settings on the Authentication page.
Unable to authenticate users when using single sign-on
SAML authentication takes place outside Tableau Cloud, so troubleshooting authentication issues can be difficult. However, login attempts are logged by Tableau Cloud. You can create a snapshot of log files and use them to troubleshoot problems.
If a user is having trouble being authenticated on Tableau Cloud, you should examine the log file to ensure that username attribute values returned by the IdP match the usernames of users.
To download the log file:
- Sign in to Tableau Cloud.
- Go to the Settings > Authentication page. Next to the authentication configuration, click the Actions menu and select Edit. Under step 7, Test configuration, under Troubleshoot SAML, click the Download Log button.
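The attribute-name and username comparison described above can also be scripted against a decoded SAML assertion from your IdP. This is an added example, not Tableau code and not a parser for the Tableau Cloud log file (whose format this page does not describe); the sample assertion, the `MAPPED_NAMES` and `SITE_USERNAMES` values, and the exact-match comparison are constructed assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (not real IdP output); signature omitted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>Alice@Example.com </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""
# Assumed values: assertion names entered in the SAML settings, and site usernames.
MAPPED_NAMES = {"username": "email", "first name": "firstName", "last name": "lastName"}
SITE_USERNAMES = {"alice@example.com"}

def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from a decoded SAML 2.0 assertion.
    Diagnostic only: the signature is not verified here."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def diagnose(xml_text, mapped_names, site_usernames):
    """List mismatches between the assertion and the configured names/usernames."""
    attrs, findings = assertion_attributes(xml_text), []
    folded = {u.strip().lower() for u in site_usernames}
    for field, name in mapped_names.items():
        values = attrs.get(name)
        if values is None:
            near = [n for n in attrs if n and n.lower() == name.lower()]
            hint = f" (IdP sends {near[0]!r})" if near else ""
            findings.append(f"{field}: no attribute named {name!r}{hint}")
            values = attrs[near[0]] if near else []
        for value in values if field == "username" else []:
            if value in site_usernames:
                continue
            close = value.strip().lower() in folded
            why = "differs from a site user only by case or whitespace" if close else "matches no site user"
            findings.append(f"username: {value!r} {why}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_ASSERTION, MAPPED_NAMES, SITE_USERNAMES)))
```

An empty result means every mapped assertion name is present and every username value matches a site user exactly.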
Signing in through command line utilities
SAML is not used for authentication when you sign in to Tableau Cloud using tabcmd or the Tableau Data Extract command line utility (provided with Tableau Desktop), even if Tableau Cloud is configured to use SAML. These tools require Tableau authentication (also known as TableauID) configured when Tableau Cloud was originally provisioned.