Applications (as IdP)
Integration Guides
Tableau

Tableau Cloud SSO with MojoAuth

Connect Tableau Cloud to MojoAuth as your SAML 2.0 Identity Provider (IdP) so users sign in to their Tableau site with MojoAuth instead of a Tableau username/password. Tableau acts as the Service Provider (SP). The same configuration applies to Tableau Server, with SAML managed by a server administrator instead of a site administrator.

How it works

  • SP-initiated: user starts at the Tableau Cloud sign-in page for the site.
  • IdP-initiated: user starts from a MojoAuth launcher (or the Test SSO button) and lands directly in the Tableau site.
  • Tableau does not create users from the assertion — the user must already exist on the Tableau site (or server), and Tableau matches the incoming assertion to that user by username.

Prerequisites

  • A MojoAuth project (test or live) with Developers access to create Applications.
  • Tableau Cloud Site Administrator access (or Server Administrator for Tableau Server).
  • SAML is configured per site on Tableau Cloud (a multi-site pod requires separate SAML setup per site, unless you use server-wide SAML on Tableau Server). If you manage multiple sites, repeat this guide for each one — or create a separate MojoAuth SAML connection per site.
  • The users you want to sign in via SSO must already be added to the Tableau site with a matching username before their first SSO login.

Step 1 — Create the MojoAuth SAML connection

Create a connection

In the MojoAuth dashboard: Developers → Applications → New Application → SAML 2.0 SSO. Enter a connection name (e.g. Tableau Cloud) and click Create connection. MojoAuth creates a draft connection and auto-issues its signing certificate.

See SAML SSO Connections for the full concept if you haven't created one before.

Copy the IdP values

The connection page shows the IdP values you'll give to Tableau later, in Step 2:

ValueURL
IdP metadata URL (Entity ID){BASE}/saml/{projectId}/sps/{spId}/metadata
IdP SSO URL (SAML endpoint){BASE}/saml/{projectId}/sps/{spId}/sso
IdP SLO URL (logout){BASE}/saml/{projectId}/sps/{spId}/slo
IdP signing certificateDownload .crt button on the connection page

Tableau Cloud accepts the IdP metadata as a file upload or a URL. Uploading the MojoAuth IdP metadata URL directly is the fastest path and avoids manually re-entering the SSO URL and certificate.

Step 2 — Configure Tableau Cloud

Open the SAML settings

Sign in to Tableau Cloud as a Site Administrator and go to Settings → Authentication. Under Enable an additional authentication method, select SAML.

Step 1 of Tableau's SAML setup — copy the SP values

Tableau displays this site's Tableau Cloud entity ID and ACS URL, and offers a download Tableau metadata link. You'll need these values (or the metadata file/URL) in Step 3 below, to give back to MojoAuth:

Tableau gives youTypical value
Tableau Cloud entity IDhttps://sso.online.tableau.com/public/sp/metadata?alias=<pod>-<site-luid> (exact value shown on the page)
ACS URLhttps://sso.online.tableau.com/public/sp/ACS.saml2?alias=<pod>-<site-luid> (exact value shown on the page)
Tableau metadatadownloadable XML containing both of the above

Copy these exactly as shown on your site's Authentication page — the entity ID and ACS URL are unique per Tableau Cloud site and include a site-specific alias.

Step 2 of Tableau's SAML setup — upload the MojoAuth IdP metadata

Still on Settings → Authentication → SAML, upload the MojoAuth IdP metadata:

  • Preferred: point Tableau at the MojoAuth IdP metadata URL ({BASE}/saml/{projectId}/sps/{spId}/metadata) if Tableau's UI accepts a URL for your pod, or
  • Download the metadata XML from the MojoAuth connection page and upload the file in Tableau's metadata upload field.

Uploading the metadata populates Tableau's copy of the IdP SSO URL and signing certificate in one step, so you don't need to paste them by hand.

If Tableau's UI instead asks you to enter fields individually, use:

Tableau fieldValue
IdP Entity ID / Issuerthe MojoAuth IdP metadata URL ({BASE}/saml/{projectId}/sps/{spId}/metadata)
SSO Service URL / IdP login URL{BASE}/saml/{projectId}/sps/{spId}/sso
X.509 Certificateupload the .crt downloaded from the MojoAuth connection page

Step 3 — Give the SP details back to MojoAuth

Back on the MojoAuth connection page, complete the other half of the handshake using the values Tableau showed you in Step 2:

  • Import from metadata — paste the Tableau metadata URL, or upload the metadata XML file you downloaded from Tableau, and MojoAuth fills in the SP Entity ID and ACS URL automatically. or
  • Manual configuration — enter the Tableau Cloud entity ID as the SP Entity ID and the ACS URL, exactly as shown on Tableau's Authentication page, then click Save.
⚠️

Set NameID format on the MojoAuth connection to unspecified or emailAddress — whichever matches how Tableau usernames are formatted on your site (see Step 4). If Tableau usernames are email addresses, emailAddress is the safer choice.

Step 4 — Match assertion attributes

Tableau requires the assertion to carry an attribute that equals the Tableau username for the signing-in user — this is typically the user's email address, since most Tableau Cloud sites use email as the username. Optionally, Tableau can also read a display name and email attribute for provisioning-adjacent display purposes (Tableau does not JIT-provision, but it will use these to keep the user's profile fields current).

Add these attribute mappings on the MojoAuth connection:

saml_namesourcename_format
usernameemailunspecified
emailemailunspecified
displayNamefirstNameunspecified
⚠️

The username attribute must exactly equal the username already configured for that person on the Tableau site (Settings → Users) — not a display name, not a different email alias. Tableau matches the assertion to an existing user by this value; it does not create the user.

If your Tableau usernames are not email addresses (e.g. a corporate ID like jsmith), map username to whichever MojoAuth user field actually contains that value — identifier is a common choice if you store it there — rather than email.

Step 5 — Test

  1. Confirm the target user already exists on the Tableau site under Settings → Users, with a username matching what MojoAuth will send.
  2. SP-initiated: open your Tableau Cloud site's sign-in URL and choose the SAML sign-in option. You should be redirected to MojoAuth's hosted login, then back into Tableau, landing on the site's home page.
  3. IdP-initiated: click Test SSO on the MojoAuth connection page. This posts an unsolicited assertion straight to Tableau's ACS URL and should sign you directly into the Tableau site.
  4. Success looks like: no SAML error page, and the browser lands on the Tableau site as the matched user (check the account menu in the top-right to confirm the correct identity).

Troubleshooting

"Login Error: The user identified in the SAML assertion does not exist" The username attribute in the assertion doesn't match any existing Tableau site user, or the user hasn't been added to the site yet. Add the user under Settings → Users first (or confirm their existing username), and make sure the MojoAuth attribute mapping for username sends that exact value.

Username attribute mismatch (assertion succeeds, but Tableau still won't let the user in) Tableau usernames on your site may not be email addresses. Check an existing user's username under Settings → Users, then update the MojoAuth connection's username attribute mapping to send that same format (e.g. map to identifier instead of email) rather than assuming email.

"Unable to load SAML metadata" / certificate or SSO URL errors after setup The IdP metadata uploaded to Tableau is stale — this happens if MojoAuth's signing certificate rotated after you last uploaded metadata. Re-download the MojoAuth IdP metadata (or the .crt) and re-upload/re-import it under Settings → Authentication → SAML in Tableau.

"Destination and ACS URL mismatch" or SP entity ID error The SP Entity ID or ACS URL entered on the MojoAuth connection doesn't exactly match the values shown on Tableau's Authentication page. These include a site-specific alias and pod, so they can't be reused across sites — re-copy the exact values (or re-import Tableau's metadata) for this specific site.

SSO works but only for some users / new hires can't sign in The user was never added to the Tableau site. Unlike some SPs, Tableau does not JIT-provision users from a SAML assertion — an administrator must add every user to the site (or via Tableau's REST API or SCIM, if configured) before their first SSO sign-in will succeed.

Multi-site Tableau Cloud pod: SSO works on one site but not another SAML is configured per site on Tableau Cloud. If you manage multiple sites, each one needs its own SAML configuration (and typically its own MojoAuth SAML connection, since the ACS URL and entity ID differ per site) — confirm you completed Steps 1–4 for the specific site the user is trying to reach.

Tableau Server: SAML enabled but sign-in redirects fail On Tableau Server, SAML can be configured server-wide or per-site; confirm which mode your deployment uses (tsm configuration) before assuming a single site's SAML settings apply. Server-wide SAML uses one shared entity ID/ACS URL for all sites, while per-site SAML mirrors the Tableau Cloud flow above for each site individually.

Next steps