---
title: Configuring SAML SSO with Tableau and PingOne
description: Learn how to enable Tableau SSO in PingOne (IdP and SP-initiated).
component: configuration_guides
page_id: configuration_guides:tableau:config_saml_tableau_p1
canonical_url: https://docs.pingidentity.com/configuration_guides/tableau/config_saml_tableau_p1.html
revdate: May 15, 2024
section_ids:
  before-you-begin: Before you begin
  export-the-metadata-from-tableau: Export the metadata from Tableau
  create-the-tableau-sp-connection: Create the Tableau SP connection
  import-the-metadata-in-tableau: Import the metadata in Tableau
  test-the-idp-initiated-sso-integration: Test the IdP-initiated SSO integration
  test-the-sp-initiated-sso-integration: Test the SP-initiated SSO integration
---

# Configuring SAML SSO with Tableau and PingOne

Learn how to enable Tableau SSO in PingOne (IdP and SP-initiated).

## Before you begin

* Configure PingOne to authenticate against an identity repository containing the users requiring application access.

* An Email Attribute is required in the assertion, either the SAML Subject or another SAML attribute per the SAML configuration. The value of the Email Attribute must be a valid email address. This attribute is used to uniquely identify the user in the organization.

## Export the metadata from Tableau

1. Sign on to Tableau with an administration account.

2. Go to **Settings → Authentication**.

3. Select the **Enable an additional authentication method** check box.

4. Select the SAML authentication method.

5. Expand the **Edit Connection** section.

6. Click **Export Metadata**.

   ![Screen capture of Tableau Authentication types page.](_images/lrk1640220985403.png)

## Create the Tableau SP connection

1. In the PingOne admin portal, go to **Connections → Applications**.

2. Create an SP connection for Tableau by selecting **Add application**.

3. When you're prompted to select an application type, select **WEB APP** and then click **Configure** next to **SAML** for the chosen connection type.

4. Enter a unique name for the application.

5. Import the Tableau metadata.

6. Select the signing certificate.

7. Confirm that the **EntityID** and endpoints are correct.

8. Enter a suitable value for **Assertion Validity Duration (in seconds)**. A value of 300 seconds is typical.

9. Click **Save and Continue**.

10. Define the Tableau assertion requirements.

    ![Screen capture of Tableau application attribute mapping.](_images/pcc1640222397705.png)

11. Click the toggle to enable the application.

12. On the **Configuration** tab for the Tableau application, on the **Download Metadata** line, click **Download**.

    ![Screen capture of Tableau Configuration tab with download metadata button.](_images/cva1640222494748.png)

## Import the metadata in Tableau

1. Upload the PingOne metadata file and click **Apply**.

2. Confirm that the IdP, entityID, and SSO service URL are correct.

3. Test the connection.

4. Match the Tableau attributes to the assertion attributes and click **Apply**.

   ![Screen capture of Tableau Online Attribute page with Email and Display Name attributes shown.](_images/eej1640221622163.png)

## Test the IdP-initiated SSO integration

1. Go to the PingOne Application Portal and sign on with a user account.

   |   |                                                                                                                    |
   | - | ------------------------------------------------------------------------------------------------------------------ |
   |   | In the Admin console, go to **Dashboard → Environment Properties** to find the **PingOne Application Portal URL**. |

2. Click the Tableau icon.

   You're redirected to the Tableau website and logged in with SSO.

## Test the SP-initiated SSO integration

1. Go to the Tableau sign on page and enter the email address that will redirect to PingOne.

2. In the PingOne sign-on prompt, enter your PingOne username and password.

   You're redirected back to Tableau and signed on with SSO.