If your organization uses Salesforce, you can enable Tableau Cloud to use Salesforce accounts for single sign-on (SSO) with OpenID Connect. As of Spring 2021, Tableau Cloud supports Salesforce authentication as a new authentication type. When you enable Salesforce authentication, users are directed to the Salesforce sign-in page to enter their credentials, which are stored and managed by Salesforce. This scenario also supports scenarios where Salesforce federates authentication with another IdP.

Username requirement

The username that is used within your Salesforce Org must match the username field in Tableau Cloud. Both of these usernames are in email format, though they may not be used as email addresses. Verify that that these attributes match. If the do not, configure the Salesforce authentication type, and then see the section below, Mismatched usernames.

Change and configure authentication type

If your organization already uses Salesforce, then setting the authentication type to Salesforce in Tableau Cloud is a three-step process:

  1. Install the Tableau Cloud connected app package(Link opens in a new window) in Salesforce. To allow users to sign in to Tableau Cloud from your organization, manage access to your connected app by assigning the appropriate profiles or permission sets. Additionally, set the connected app to Admin pre-approved. See Manage Other Access Settings for a Connected App(Link opens in a new window).

  2. Change to Salesforce authentication in Tableau Cloud:

    • Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.
    • On the Authentication tab, select Enable an additional authentication method, and then select Salesforce.
    • If you have configured your Salesforce organization to use a custom domain for user sign in, then you will need to configure Tableau Cloud to redirected users to the sign in page. Click Edit My Domain... to enter your Salesforce My Domain. Tableau Cloud will verify the domain and then add it as a sign-in URL.
  3. Add new users (or update any previous users) to use Salesforce as their configured authentication type.

Troubleshooting

Mismatched usernames

If existing users in Tableau Cloud are using usernames that do not match their corresponding usernames in Salesforce, follow this procedure:

  1. Change the existing Tableau Cloud user to an Unlicensed site role to prevent license consumption.
  2. Add the new Tableau Cloud user for Salesforce authentication, ensuring the username matches the username in your Salesforce organization.
  3. If necessary, migrate previous content owned by the old username in Tableau Cloud to the new user.

Unsuccessful login with OAUTH_APP_BLOCKED in return URL

This issue is surfaced when a user who is configured with Salesforce authentication attempts to sign in and is not redirected. Tableau Cloud will display a message:

The sign-in was unsuccessful. Try again.

If you continue to get this message, capture the status information below, and send it to Customer Support.

Additionally, return URL in the user's browser includes the following string:

/public/oidc/login?error=OAUTH_APP_BLOCKED&error_description=this+app+is+blocked+by+admin&state=...

This indicates that the connected application within Salesforce is being blocked by your organization. Some security conscious Salesforce customers block all connected applications and implement API allowlist functionality that will prevent the connected application from working.

To fix this, ensure that the Tableau Cloud - Salesforce User Login via OIDC(Link opens in a new window) connected application is installed and has the appropriate user profiles and permission sets applied.
For more information, see:

Thanks for your feedback!