Salesforce Authentication

If your organization uses Salesforce, you can enable Tableau Online to use Salesforce accounts for single sign-on (SSO) with OpenID Connect. As of Spring 2021, Tableau Online supports Salesforce authentication as a new authentication type. When you enable Salesforce authentication, users are directed to the Salesforce sign-in page to enter their credentials, which are stored and managed by Salesforce. This configuration also supports scenarios where Salesforce federates authentication with another IdP.

Username requirement

The username that is used within your Salesforce Org must match the username field in Tableau Online. Both of these usernames are in email format, though they may not be used as email addresses. Verify that these attributes match. If they do not, configure the Salesforce authentication type, and then see the Mismatched usernames section below.

Change and configure authentication type

If your organization already uses Salesforce, then setting the authentication type to Salesforce in Tableau Online is a three-step process:

  1. Install the Tableau Online connected app package in Salesforce. To allow users to sign in to Tableau Online from your organization, manage access to your connected app by assigning the appropriate profiles or permission sets. Additionally, set the connected app to Admin pre-approved. See Manage Other Access Settings for a Connected App.

  2. Change to Salesforce authentication in Tableau Online:

    • Sign in to your Tableau Online site as a site administrator, and select Settings > Authentication.
    • On the Authentication tab, select Enable an additional authentication method, and then select Salesforce.
    • If you have configured your Salesforce organization to use a custom domain for user sign-in, then you will need to configure Tableau Online to redirect users to the sign-in page. Click Edit My Domain... to enter your Salesforce My Domain. Tableau Online will verify the domain and then add it as a sign-in URL.
  3. Add new users (or update any previous users) to use Salesforce as their configured authentication type.

Troubleshooting

Mismatched usernames

If existing users in Tableau Online are using usernames that do not match their corresponding usernames in Salesforce, follow this procedure:

  1. Change the existing Tableau Online user to an Unlicensed site role to prevent license consumption.
  2. Add the new Tableau Online user for Salesforce authentication, ensuring the username matches the username in your Salesforce organization.
  3. If necessary, migrate previous content owned by the old username in Tableau Online to the new user.

Unsuccessful login with OAUTH_APP_BLOCKED in return URL

This issue is surfaced when a user who is configured with Salesforce authentication attempts to sign in and is not redirected. Tableau Online will display a message:

The sign-in was unsuccessful. Try again.

If you continue to get this message, capture the status information below, and send it to Customer Support.

Additionally, the return URL in the user's browser includes the following string:

/public/oidc/login?error=OAUTH_APP_BLOCKED&error_description=this+app+is+blocked+by+admin&state=...

This indicates that the connected application within Salesforce is being blocked by your organization. Some security-conscious Salesforce customers block all connected applications and implement API allowlist functionality that prevents the connected application from working.

To fix this, ensure that the Tableau Online - Salesforce User Login via OIDC connected application is installed and has the appropriate user profiles and permission sets applied.
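
A small triage helper for the return URL described above, as an added example that is not part of the Tableau documentation. The function name, the sample URL and its `state` value are constructed for illustration; only the `OAUTH_APP_BLOCKED` code and its remediation come from this page.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Remediation text summarized from this page; no other error codes are documented here.
KNOWN_ERRORS = {
    "OAUTH_APP_BLOCKED": (
        "Connected app is blocked in Salesforce: confirm it is installed and "
        "that the user's profile or permission set is assigned to it."
    ),
}

# Constructed sample: the page's return-URL string with a made-up state value.
SAMPLE_URL = (
    "/public/oidc/login?error=OAUTH_APP_BLOCKED"
    "&error_description=this+app+is+blocked+by+admin&state=abc123"
)


def triage_return_url(url):
    """Summarize the OIDC error in a return URL and mask `state` for sharing."""
    parts = urlsplit(url)  # works for both absolute and path-only URLs
    params = parse_qs(parts.query, keep_blank_values=True)
    error = params.get("error", [None])[0]
    description = params.get("error_description", [None])[0]  # '+' becomes a space

    if error is None:
        hint = "No error parameter in the return URL."
    else:
        hint = KNOWN_ERRORS.get(error, "No documented remediation for this code.")

    # `state` is the opaque value binding the response to one sign-in attempt;
    # mask it before the URL goes into a ticket or chat.
    masked = {k: (["REDACTED"] if k == "state" else v) for k, v in params.items()}
    return {
        "path": parts.path,
        "error": error,
        "description": description,
        "hint": hint,
        "shareable_url": parts.path + "?" + urlencode(masked, doseq=True),
    }


if __name__ == "__main__":
    for key, value in triage_return_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```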
For more information, see:
