SAML Login Fails With "User account not found" Error After Upgrading Tableau Server

Perform the following steps to ignore the user domain matching.  The flag set in Step 3 is only available starting with the upgraded versions listed in Step 1.  Please see the Additional Information section of this article to understand if this solution will be the correct one for your organization.

1. Upgrade to Tableau Server 2021.4.21+, 2022.1.17+, 2022.3.9+, or 2023.1.5 and higher versions if your version is one of the affected versions.  

Beginning in Tableau Server versions 2021.4.21, 2022.1.17, 2022.3.9, and 2023.1.5, you can configure Tableau Server to ignore the domain portion of the username attribute when matching the identity provider (IdP) user name to a user account on Tableau Server. For example, the username attribute in the IdP might be alice@example.com to match a user named alice in Tableau Server. Ignoring the domain portion of the username attribute might be useful if you already have users defined in Tableau Server that match the prefix portion of the username attribute but not the domain portion of the username attribute. 

2. Change to the legacy identity store mode when Identity Service is enabled.
Identity Service is enabled if the following parameter value is false.

tsm configuration get -k wgserver.authentication.legacy_identity_mode.enabled

Run the following commands to enable legacy identity store.

tsm authentication legacy-identity-mode enable

3. Set the following parameter to ignore the domain portion of the username attribute.

tsm configuration set -k wgserver.ignore_domain_in_username_for_matching -v true
tsm pending-changes apply