Authentication verifies a user's identity. Everyone who needs to access Tableau Server—whether to manage the server, or to publish, browse, or administer content—must be represented as a user in the Tableau Server repository. The method of authentication may be performed by Tableau Server (“local authentication”), or authentication may be performed by an external process. In the latter case, you must configure Tableau Server for external authentication technologies such as Kerberos,
Looking for Tableau Server on Linux? See Authentication(Link opens in a new window).
Although all user identities are ultimately represented and stored in the Tableau Server repository, you must manage user accounts for Tableau Server in an identity store. There are two, mutually exclusive, identity store options: LDAP and local. Tableau Server supports arbitrary LDAP directories, but it's been optimized for Active Directory LDAP implementation. Alternatively, if you are not running an LDAPdirectory, you can use the Tableau Server local identity store. For more information see Identity Store.
As shown in the following table, the type of identity store you implement, in part, will determine your authentication options.
| Identity Store | Authentication Mechanism | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Basic | SAML | Site SAML | Kerberos | (Windows only) Automatic Logon (Microsoft SSPI) | OpenID Connect | Connected Apps | Trusted Auth | Mutual SSL | |
| Local | X | X | X | X | X | X | X | ||
| Active Directory | X | X | X | X | X | X | X | ||
| LDAP | X | X | X | X | X | ||||
Access and management permissions are implemented through site roles. Site roles define which users are administrators, and which users are content consumers and publishers on the server. For more information about administrators, site roles, groups, Guest User, and user-related administrative tasks, see Users and Site Roles for Users.
Note: In the context of authentication, it’s important to understand that users are not authorized to access external data sources through Tableau Server by virtue of having an account on the server. In other words, in the default configuration, Tableau Server does not act as a proxy to external data sources. Such access requires additional configuration of the data source on Tableau Server or authentication at the data source when the user connects from Tableau Desktop.
Add-on authentication compatibility
Some authentication methods can be used together. The following table shows authentication methods that can be combined. Cells marked with an "X" indicate a compatible authentication set. Blank cells indicate incompatible authentication sets.
| Connected Apps | Trusted Authentication | Server-wide SAML | Site SAML | Kerberos | (Windows only) Automatic Logon (Microsoft SSPI) | Mutual SSL | OpenID Connect | |
| Tableau Connected Apps | N/A | X | X | X | X | X | ||
| Trusted Authentication | N/A | X | X | X | X | X | ||
| Server-wide SAML | X | X | N/A | X | ||||
| Site SAML | X | X | X | N/A | ||||
| Kerberos | X | X | N/A | |||||
| Automatic Logon (Microsoft SSPI) | N/A | |||||||
| Mutual SSL | X | X | N/A | |||||
| OpenID Connect | X | X | N/A | |||||
| Personal Access Token (PAT) | * | * | * | * | * | * | * | * |
* PATs, by design, do not work directly with the authentication mechanism listed in these columns to authenticate to the REST API. Instead, PATs use Tableau Server user account credentials to authenticate to the REST API.
Client authentication compatibility
Authentication handled through a user interface (UI)
| Clients | Authentication Mechanism | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Basic | SAML | Site SAML | Kerberos | (Windows only) Automatic Logon (Microsoft SSPI) | OpenID Connect | Connected Apps | Trusted Auth | Mutual SSL | Personal Access Token (PAT) | |
| Tableau Desktop | X | X | X | X | X | X | X | |||
| Tableau Prep Builder | X | X | X | X | X | X | X | |||
| Tableau Mobile | X | X | X | X (iOS only *) | X ** | X | X | |||
| Web Browsers | X | X | X | X | X | X | X *** | X | X | |
* Kerberos SSO isn't supported for Android, but a fall back to user name and password is possible. For more information, see Note 5:Android platform.
** SSPI is not compatible with the Workspace ONE version of the Tableau Mobile app.
*** In embedding workflows only.
Authentication handled programmatically
| Clients | Authentication Mechanism | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Basic | SAML | Site SAML | Kerberos | (Windows only) Automatic Logon (Microsoft SSPI) | OpenID Connect | Connected Apps | Trusted Auth | Mutual SSL | Personal Access Token (PAT) | |
| REST API | X | X | X | |||||||
| tabcmd 2.0 | X | X | ||||||||
| tabcmd | X | |||||||||
Local authentication
If the server is configured to use local authentication, then Tableau Server authenticates users. When users sign-in and enter their credentials, either through Tableau Desktop, tabcmd, API, or web client, Tableau Server verifies the credentials.
To enable this scenario, you must first create an identity for each user. To create an identity, you specify a username and a password. To access or interact with content on the server, users must also be assigned a site role. User identities can be added to Tableau Server in the server UI, using tabcmd Commands, or using the REST API(Link opens in a new window).
You can also create groups in Tableau Server to help manage and assign roles to large sets of related user groups (e.g., “Marketing”).
When you configure Tableau Server for local authentication, you can set password policies and account lockout on failed password attempts. See Local Authentication.
Note:Tableau with multi-factor (MFA) authentication is available for Tableau Cloud only.
External authentication solutions
Tableau Server can be configured to work with a number of external authentication solutions.
NTLM and SSPI
If you configure Tableau Server to use Active Directory during installation, then NTLM will be the default user authentication method.
When a user logs onto Tableau Server from Tableau Desktop or a web client, the credentials are passed through to Active Directory, which then verifies them and sends an access token to Tableau Server. Tableau Server will then manage user access to Tableau resources based on the site roles stored in the repository.
If Tableau Server is installed on a Windows computer in Active Directory, they you may optionally enable automatic logon. In this scenario, Tableau Server will use Microsoft SSPI to automatically sign in your users based on their Windows username and password. This creates an experience similar to single sign-on (SSO).
Do not enable SSPI if you plan to configure Tableau Server for SAML, trusted authentication, a load balancer, or for a proxy server. SSPI is not supported in these scenarios. See tsm authentication sspi <commands>.
Kerberos
You can configure Tableau Server to use Kerberos for Active Directory. See Kerberos.
SAML
You can configure Tableau Server to use SAML (security assertion markup language) authentication. With SAML, an external identity provider (IdP) authenticates the user's credentials, and then sends a security assertion to Tableau Server that provides information about the user's identity.
For more information, see SAML.
OpenIDConnect
OpenID Connect (OIDC) is a standard authentication protocol that lets users sign in to an identity provider (IdP) such as Google. After they've successfully signed in to their IdP, they are automatically signed in to Tableau Server. To use OIDC on Tableau Server, the server must be configured to use the local identity store. Active Directory or LDAPidentity stores are not supported with OIDC. For more information, see OpenID Connect.
Mutual SSL
Using mutual SSL, you can provide users of Tableau Desktop, Tableau Mobile, and other approved Tableau clients a secure, direct-access experience to Tableau Server. With mutual SSL, when a client with a valid SSL certificate connects to Tableau Server, Tableau Server confirms the existence of the client certificate and authenticates the user, based on the username in the client certificate. If the client does not have a valid SSL certificate, Tableau Server can refuse the connection. For more information, see Configure Mutual SSL Authentication.
Connected apps
Direct trust
Tableau connected apps enable a seamless and secure authentication experience by facilitating an explicit trust relationship between your Tableau Server site and external applications where Tableau content is embedded. Using connected apps also enables a programmatic way to authorize access to the Tableau REST API using JSON Web Tokens (JWTs). For more information, see Use Tableau Connected Apps for Application Integration.
EAS or OAuth 2.0 trust
You can register an external authorization server (EAS) with Tableau Server to establish a trust relationship between your Tableau Server and an EAS using the OAuth 2.0 standard protocol. The trust relationship provides your users with single sign-on experience, through your IdP, to embedded Tableau content. In addition, registering an EAS enables a programmatic way to authorize access to the Tableau REST API using JSON Web Tokens (JWTs). For more information, see Configure Connected Apps with OAuth 2.0 Trust.
Trusted authentication
Trusted authentication (also referred to as "Trusted tickets") lets you set up a trusted relationship between Tableau Server and one or more web servers. When Tableau Server receives requests from a trusted web server, it assumes that the web server has already handled whatever authentication is necessary. Tableau Server receives the request with a redeemable token or ticket and presents the user with a personalized view which takes into consideration the user’s role and permissions. For more information, see Trusted Authentication.
LDAP
You can also configure Tableau Server to use LDAPfor user authentication. Users are authenticated by submitting their credentials to Tableau Server, which will then attempt to bind to the LDAP instance using the user credentials. If the bind works then the credentials are valid and Tableau Server grants the user a session.
“Binding” is the handshake/authentication step that happens when a client tries to access an LDAP server. Tableau Server does this for itself when it makes various non-authentication related queries (such as importing users and groups).
You can configure the type of bind you want Tableau Server to use when verifying user credentials. Tableau Server supports GSSAPI and simple bind. Simple bind passes credentials directly to the LDAP instance. We recommend that you configure SSL to encrypt the bind communication. Authentication in this scenario maybe be provided by the native LDAP solution, or with an external process, like SAML.
For more information about planning for and configuring LDAP, see Identity Store and External Identity Store Configuration Reference.
Other authentication scenarios
-
REST API: Signing In and Out (Authentication)(Link opens in a new window)
Note: REST API does not support SAML single-sign (SSO).
-
Mobile device authentication: Single sign-on for Tableau Mobile(Link opens in a new window)
-
Certificate trust for TSMclients: Connecting TSMclients
Data access and source authentication
You can configure Tableau Server to support a number of different authentication protocols to various different data sources. Data connection authentication may be independent of Tableau Server authentication.
For example, you may configure user authentication to Tableau Server with local authentication, while configuring OAuth or SAML authentication to specific data sources. See Data Connection Authentication.
