Control authentication and access for Tableau Mobile

Supported authentication methods

With Tableau Online, the Tableau Mobile app supports authentication either via the default Tableau method or SAML. The default method doesn't require any setup. To set up SAML, see Authentication in Tableau Online Help.

With Tableau Server, Tableau Mobile supports local authentication by the server, or external authentication via Active Directory, SAML, or Kerberos (iOS only). To set up authentication, see Tableau Server Help for Windows and Linux.

Temporarily keep users signed in

To temporarily keep Tableau Mobile users signed in, make sure that connected clients are enabled for Tableau Online or Tableau Server. If you disable this default setting, users will be required to sign in every time they connect to the server.

Verify the connected clients setting for Tableau Online

  1. Sign in to Tableau Online as an administrator.
  2. Select Settings, and then select the Authentication tab.
  3. Under Connected Clients, note the Let clients automatically connect to this Tableau Online site setting.

Verify the connected clients setting for Tableau Server

  1. Sign in to Tableau Server as an administrator.
  2. In the site menu, click Manage All Sites, and then click Settings > General.
  3. Under Connected Clients, note the Let clients automatically connect to Tableau Server setting.

Change how long users remain signed in to Tableau Server

To keep a user signed in, Tableau Mobile sends a refresh token to the authentication system, which then delivers a new access token to the mobile device. You can change how long users remain signed in by adjusting settings for refresh tokens.

In the command-line interface for Tableau Services Manager, set the following options:

refresh_token.idle_expiry_in_seconds

Sets the number of seconds a token can go unused before expiring. The default value of 1,209,600 equals 14 days. Enter a value of -1 to never expire idle tokens.

refresh_token.absolute_expiry_in_seconds

Sets the number of seconds before refresh tokens completely expire. The default value of 31,536,000 equals 365 days. Enter a value of -1 to never expire tokens.

refresh_token.max_count_per_user

Sets the maximum number of refresh tokens that can be issued to each user. The default value is 24. Enter a value of -1 to entirely remove token limits.

wgserver.session.idle_limit

Sets the number of minutes before a Tableau session expires, again requiring sign in. The default value is 240.

To set the options above, use this syntax in the command-line interface:

tsm configuration set -k <config.key> -v <config_value>

For example, to limit the number of refresh tokens to 5 per user, you would enter the following:

tsm configuration set -k refresh_token.max_count_per_user -v 5

For more information, see TSM configuration set options in Tableau Server Help.
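An added example (not from Tableau's documentation): a shell audit that compares the four settings above against policy ceilings and flags any refresh-token option set to -1. The ceilings are assumed to equal the defaults listed above. On a host without tsm, the script runs on constructed sample values.

```shell
#!/bin/sh
# Audit Tableau Server token/session settings against policy ceilings.
# Assumption: ceilings equal the defaults listed on this page; tighten as needed.
POLICY='refresh_token.idle_expiry_in_seconds 1209600
refresh_token.absolute_expiry_in_seconds 31536000
refresh_token.max_count_per_user 24
wgserver.session.idle_limit 240'

# max_for KEY: print the ceiling for KEY, or nothing if KEY is not in POLICY.
max_for() {
  printf '%s\n' "$POLICY" | awk -v k="$1" '$1 == k { print $2 }'
}

# check_setting KEY VALUE MAX: print one OK/FAIL finding line.
check_setting() {
  case "$1=$2" in
    refresh_token.*=-1) echo "FAIL $1=-1 disables expiry or the token limit"; return 0 ;;
  esac
  case "$2" in
    ''|*[!0-9]*) echo "FAIL $1=$2 is not a non-negative integer"; return 0 ;;
  esac
  if [ "$2" -gt "$3" ]; then
    echo "FAIL $1=$2 exceeds ceiling $3"
  else
    echo "OK $1=$2"
  fi
}

# audit: read "key value" lines on stdin and print a finding for each.
audit() {
  while read -r key value; do
    [ -n "$key" ] || continue
    max=$(max_for "$key")
    if [ -z "$max" ]; then echo "SKIP $key has no policy entry"; continue; fi
    check_setting "$key" "$value" "$max"
  done
}

if command -v tsm >/dev/null 2>&1; then
  # Live mode: read each key with `tsm configuration get`.
  for key in $(printf '%s\n' "$POLICY" | awk '{ print $1 }'); do
    printf '%s %s\n' "$key" "$(tsm configuration get -k "$key")"
  done | audit
else
  # Constructed sample values, used when tsm is not installed.
  audit <<'EOF'
refresh_token.idle_expiry_in_seconds -1
refresh_token.absolute_expiry_in_seconds 7776000
refresh_token.max_count_per_user 5
wgserver.session.idle_limit 480
EOF
fi
```

After changing a value with tsm configuration set, run tsm pending-changes apply so that the new value takes effect.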

Enable app lock for added security

Long-lived authentication tokens allow users to remain signed in, giving them frictionless access to data. However, you might have concerns about this open access to data in Tableau Mobile. Rather than requiring users to sign in more frequently, you can enable app lock to give users a secure yet simple way to access content.

App lock for Tableau Mobile doesn’t authenticate users with Tableau Server or Tableau Online; instead, it provides a layer of security for users who are already signed in. When app lock is enabled, users must open the app using the security method they have configured for unlocking their devices. Supported biometric methods are Face ID or Touch ID (iOS) and fingerprint (Android). Supported alternative methods are passcode (iOS) and pattern, PIN, or password (Android).

Before you enable app lock

Make sure that the Connected Clients setting for Tableau Server or Tableau Online is enabled. For more information, see Temporarily keep users signed in. If you don’t have this setting enabled, users will be required to sign in every time they connect to Tableau Server or Tableau Online, eliminating the need for an app lock.

For Tableau Server, you can control precisely how long users remain signed in by adjusting the expiration values for refresh tokens. For more information, see Change how long users remain signed in to Tableau Server. An app lock is intended for use with long-lived tokens, such as those that use the default expiration values.

Note: If your Tableau Server installation uses a reverse proxy server, be aware that your users may need to sign in upon unlocking the app. This is because their reverse proxy tokens expired, but their refresh tokens are still active.

Enable the setting

For Tableau Online

  1. Sign in to Tableau Online as an administrator.
  2. Select Settings, and then select the Authentication tab.
  3. Under App Lock for Tableau Mobile, check the Enable app lock setting.

For Tableau Server versions 2019.4 and later

  1. Sign in to Tableau Server as an administrator.
  2. Navigate to the site for which you want to enable app lock.
  3. Select Settings.
  4. Under Tableau Mobile, check the Enable app lock setting.

For Tableau Server versions 2019.3 and earlier

The setting to enable app lock is not available for Tableau Server versions 2019.3 and earlier; however, you can still enable app lock with an enterprise mobile device management solution, such as Microsoft Intune or BlackBerry Dynamics. See RequireAppLock in App configuration parameters for MDM systems.

User-enabled app lock

Users can also individually enable app lock for their devices via a setting within the app. However, users can’t disable app lock via this setting if it is enabled by their administrator.

Tableau Mobile settings screen

When app lock is enabled

After you enable app lock, users who are signed in will be required to unlock the app when they open it. If users haven’t set up a method to unlock their devices, they will be prompted to do so in order to unlock the app.

If users fail to unlock the app, they will have the option to either try again or log out of Tableau. If users fail to unlock the app after five attempts using a biometric method, or if their devices are not configured for biometrics, they will be prompted to unlock using an alternative method such as a passcode.

Repeated failures to unlock the app using a passcode will result in the user being locked out of the device as a whole, not just the app. The number of attempts before this occurs depends on the device. Further attempts to unlock the device are delayed by increasing amounts of time.

Single sign-on for Tableau Mobile

For single sign-on (SSO) authentication, Tableau Mobile supports SAML for all mobile platforms and Kerberos for iOS devices.

SAML

If Tableau Online or Tableau Server is configured to use SAML, users are automatically redirected to the identity provider (IdP) for sign-in within Tableau Mobile. That's all there is to it—SAML doesn't require any special configuration for mobile devices. However, SAML doesn't relay credentials to other mobile apps using SSO.

Kerberos (iOS and Tableau Server only)

To use Kerberos authentication, devices must be specially configured for your organization. Kerberos configuration is beyond the scope of this document and Tableau Support, but here are some third-party resources to help get you started.

When you set up a configuration profile, you'll need the URLs used to access your Tableau server. For the URLPrefixMatches key, if you decide to list the URL strings explicitly, include URLs with all protocol options and the appropriate port numbers.

  • If your servers use SSL, your URLs should use the https protocol and the server’s fully qualified domain name. One of the URLs also should specify port 443.

    For example, enter https://fully.qualified.domain.name:443/ and https://servername.fully.qualified.domain.name/

  • If your users access your Tableau server by specifying only the local server name, you should also include those variations.

    For example, enter http://servername/ and http://servername:80/

Note: Signing out does not clear Kerberos tickets on a device. If stored Kerberos tickets are still valid, anyone using a device can access the server and site a user last signed in to, without providing credentials.
