Configuration Guides

Configuring SAML SSO with Tableau and PingOne

Learn how to enable Tableau SSO in PingOne (IdP and SP-initiated).

Before you begin

  • Configure PingOne to authenticate against an identity repository containing the users requiring application access.

  • An Email Attribute is required in the assertion, either the SAML Subject or another SAML attribute per the SAML configuration. The value of the Email Attribute must be a valid email address. This attribute is used to uniquely identify the user in the organization.

Export the metadata from Tableau

  1. Sign on to Tableau with an administration account.

  2. Go to Settings → Authentication.

  3. Select the Enable an additional authentication method check box.

  4. Select the SAML authentication method.

  5. Expand the Edit Connection section.

  6. Click Export Metadata.

    Screen capture of Tableau Authentication types page.

Create the Tableau SP connection

  1. In the PingOne admin portal, go to Connections → Applications.

  2. Create an SP connection for Tableau by selecting Add application.

  3. When you’re prompted to select an application type, select WEB APP and then click Configure next to SAML for the chosen connection type.

  4. Enter a unique name for the application.

  5. Import the Tableau metadata.

  6. Select the signing certificate.

  7. Confirm that the EntityID and endpoints are correct.

  8. Enter a suitable value for Assertion Validity Duration (in seconds). A value of 300 seconds is typical.

  9. Click Save and Continue.

  10. Define the Tableau assertion requirements.

    Screen capture of Tableau application attribute mapping.

  11. Click the toggle to enable the application.

  12. On the Configuration tab for the Tableau application, on the Download Metadata line, click Download.

    Screen capture of Tableau Configuration tab with download metadata button.

Import the metadata in Tableau

  1. Upload the PingOne metadata file and click Apply.

  2. Confirm that the IdP, entityID, and SSO service URL are correct.

  3. Test the connection.

  4. Match the Tableau attributes to the assertion attributes and click Apply.

    Screen capture of Tableau Online Attribute page with Email and Display Name attributes shown.

Test the IdP-initiated SSO integration

  1. Go to the PingOne Application Portal and sign on with a user account.

    In the Admin console, go to Dashboard → Environment Properties to find the PingOne Application Portal URL.

  2. Click the Tableau icon.

    You’re redirected to the Tableau website and logged in with SSO.

Test the SP-initiated SSO integration

  1. Go to the Tableau sign on page and enter the email address that will redirect to PingOne.

  2. In the PingOne sign-on prompt, enter your PingOne username and password.

    You’re redirected back to Tableau and signed on with SSO.