Authentication and Authorization

This content is part of Tableau Blueprint—a maturity framework allowing you to zoom in and improve how your organization uses data to drive impact. To begin your journey, take our assessment.

Tableau provides the comprehensive features and deep integration to address all aspects of enterprise security. For more information, see Tableau Server Platform Security and Tableau Server Security Hardening Checklist (Windows | Linux) or Tableau Cloud Security in the Cloud.

Identity Store

Tableau Server requires an identity store (Windows | Linux) to manage user and group information.  There are two kinds of identity stores: local (Tableau Server) and external (Active Directory, LDAP). When you install Tableau Server you must configure either a local identity store or an external identity store. For information about configuration options for the identity store, see identityStore Entity.

When you configure Tableau Server with a local identity store, all user and group information is stored and managed in the Tableau Server Repository. In the local identity store scenario, there is no external source for users and groups. Note: Changing the identity store after server installation requires a full uninstall and reinstall.

When you configure Tableau Server with an external store, all user and group information is stored and managed by an external directory service. Tableau Server must synchronize with the external identity store so that local copies of the users and groups exist in the Tableau Server Repository, but the external identity store is the master source for all user and group data. When users sign in to Tableau Server, their credentials are passed to the external directory, which is responsible for authenticating the user (Windows | Linux). Tableau Server does not perform this authentication; however, the Tableau user names stored in the identity store are associated with rights and permissions for Tableau Server. After authentication is verified, Tableau Server manages user access (authorization) for Tableau resources.

Authentication

Authentication verifies a user's identity. Everyone who needs to access Tableau Server or Tableau Cloud—whether to manage the server or site, or to publish, browse, or administer content—must be represented as a user in the Tableau Server identity store or provisioned as a Tableau Cloud user. The method of authentication may be performed by Tableau Server or Tableau Cloud (local authentication), or authentication may be performed by an external process. In the latter case, you must configure Tableau Server for external authentication protocols such as Active Directory, OpenLDAP, SAML, or OpenID or configure Tableau Cloud for Google or SAML.

Authentication in Tableau Cloud

Tableau Cloud supports the following authentication types, which you can configure on the Authentication page. For more information, see Tableau Cloud Authentication.

  • Tableau: This is the default authentication type, available on all sites, requiring no additional configuration steps before you add users. Tableau credentials are made up of username and password, which are stored with Tableau Cloud. Users enter their credentials directly on the Tableau Cloud sign-in page.
  • Google: If your organization uses Google applications, you can enable Tableau Cloud to use Google accounts for single sign-on (SSO) via OpenID Connect. When you enable Google authentication, users are directed to the Google sign-in page to enter their credentials, which are stored by Google.
  • SAML: Another way to use SSO is through SAML. To do this, you use a third-party identity provider (IdP), and configure the site to establish a trust relationship with the IdP. When you enable SAML, users are directed to the IdP’s sign-in page, where they enter their SSO credentials, already stored with the IdP.


Tableau Cloud Multi-Factor Authentication Requirement

In addition to the authentication type you configure for your site, multi-factor authentication (MFA) through your SSO identity provider (IdP) is a Tableau Cloud requirement beginning February 1, 2022. If your organization doesn’t work directly with an SSO IdP, you can use Tableau with MFA authentication to meet the MFA requirement. For more information, see About multi-factor authentication and Tableau Cloud.


Authentication in Tableau Server

The table below shows which Tableau Server authentication methods are compatible with which identity stores.

Authentication Method     Local Authentication    AD/LDAP
SAML                      Yes                     Yes
Kerberos                  No                      Yes
Mutual SSL                Yes                     Yes
OpenID                    Yes                     No
Trusted Authentication    Yes                     Yes

Active Directory & OpenLDAP

In this scenario, Tableau Server must be installed in a domain in Active Directory. Tableau Server syncs user and group metadata from Active Directory to the identity store, so you do not have to add users manually. However, after the data is synchronized, you still need to assign site and server roles, either individually or at the group level. Tableau Server does not synchronize any data back to Active Directory. Tableau Server manages content and server access according to the site role and permission data stored in the Repository.

If you are already using Active Directory to manage users in your organization, you must select Active Directory authentication during Tableau setup. For example, by synchronizing Active Directory groups, you can set minimum site role Tableau permissions for users that are synchronized in the groups. You can synchronize specific Active Directory groups, or you can synchronize them all. For more information, see Synchronize All Active Directory Groups on the Server. Be sure to review User Management in Active Directory Deployments to understand how multiple domains, domain naming, NetBIOS, and Active Directory user name format influence Tableau user management.

You can also configure Tableau Server to use LDAP as a generic way to communicate with the identity store. For example, OpenLDAP is one of several LDAP server implementations with a flexible schema, and Tableau Server can be configured to query the OpenLDAP server. See Identity Store. Authentication in this scenario may be provided by the native LDAP solution or by a single sign-on solution. The diagram below shows Tableau Server with Active Directory/OpenLDAP authentication.

SAML

SAML (Security Assertion Markup Language) is an XML standard that allows secure web domains to exchange user authentication and authorization data. You can configure Tableau Server and Tableau Cloud to use an external identity provider (IdP) to authenticate users over SAML 2.0.

Tableau Server and Tableau Cloud support both service provider initiated and IdP initiated SAML in browsers and in the Tableau Mobile app. Connections from Tableau Desktop require that the SAML request be service provider initiated. No user credentials are stored with Tableau Server or Tableau Cloud, and using SAML enables you to add Tableau to your organization’s single sign-on environment. User authentication through SAML does not apply to permissions and authorization for Tableau Server or Tableau Cloud content, such as data sources and workbooks. It also does not control access to the underlying data that workbooks and data sources connect to.

For Tableau Server, you can use SAML server-wide, or you can configure Tableau Server sites individually. Here’s an overview of those options:

  • Server-wide SAML authentication. A single SAML IdP application handles authentication for all Tableau Server users. Use this option if your server has only the Default site.

In addition, if you want to use Tableau Server site-specific SAML, you must configure server-wide SAML before you configure individual sites. Server-wide SAML does not need to be enabled for site-specific SAML to function, but it must be configured.

  • Server-wide local authentication and site-specific SAML authentication. In a multi-site environment, users who are not enabled for SAML authentication at the site level can sign in using local authentication.
  • Server-wide SAML authentication and site-specific SAML authentication. In a multi-site environment, all users authenticate through a SAML IdP configured at the site level, and you specify a server-wide default SAML IdP for users that belong to multiple sites.

For more information, see SAML (Windows | Linux). The diagram below shows Tableau Server with SAML authentication.

To configure SAML for Tableau Cloud, see the following requirements:

NOTE: In addition to these requirements, we recommend that you dedicate a Tableau Cloud Site Administrator account that is always configured for Tableau authentication. In the event of an issue with SAML or the IdP, a dedicated TableauID account ensures that you always have access to your Tableau Cloud site.

Trusted Tickets

If you embed Tableau Server views into webpages, everyone who visits the page must be a licensed user on Tableau Server. When users visit the page, they are prompted to sign in to Tableau Server before they can see the view. If you already have a way of authenticating users on the webpage or within your web application, you can avoid this prompt and save your users from having to sign in twice by setting up trusted authentication.

Trusted authentication simply means that you have set up a trusted relationship between Tableau Server and one or more web servers. When Tableau Server receives requests from these trusted web servers it assumes that your web server has handled whatever authentication is necessary.

If your web server uses SSPI (Security Support Provider Interface), you do not need to set up trusted authentication. You can embed views and your users will have secure access to them as long as they are licensed Tableau Server users and members of your Active Directory (Windows | Linux). The diagram below shows Tableau Server with Trusted Tickets.
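The two-step exchange the Trusted Tickets section describes, as an added Python example (not Tableau's code and not from the Tableau documentation): the trusted web server, having already authenticated the visitor, POSTs the user name to Tableau Server's /trusted endpoint, receives a ticket (or the literal "-1" on refusal), and then sends the browser to a ticketed view URL. The server host name, user names, workbook and view names, and the fake endpoint are constructed placeholders; the HTTP transport is injected so the script runs offline.

```python
"""Trusted-ticket flow between a trusted web server and Tableau Server.

Added example, not Tableau's code. The host name, users, workbook/view names
and the stand-in endpoint below are constructed placeholders.
"""
from typing import Callable, Dict, Optional

TABLEAU_SERVER = "https://tableau.example.com"  # assumed placeholder host name

# Transport hook: (url, form fields) -> response body. Injected so the example
# runs offline. In production this is an HTTPS POST issued by the web server's
# backend, never by the browser: only hosts in Tableau Server's trusted hosts
# list may request tickets, and the user name must be a licensed Tableau user.
PostFn = Callable[[str, Dict[str, str]], str]


def request_trusted_ticket(post: PostFn, username: str, target_site: str = "") -> Optional[str]:
    """Step 1: ask Tableau Server for a ticket on behalf of an already-authenticated user.

    Tableau Server answers the POST to /trusted with the ticket text, or with the
    literal string "-1" when it refuses the request.
    """
    fields = {"username": username}
    if target_site:
        fields["target_site"] = target_site  # site ID; omitted for the Default site
    body = post(f"{TABLEAU_SERVER}/trusted", fields).strip()
    return None if body == "-1" else body


def ticketed_view_url(ticket: str, workbook: str, view: str, site: str = "") -> str:
    """Step 2: the URL the browser is redirected to. The ticket is redeemed once and expires quickly."""
    site_path = f"/t/{site}" if site else ""
    return f"{TABLEAU_SERVER}/trusted/{ticket}{site_path}/views/{workbook}/{view}"


def embed_view_for(post: PostFn, username: str, workbook: str, view: str, site: str = "") -> Optional[str]:
    """Whole flow for one page load. Returns None so the caller can fall back to the normal sign-in prompt."""
    ticket = request_trusted_ticket(post, username, site)
    if ticket is None:
        return None
    return ticketed_view_url(ticket, workbook, view, site)


# Constructed stand-in for the /trusted endpoint: it models only the documented
# "ticket or -1" contract, and treats "alice" as the sole licensed user.
CONSTRUCTED_TICKET = "9D1ObyqDQmSIOyQpKdy4Sw==:dg62gCsSE0QRArXNTOp6mlJ5"  # sample value, not a live ticket


def constructed_fake_tableau_post(url: str, fields: Dict[str, str]) -> str:
    if url.endswith("/trusted") and fields.get("username") == "alice":
        return CONSTRUCTED_TICKET
    return "-1"


if __name__ == "__main__":
    print(embed_view_for(constructed_fake_tableau_post, "alice", "Sales", "Overview"))
    print(embed_view_for(constructed_fake_tableau_post, "mallory", "Sales", "Overview"))
```

Treat "-1" as a hard failure and log it: it is what you will see when the requesting host is not in the trusted hosts list, when the user is not a licensed Tableau user, or when the site ID is wrong. Because the only thing the web server sends is a user name, the security of the whole arrangement rests on that server authenticating the visitor correctly before it asks for a ticket.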


Mutual SSL

Using mutual SSL, you can provide users of Tableau Desktop and other approved Tableau clients a secure, direct-access experience to Tableau Server. With mutual SSL, when a client with a valid SSL certificate connects to Tableau Server, Tableau Server confirms the existence of the client certificate and authenticates the user, based on the user name in the client certificate. If the client does not have a valid SSL certificate, Tableau Server can refuse the connection. You can also configure Tableau Server to fall back to username/password authentication if mutual SSL fails.

Authorization

Authorization refers to how and what users can access on Tableau Server or Tableau Cloud after authentication has been verified. For more information, see Governance in Tableau. Authorization includes:

  • What users are allowed to do with content hosted on Tableau Server or Tableau Cloud, including projects, sites, workbooks, and views.
  • What users are allowed to do with the data sources that are managed by Tableau Server or Tableau Cloud.
  • What tasks users are allowed to perform to administer Tableau Server or Tableau Cloud, such as configuring server or site settings, running command line tools, and other tasks.

Authorization is managed within Tableau Server and Tableau Cloud. It is determined by a combination of the user's license level (Tableau Creator, Tableau Explorer, Tableau Viewer), site role, and the permissions associated with specific entities such as workbooks and data sources. The project team should work together to define the permissions model. Tableau Server and/or Site Administrators (or the Tableau Cloud Site Administrator) assign permission rules to groups and lock them to the project. Custom permissions allow more granularity in permissions—from accessing or downloading a data source to how a user interacts with published content.

Tableau’s intuitive interface makes it easy to associate users to functional groups, assign permissions to the groups, and see who has access to which content. You can create groups locally on the server or import from Active Directory and synchronize on a set schedule. The permissions view also helps business users manage their own users and groups. For more information, see Set-up Permissions Quick Start, Configure Projects, Groups, and Permissions for Managed Self-Service, and Permissions Reference.
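As an added Python example (not Tableau's code) serving two points on this page, the minimum site role that synchronized directory groups can carry and the way site role plus group permission rules decide what a user may do with content, here is a small resolver you can run against constructed group memberships. The precedence it encodes (the site role is a hard ceiling, an explicit Deny beats an Allow, and no rule at all means denied) is a simplified assumption to check against the Permissions Reference, and the capability sets per role, the group names and the rules are constructed for illustration.

```python
"""Simplified resolver for "what may this user do" under Tableau's authorization model.

Added example, not Tableau's implementation. The role ordering, the capability
subset per role and the rule precedence are assumptions for illustration; the
groups, minimum roles and permission rules are constructed sample data.
"""
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Assumed ordering of site roles, lowest to highest (admin roles omitted).
ROLE_RANK = {"Viewer": 1, "Explorer": 2, "Creator": 3}

# Assumed illustrative capability ceilings per site role (a subset of the real ones).
ROLE_CAPABILITIES: Dict[str, FrozenSet[str]] = {
    "Viewer": frozenset({"View", "Filter"}),
    "Explorer": frozenset({"View", "Filter", "Download Data", "Web Edit"}),
    "Creator": frozenset({"View", "Filter", "Download Data", "Web Edit", "Publish"}),
}

# A permission rule locked to a project: (group, capability) -> "Allow" or "Deny".
Rules = Dict[Tuple[str, str], str]


def site_role_for(user_groups: Iterable[str], group_minimum_role: Dict[str, str],
                  current_role: Optional[str] = None) -> str:
    """A synced user keeps their current role unless a group's minimum role is higher.

    A user with no current role is assumed to start as Viewer.
    """
    best = current_role or "Viewer"
    for group in user_groups:
        candidate = group_minimum_role.get(group)
        if candidate and ROLE_RANK[candidate] > ROLE_RANK[best]:
            best = candidate
    return best


def effective_permission(user_groups: Iterable[str], site_role: str,
                         capability: str, rules: Rules) -> bool:
    """Resolve one capability: site role caps it, then group rules grant or deny within the cap."""
    if capability not in ROLE_CAPABILITIES[site_role]:
        return False  # the license/site role is a ceiling no rule can raise
    decisions = [rules.get((group, capability)) for group in user_groups]
    if "Deny" in decisions:
        return False  # an explicit Deny on any group wins over Allows elsewhere
    return "Allow" in decisions  # unspecified everywhere means denied


# Constructed sample: directory groups with minimum site roles, and rules
# locked to a hypothetical "Finance" project.
SAMPLE_GROUP_MIN_ROLE = {"finance-analysts": "Explorer", "all-staff": "Viewer"}
SAMPLE_RULES: Rules = {
    ("all-staff", "View"): "Allow",
    ("finance-analysts", "View"): "Allow",
    ("finance-analysts", "Download Data"): "Allow",
    ("finance-analysts", "Web Edit"): "Allow",
    ("contractors", "Download Data"): "Deny",
}


def describe_user(groups: Iterable[str]) -> Tuple[str, Dict[str, bool]]:
    """Site role plus the effective answer for every capability in the model."""
    groups = list(groups)
    role = site_role_for(groups, SAMPLE_GROUP_MIN_ROLE)
    caps = {cap: effective_permission(groups, role, cap, SAMPLE_RULES)
            for cap in sorted(ROLE_CAPABILITIES["Creator"])}
    return role, caps


if __name__ == "__main__":
    for name, groups in {"analyst": ["all-staff", "finance-analysts"],
                         "contract-analyst": ["all-staff", "finance-analysts", "contractors"],
                         "staff": ["all-staff"]}.items():
        print(name, describe_user(groups))
```

Two things the run makes visible that the prose only states: a user synced from a group with a higher minimum site role is lifted to that role, and a Deny placed on one group (here, contractors losing Download Data) removes the capability even though another group the same user belongs to grants it. Checking a few representative users this way before locking rules to a project is a cheap way to catch an over-broad Allow.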
