Salesforce Authentication
If your organization uses Salesforce, you can enable Tableau Cloud
When you enable Salesforce authentication, users are directed to the Salesforce sign-in page to enter their credentials, which are stored and managed by Salesforce. This configuration also supports scenarios where Salesforce federates authentication with another IdP.
Username requirement
The username that is used within your Salesforce Org must match the username field in Tableau Cloud
Change and configure authentication type
If your organization already uses Salesforce, then setting the authentication type to Salesforce in Tableau Cloud
For Tableau Cloud
In Salesforce, install the Tableau Cloud connected app package. To allow users to sign in to Tableau Cloud from your organization, manage access to your connected app by assigning the appropriate profiles or permission sets. Additionally, set the connected app to Admin pre-approved. For more information, see Manage Other Access Settings for a Connected App.
In Tableau Cloud, change to Salesforce authentication by doing the following:
In Tableau Cloud, sign in as a site admin.
Select Settings > Authentication, click the New Configuration button, and select Salesforce from the Authentication drop-down menu.
Enter a name for the configuration.
Note: Configurations created before November 2024 (Tableau 2024.3) can't be renamed.
- (Optional) If you have configured your Salesforce organization to use a custom domain for user sign-in, then you will need to configure Tableau Cloud to redirect users to the sign-in page. Click Edit My Domain to enter your Salesforce My Domain. Tableau Cloud will verify the domain and then add it as a sign-in URL.
Add new users (or update any previous users) to use Salesforce as their configured authentication type.
To add users, see Add Users to a Site.
To update a user's authentication method, see Set the User Authentication Type.
For TCM
In Salesforce, install the Tableau Cloud connected app package. To allow users to sign in to TCM from your organization, manage access to your connected app by assigning the appropriate profiles or permission sets. Additionally, set the connected app to Admin pre-approved. For more information, see Manage Other Access Settings for a Connected App.
In TCM, change to Salesforce authentication by doing the following:
In TCM, sign in as a cloud admin.
Select Settings > Authentication and select the Enable an additional authentication method check box.
From the Authentication drop-down menu, select Salesforce.
- (Optional) If you have configured your Salesforce organization to use a custom domain for user sign-in, then you will need to configure TCM to redirect users to the sign-in page. Click Edit My Domain to enter your Salesforce My Domain. TCM will verify the domain and then add it as a sign-in URL.
Add new users (or update any previous users) to use Salesforce as their configured authentication type.
To add users, see Manage Users With Tableau Cloud Manager.
To update a user's authentication method, see Set the User Authentication Type.
Troubleshooting
If existing users in Tableau Cloud are using usernames that do not match their corresponding usernames in Salesforce, follow this procedure:
- Change the existing Tableau Cloud user to an Unlicensed site role to prevent license consumption.
- Add the new Tableau Cloud user for Salesforce authentication, ensuring the username matches the username in your Salesforce organization.
- If necessary, migrate previous content owned by the old username in Tableau Cloud to the new user.
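A pre-flight check for the username requirement and the mismatch procedure above, as an added example (not Tableau or Salesforce code). It assumes both username lists have already been exported; the function name `preflight` and the sample usernames are constructed for illustration. Differences in case or surrounding whitespace are reported separately for admin review rather than counted as matches.

```python
from dataclasses import dataclass, field


@dataclass
class PreflightReport:
    ready: list = field(default_factory=list)       # exact match in Salesforce
    near_match: list = field(default_factory=list)  # (tableau_name, [candidates])
    unmatched: list = field(default_factory=list)   # no Salesforce counterpart


def _fold(username: str) -> str:
    # Used only to find candidates, never to declare a match.
    return username.strip().casefold()


def preflight(tableau_usernames, salesforce_usernames) -> PreflightReport:
    """Classify each Tableau Cloud username against the Salesforce usernames."""
    exact = set(salesforce_usernames)
    folded = {}
    for sf_name in salesforce_usernames:
        folded.setdefault(_fold(sf_name), []).append(sf_name)

    report = PreflightReport()
    for name in tableau_usernames:
        if name in exact:
            report.ready.append(name)
        elif _fold(name) in folded:
            # Assumption: differs only by case or surrounding whitespace.
            # Reported for admin review, not counted as a match.
            report.near_match.append((name, folded[_fold(name)]))
        else:
            # Candidate for the Unlicensed / re-add / migrate procedure.
            report.unmatched.append(name)
    return report


# Constructed sample data (not real accounts).
TABLEAU_USERS = ["ana@example.com", "Bo.Lee@example.com",
                 " chris@example.com", "dee@corp.example"]
SALESFORCE_USERS = ["ana@example.com", "bo.lee@example.com",
                    "chris@example.com", "dee@example.com.sfdc"]

if __name__ == "__main__":
    result = preflight(TABLEAU_USERS, SALESFORCE_USERS)
    print("ready:     ", result.ready)
    print("near match:", result.near_match)
    print("unmatched: ", result.unmatched)
```

Users in `unmatched` are the ones to handle before they are switched to Salesforce authentication.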
Unsuccessful login with OAUTH_APP_BLOCKED in return URL
This issue is surfaced when a user who is configured with Salesforce authentication attempts to sign in and is not redirected. Tableau Cloud will display a message:
The sign-in was unsuccessful. Try again.
If you continue to get this message, capture the status information below, and send it to Customer Support.
Additionally, the return URL in the user's browser includes the following string:
/public/oidc/login?error=OAUTH_APP_BLOCKED&error_description=this+app+is+blocked+by+admin&state=...
This indicates that the connected application within Salesforce is being blocked by your organization. Some security-conscious Salesforce customers block all connected applications and implement API allowlist functionality, which prevents the connected application from working.
To fix this, ensure that the Tableau Cloud - Salesforce User Login via OIDC connected application is installed and has the appropriate user profiles and permission sets applied.
For more information, see:
- Manage Access to a Connected App
- Manage Other Access Settings for a Connected App
Can't edit configuration name
Configurations created before November 2024 (Tableau 2024.3) can't be renamed.