I am interested in knowing which identity token field is checked for a match. I see a lot of references to the name claim, but it seems you expect this to be the email even though for most IDPs it will be a display friendly supported name and since it is optional it might now be provided.
I'm having similar problems... I know this is an old thread but did you get this issue resolved? Could you help with the question below?
User accounts are matched between the Identity Provider and Tableau by comparing the Tableau user's Username with the Identity Provider user's email claim. This is documented here:
... so essentially, the usernames in Tableau need to be the email addresses of the users in the Identity Provider.
However, this isn't working for all users - it seems that my Tableau server has been setup with the name of my domain somewhere in it's configuration and any email addresses that end in this domain name (e.g. firstname.lastname@example.org) won't login. I simply get the following in the log file:
DEBUG com.tableausoftware.model.workgroup.auth.LoginAppService - Attempting openid connect login. No specific site provided.
DEBUG com.tableausoftware.domain.user.openid.OpenIDConnectHelper - username claim not found in ID Token, attempting to retrieve claim from UserInfo Endpoint
DEBUG com.tableausoftware.domain.user.openid.OpenIDConnectHelper - Login attempt. No matching account was found for email: email@example.com or sub: xxxxxxxxxxxxxxxxxxx
However, user's with different domain names can login OK.
Any ideas how to get the logging in to work for the user's of my domain?