Enable SAML Authentication on a Site

This topic explains how to enable SAML on the site and select single sign-on users. It also provides steps for switching from SAML to the default Tableau (also known as TableauID) authentication. Before you enable SAML, we recommend that you review the SAML Requirements for Tableau Cloud, including Effects of changing authentication type on Tableau Bridge.

This topic assumes you are familiar with the information in Authentication and How SAML Authentication Works.

IdP-specific configuration information

The sections later in this topic provide basic steps that you can use alongside your IdP’s documentation to configure SAML for your Tableau Cloud site. You can get IdP-specific configuration steps for the following IdPs:

Enable SAML

  1. Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.

  2. On the Authentication tab, click the New Configuration button, select SAML from the Authentication drop-down, and then enter a name for the configuration.

    Note: Configurations created before November 2024 (Tableau 2024.3) can't be renamed.

SAML configuration steps

This section takes you through the configuration steps that appear on the Authentication tab in the Tableau Cloud Settings page.

Note: To complete this process, you will also need the documentation your IdP provides. Look for topics that refer to configuring or defining a service provider for a SAML connection, or adding an application.

Step 1: Export metadata from IdP
Step 2: Upload metadata to Tableau
Step 3: Map attributes
Step 4: Choose default for embedded views
Step 5: Get Tableau Cloud metadata
Step 6: Configure IdP
Step 7: Test configuration and troubleshoot SAML
Manage users
Default authentication type for embedded views

Use Tableau authentication

If a site is configured for SAML, you can change the site settings to require some or all users to sign in using Tableau credentials.

  • If you no longer want an identity provider to handle authentication for a site, or you want to require all users to sign in with their Tableau credentials, you can change the authentication type at the site level. See the Change the site’s authentication type section below.

  • If you want to keep SAML enabled for some users, but require others to use Tableau, you can change authentication type at the user level.

    For more information, see Set the User Authentication Type.

Change the site’s authentication type

Beginning in November 2024 (Tableau 2024.3), you can enable multiple authentication types and methods on a site. To change which authentication types are available on the site, enable or disable the authentication configurations.

  1. Sign in to the Tableau Cloud site as a site administrator.

  2. Select Settings > Authentication.

  3. Disable or enable authentication configurations for the site by clicking the Actions menu and selecting Disable or Enable.

After you make the SAML configuration inactive, the metadata and IdP information are preserved so that if you want to enable it again, you do not need to set up the SAML connection with the IdP again.

Update SAML certificate

The certificate used for Tableau site metadata is provided by Tableau and is not configurable. To update the certificate for SAML, you must upload a new certificate to your IdP and re-exchange the metadata with Tableau Cloud.

  1. Sign in to the site as a site administrator, and select Settings > Authentication.

  2. Under Authentication types, go to the SAML configuration you want to update, click the Actions menu, and select Edit.

  3. Open a new tab or window, and sign in to your IdP account.

  4. Use the instructions provided by the IdP’s documentation to upload a new SAML certificate.

  5. Download the new XML metadata file to provide to Tableau Cloud.

  6. Return to the Edit Configuration page in Tableau Cloud, and in step 2, upload the metadata file that you downloaded from the IdP.

  7. Scroll down the page and click the Save and Continue button.

See also

Access Sites from Connected Clients