Troubleshoot SAML

This topic provides information about resolving issues that can occur when you configure SAML authentication.

Required assertions and metadata do not map correctly

Most issues occur because metadata that you import from the IdP, or assertion names that you enter, do not match the corresponding IdP attributes. To troubleshoot SAML issues, start by making sure that the information shown in steps 1–5 (Tableau Cloud) or steps 1–4 (TCM) of the Authentication page matches the IdP’s SAML configuration settings.

Tableau Cloud or TCM requires the IdP assertion that contains the username. In addition to checking steps 2–5 in Tableau Cloud or steps 2–4 in TCM, make sure that users' usernames match between Tableau Cloud and the IdP.
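
An added example (not from Tableau's documentation or product code): a Python check that lists the attributes in a decoded SAML assertion and compares them with the assertion names entered on the Authentication page and with the site's usernames. The sample assertion, the `mapping` field labels, and the function names are constructed for illustration; the exact-match comparison is an assumption chosen so that case and whitespace differences are reported.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a decoded assertion as an IdP might send it (not real data).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jsmith@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>JSmith@example.com </saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jo</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from a decoded SAML assertion or response."""
    # SAML XML never needs a DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not expected in SAML XML")
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        values = [(v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_mapping(xml_text, mapping, site_usernames):
    """Compare configured assertion names (assumed labels) with what the IdP sent."""
    attrs = assertion_attributes(xml_text)
    findings = []
    for field, name in mapping.items():
        if name in attrs:
            continue
        near = [a for a in attrs if a.lower() == name.lower()]
        hint = " (IdP sends %r, which differs only in case)" % near[0] if near else ""
        findings.append("%s: assertion %r not in IdP response%s" % (field, name, hint))
    known = {u.lower() for u in site_usernames}
    for value in attrs.get(mapping.get("username", ""), []):
        if value in site_usernames:
            continue
        if value.strip().lower() in known:
            findings.append("username %r differs from a site user only by case or whitespace" % value)
        else:
            findings.append("username %r has no matching site user" % value)
    return findings
```

Run `check_mapping` on an assertion captured from your own IdP test sign-in; an empty list means every configured assertion name was present and the username value matched a site user exactly.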

Identity provider does not display sign-in page

After a user provides their username on the Tableau Cloud or TCM sign-in page, Tableau redirects the request to the identity provider (IdP), but the IdP does not return its SAML sign-in page. The IdP can fail to return the sign-in page for any of the following reasons:

  • SSO service URL is not valid.

    When you import the IdP metadata, make sure the SSO Service URL field shows the correct URL.

  • The IdP does not recognize the authentication request received.

    For example, the Tableau Cloud or TCM entity ID might be incorrect. This can occur if SAML configuration settings on the Authentication page have become corrupted or inadvertently changed.

To resolve the issue, repeat Steps 1–2 of the SAML configuration:

  1. Sign in to your IdP account and export the IdP metadata.

  2. Do one of the following:

    • Sign in to Tableau Cloud and go to the Settings > Authentication page. Next to the authentication configuration, click the Actions menu and select Edit. On the Edit Configuration page, in step 2, re-import and upload the metadata.

    • Sign in to TCM and go to the Settings > Authentication page. Under the SAML authentication type, click the Configuration (required) drop-down arrow. In step 2, re-import and upload the metadata.

Nothing happens after IdP sign-in

If a user provides incorrect credentials on the IdP’s sign-in page, or if the user is not authorized to use SAML, some IdPs will not return control to Tableau when authentication fails.

In Tableau Cloud, on the Users page, you can see whether a user is authorized for SAML authentication.

Full Name field shows users’ email addresses

For a SAML site, the Full Name field is populated with the email address if the assertions for first and last name or full name are not provided in step 3 (Map attributes) of the SAML settings on the Authentication page.

Unable to authenticate users when using single sign-on

SAML authentication takes place outside Tableau, so troubleshooting authentication issues can be difficult. However, login attempts are logged by Tableau Cloud. You can create a snapshot of log files and use them to troubleshoot problems.

If a user is having trouble being authenticated on Tableau Cloud, you should examine the log file to ensure that username attribute values returned by the IdP match the usernames of users.

To download the log file:

  1. Sign in to Tableau Cloud or TCM.
  2. Go to Settings > Authentication page, and do one of the following:

    • In Tableau Cloud, next to the authentication configuration, click the Actions menu and select Edit. Under step 7 (Test configuration), under Troubleshoot SAML, click the Download Log button.

    • In TCM, under the SAML authentication type, click the Configuration (required) drop-down arrow. Under step 6 (Test configuration), under Troubleshoot SAML, click the Download Log button.

Signing in through command line utilities

SAML is not used for authentication when you sign in to Tableau Cloud using tabcmd, even if Tableau Cloud is configured to use SAML. This tool requires personal access tokens.