Tableau Cloud SSO with MojoAuth
Connect Tableau Cloud to MojoAuth as your SAML 2.0 Identity Provider (IdP) so users sign in to their Tableau site with MojoAuth instead of a Tableau username/password. Tableau acts as the Service Provider (SP). The same configuration applies to Tableau Server, with SAML managed by a server administrator instead of a site administrator.
How it works
- SP-initiated: user starts at the Tableau Cloud sign-in page for the site.
- IdP-initiated: user starts from a MojoAuth launcher (or the Test SSO button) and lands directly in the Tableau site.
- Tableau does not create users from the assertion — the user must already exist on the Tableau site (or server), and Tableau matches the incoming assertion to that user by username.
Prerequisites
- A MojoAuth project (test or live) with Developers access to create Applications.
- Tableau Cloud Site Administrator access (or Server Administrator for Tableau Server).
- SAML is configured per site on Tableau Cloud (a multi-site pod requires separate SAML setup per site, unless you use server-wide SAML on Tableau Server). If you manage multiple sites, repeat this guide for each one — or create a separate MojoAuth SAML connection per site.
- The users you want to sign in via SSO must already be added to the Tableau site with a matching username before their first SSO login.
Step 1 — Create the MojoAuth SAML connection
Create a connection
In the MojoAuth dashboard: Developers → Applications → New Application → SAML 2.0 SSO. Enter a connection name (e.g. Tableau Cloud) and click Create connection. MojoAuth creates a draft connection and auto-issues its signing certificate.
See SAML SSO Connections for the full concept if you haven't created one before.
Copy the IdP values
The connection page shows the IdP values you'll give to Tableau later, in Step 2:
| Value | URL |
|---|---|
| IdP metadata URL (Entity ID) | {BASE}/saml/{projectId}/sps/{spId}/metadata |
| IdP SSO URL (SAML endpoint) | {BASE}/saml/{projectId}/sps/{spId}/sso |
| IdP SLO URL (logout) | {BASE}/saml/{projectId}/sps/{spId}/slo |
| IdP signing certificate | Download .crt button on the connection page |
Tableau Cloud accepts the IdP metadata as a file upload or a URL. Uploading the MojoAuth IdP metadata URL directly is the fastest path and avoids manually re-entering the SSO URL and certificate.
Step 2 — Configure Tableau Cloud
Open the SAML settings
Sign in to Tableau Cloud as a Site Administrator and go to Settings → Authentication. Under Enable an additional authentication method, select SAML.
Step 1 of Tableau's SAML setup — copy the SP values
Tableau displays this site's Tableau Cloud entity ID and ACS URL, and offers a download Tableau metadata link. You'll need these values (or the metadata file/URL) in Step 3 below, to give back to MojoAuth:
| Tableau gives you | Typical value |
|---|---|
| Tableau Cloud entity ID | https://sso.online.tableau.com/public/sp/metadata?alias=<pod>-<site-luid> (exact value shown on the page) |
| ACS URL | https://sso.online.tableau.com/public/sp/ACS.saml2?alias=<pod>-<site-luid> (exact value shown on the page) |
| Tableau metadata | downloadable XML containing both of the above |
Copy these exactly as shown on your site's Authentication page — the entity ID and ACS URL are unique per Tableau Cloud site and include a site-specific alias.
Step 2 of Tableau's SAML setup — upload the MojoAuth IdP metadata
Still on Settings → Authentication → SAML, upload the MojoAuth IdP metadata:
- Preferred: point Tableau at the MojoAuth IdP metadata URL
(
{BASE}/saml/{projectId}/sps/{spId}/metadata) if Tableau's UI accepts a URL for your pod, or - Download the metadata XML from the MojoAuth connection page and upload the file in Tableau's metadata upload field.
Uploading the metadata populates Tableau's copy of the IdP SSO URL and signing certificate in one step, so you don't need to paste them by hand.
If Tableau's UI instead asks you to enter fields individually, use:
| Tableau field | Value |
|---|---|
| IdP Entity ID / Issuer | the MojoAuth IdP metadata URL ({BASE}/saml/{projectId}/sps/{spId}/metadata) |
| SSO Service URL / IdP login URL | {BASE}/saml/{projectId}/sps/{spId}/sso |
| X.509 Certificate | upload the .crt downloaded from the MojoAuth connection page |
Step 3 — Give the SP details back to MojoAuth
Back on the MojoAuth connection page, complete the other half of the handshake using the values Tableau showed you in Step 2:
- Import from metadata — paste the Tableau metadata URL, or upload the metadata XML file you downloaded from Tableau, and MojoAuth fills in the SP Entity ID and ACS URL automatically. or
- Manual configuration — enter the Tableau Cloud entity ID as the SP Entity ID and the ACS URL, exactly as shown on Tableau's Authentication page, then click Save.
Set NameID format on the MojoAuth connection to unspecified or emailAddress — whichever
matches how Tableau usernames are formatted on your site (see Step 4). If Tableau usernames are
email addresses, emailAddress is the safer choice.
Step 4 — Match assertion attributes
Tableau requires the assertion to carry an attribute that equals the Tableau username for the signing-in user — this is typically the user's email address, since most Tableau Cloud sites use email as the username. Optionally, Tableau can also read a display name and email attribute for provisioning-adjacent display purposes (Tableau does not JIT-provision, but it will use these to keep the user's profile fields current).
Add these attribute mappings on the MojoAuth connection:
saml_name | source | name_format |
|---|---|---|
username | email | unspecified |
email | email | unspecified |
displayName | firstName | unspecified |
The username attribute must exactly equal the username already configured for that person
on the Tableau site (Settings → Users) — not a display name, not a different email alias.
Tableau matches the assertion to an existing user by this value; it does not create the user.
If your Tableau usernames are not email addresses (e.g. a corporate ID like jsmith), map
username to whichever MojoAuth user field actually contains that value — identifier is a
common choice if you store it there — rather than email.
Step 5 — Test
- Confirm the target user already exists on the Tableau site under Settings → Users, with a username matching what MojoAuth will send.
- SP-initiated: open your Tableau Cloud site's sign-in URL and choose the SAML sign-in option. You should be redirected to MojoAuth's hosted login, then back into Tableau, landing on the site's home page.
- IdP-initiated: click Test SSO on the MojoAuth connection page. This posts an unsolicited assertion straight to Tableau's ACS URL and should sign you directly into the Tableau site.
- Success looks like: no SAML error page, and the browser lands on the Tableau site as the matched user (check the account menu in the top-right to confirm the correct identity).
Troubleshooting
"Login Error: The user identified in the SAML assertion does not exist"
The username attribute in the assertion doesn't match any existing Tableau site user, or the user
hasn't been added to the site yet. Add the user under Settings → Users first (or confirm their
existing username), and make sure the MojoAuth attribute mapping for username sends that exact
value.
Username attribute mismatch (assertion succeeds, but Tableau still won't let the user in)
Tableau usernames on your site may not be email addresses. Check an existing user's username under
Settings → Users, then update the MojoAuth connection's username attribute mapping to send
that same format (e.g. map to identifier instead of email) rather than assuming email.
"Unable to load SAML metadata" / certificate or SSO URL errors after setup
The IdP metadata uploaded to Tableau is stale — this happens if MojoAuth's signing certificate
rotated after you last uploaded metadata. Re-download the MojoAuth IdP metadata (or the .crt) and
re-upload/re-import it under Settings → Authentication → SAML in Tableau.
"Destination and ACS URL mismatch" or SP entity ID error The SP Entity ID or ACS URL entered on the MojoAuth connection doesn't exactly match the values shown on Tableau's Authentication page. These include a site-specific alias and pod, so they can't be reused across sites — re-copy the exact values (or re-import Tableau's metadata) for this specific site.
SSO works but only for some users / new hires can't sign in The user was never added to the Tableau site. Unlike some SPs, Tableau does not JIT-provision users from a SAML assertion — an administrator must add every user to the site (or via Tableau's REST API or SCIM, if configured) before their first SSO sign-in will succeed.
Multi-site Tableau Cloud pod: SSO works on one site but not another SAML is configured per site on Tableau Cloud. If you manage multiple sites, each one needs its own SAML configuration (and typically its own MojoAuth SAML connection, since the ACS URL and entity ID differ per site) — confirm you completed Steps 1–4 for the specific site the user is trying to reach.
Tableau Server: SAML enabled but sign-in redirects fail
On Tableau Server, SAML can be configured server-wide or per-site; confirm which mode your
deployment uses (tsm configuration) before assuming a single site's SAML settings apply. Server-wide
SAML uses one shared entity ID/ACS URL for all sites, while per-site SAML mirrors the Tableau Cloud
flow above for each site individually.
Next steps
- SAML SSO Connections — connection concepts, attribute mapping, NameID formats, signing options.
- Managing Applications — edit, disable, or delete this connection.
- Integration Guides overview — more provider guides.