
How to Map Tableau Server User (non-email account name) to Azure AD User with SAML


Published: 03 Nov 2022
Last Modified Date: 04 Nov 2022

Question

Currently our Tableau Server user account names are in non-email format. We plan to configure the Tableau Server to use SAML with Azure AD, but our Azure AD user account names are in email format.
In this situation, is there a way to map a Tableau Server user account name (non-email) to an Azure AD user account name (email) with SAML, instead of creating new Tableau Server accounts in email format?

Environment

  • Tableau Server
  • SAML (Azure AD)

Answer

It is possible to map a Tableau Server user name (non-email) to an Azure AD user name (email) with SAML.

Note: Before applying the settings below, configure Tableau Server to use SAML with Azure AD by following this Tableau help page:
Configure SAML with Azure AD IdP on Tableau Server
For more details about the related settings on the Azure AD side, see this Microsoft document:
Tutorial: Azure Active Directory single sign-on (SSO) integration with Tableau Server


The following step-by-step example shows how to do this.

1. In Azure AD, store your Tableau Server user name in any unused attribute of your Azure AD user. This example uses user.mailnickname (Mail nickname).
Note: You can choose any attribute of your Azure AD user based on your needs.

2. Select the Single sign-on tab of the Tableau Server app you created, then click Edit in [Attributes & Claims].

3. Click Unique User Identifier (Name ID), change [Name identifier format] to Default, change [Source attribute] to user.mailnickname, then click Save.

4. Click Add new claim, enter any name, such as "tableauid", in [Name], enter "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" in [Namespace], change [Source attribute] to user.mailnickname, then click Save.
Note: The namespace value should be the same as that of the other existing claims. It should be "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" by default.

5. Make sure that [Unique User Identifier (Name ID)] has been changed to user.mailnickname, and the new claim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/tableauid" has been added with value user.mailnickname.


6. In Tableau Server, set wgserver.saml.idpattribute.username to the new value "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/tableauid" with the following TSM commands.
Note: The new value should be the new claim you confirmed in Azure AD at step 5.
tsm configuration set -k wgserver.saml.idpattribute.username -v "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/tableauid"

tsm pending-changes apply

7. Log in to Tableau Server with your Azure AD user name (email) and password. If the settings above are correct, the login will succeed and you will be signed in as your Tableau Server user, as expected.
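
A check to go with step 7, added here as an example (not Tableau or Microsoft code): it reads a SAML response captured during a test login and confirms that the claim from step 5 carries exactly one non-email value that matches the Name ID. The sample response, the user "jsmith" and the function name check_username_mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Claim URI from step 5; must equal wgserver.saml.idpattribute.username (step 6).
USERNAME_CLAIM = CLAIMS + "/tableauid"

# Constructed, unsigned, trimmed sample of a response issued after steps 1-5.
# "jsmith" and "jsmith@example.com" are made-up values.
SAMPLE_RESPONSE = f"""\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}/name">
        <saml:AttributeValue>jsmith@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{USERNAME_CLAIM}">
        <saml:AttributeValue>jsmith</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Inspection aid only: it does not verify the response signature.
def check_username_mapping(response_xml, claim=USERNAME_CLAIM):
    """Return (username, problems) for the claim Tableau Server is told to read."""
    root = ET.fromstring(response_xml)
    name_id = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip()
    values = [
        (v.text or "").strip()
        for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == claim
        for v in a.iterfind("saml:AttributeValue", NS)
    ]
    if len(values) != 1 or not values[0]:
        return None, [f"expected exactly one non-empty value for {claim}, got {values}"]
    problems = []
    if "@" in values[0]:  # assumption from this article: Tableau names are non-email
        problems.append("claim carries an email-style value, not the Tableau user name")
    if name_id != values[0]:  # step 5 sets both to user.mailnickname
        problems.append(f"NameID {name_id!r} differs from claim value {values[0]!r}")
    return values[0], problems


if __name__ == "__main__":
    print(check_username_mapping(SAMPLE_RESPONSE))
```

An empty problem list means the response carries the value Tableau Server will look up as the user name; any entry points back to the Azure AD claim settings in steps 3 to 5.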