Issue
The SAML login fails with the following error after upgrading Tableau Server to the affected versions:
User account not found.
For help, contact your Tableau Server administrator.
Perform the following steps to make Tableau Server ignore the user domain when matching users. The flag set in Step 3 is only available starting with the upgraded versions listed in Step 1. Please see the Additional Information section of this article to understand whether this solution is the correct one for your organization.
1. Upgrade to Tableau Server 2021.4.21+, 2022.1.17+, 2022.3.9+, or 2023.1.5 and higher versions if your version is one of the affected versions.
Beginning in Tableau Server versions 2021.4.21, 2022.1.17, 2022.3.9, and 2023.1.5, you can configure Tableau Server to ignore the domain portion of the username attribute when matching the identity provider (IdP) user name to a user account on Tableau Server. For example, the username attribute in the IdP might be alice@example.com to match a user named alice in Tableau Server. Ignoring the domain portion of the username attribute might be useful if you already have users defined in Tableau Server that match the prefix portion of the username attribute but not the domain portion of the username attribute.
2. Change to the legacy identity store mode when Identity Service is enabled.
Identity Service is enabled if the following parameter value is false.
tsm configuration get -k wgserver.authentication.legacy_identity_mode.enabled
Run the following commands to enable legacy identity store.
tsm authentication legacy-identity-mode enable
3. Set the following parameter to ignore the domain portion of the username attribute.
tsm configuration set -k wgserver.ignore_domain_in_username_for_matching -v true
tsm pending-changes apply
example.com and tableau.com). If two users with the same first name, but different user accounts (e.g., alice@tableau.com and alice@example.com) are in your organization, then you could have a mapping mismatch.
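
A pre-flight check for the mapping mismatch described above, as an added example that is not part of the original article or Tableau's own tooling: before setting the flag, list the IdP username values that would collapse to the same prefix once the domain is ignored. The sample names, the function names, the case-insensitive comparison and the rule that the domain is everything after the first '@' are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article): username attribute values
# as the IdP would send them, and user names already defined on Tableau Server.
IDP_USERNAMES = [
    "alice@example.com",
    "alice@tableau.com",
    "bob@example.com",
    "Carol@example.com",
    "dave",
]
SERVER_USERS = ["alice", "bob", "carol"]


def strip_domain(username):
    """Return the prefix before the first '@', case-folded.

    Assumption: matching is case-insensitive and the domain is everything
    after the '@'. Confirm against your own server's behaviour.
    """
    return username.split("@", 1)[0].strip().casefold()


def audit(idp_usernames, server_users):
    """Group IdP identities by prefix and flag collisions and orphans."""
    by_prefix = defaultdict(set)
    for name in idp_usernames:
        by_prefix[strip_domain(name)].add(name.strip().casefold())

    server = {u.strip().casefold() for u in server_users}
    # Two or more distinct IdP identities that would match the same account.
    collisions = {p: sorted(ids) for p, ids in by_prefix.items() if len(ids) > 1}
    # IdP identities whose prefix has no account on the server.
    unmatched = sorted(p for p in by_prefix if p not in server)
    return collisions, unmatched


if __name__ == "__main__":
    collisions, unmatched = audit(IDP_USERNAMES, SERVER_USERS)
    for prefix, identities in sorted(collisions.items()):
        print(f"COLLISION {prefix}: {', '.join(identities)}")
    for prefix in unmatched:
        print(f"NO SERVER ACCOUNT {prefix}")
```

Any prefix reported as a collision needs to be resolved at the IdP or on the server before the flag is enabled, since both identities would otherwise match the same Tableau Server user.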