Control Authentication and Access for Tableau Mobile
Supported authentication methods
Tableau Server
Tableau Mobile supports the following authentication methods for Tableau Server.
Method | Considerations for Tableau Mobile
---|---
Local (basic) authentication |
Kerberos |
SAML |
NTLM |
Mutual SSL |
OpenID Connect |
For information about configuring these methods, see the Tableau Server Help for Windows and Linux.
Tableau Cloud
Tableau Mobile supports all three authentication methods for Tableau Cloud.
- Default Tableau method
- Google via OpenID Connect (Sign in with Device Browser must be enabled)
- SAML
For information about configuring these methods, see Authentication in the Tableau Cloud Help.
OpenID Connect (including Google) and mutual SSL authentication take place using the mobile device’s browser (Safari, Chrome). The exchange between the browser and Tableau Mobile is secured by OAuth Proof Key for Code Exchange (PKCE).
For this authentication to take place, you must enable the Sign in with Device Browser setting by following the instructions below. The one exception to this requirement is mutual SSL authentication on Android, which requires no configuration changes.
Tableau Server (version 2019.4 or later)
If you use an MDM or MAM system, set the AppConfig parameter, RequireSignInWithDeviceBrowser, to true. Alternatively, Tableau Server users can enable the "Sign in with Device Browser" setting on their individual devices. The AppConfig parameter overrides the user setting.
Tableau Cloud
Set the AppConfig parameter, RequireSignInWithDeviceBrowser, to true. To set AppConfig parameters, you need to deploy the app with an MDM or MAM system. The user setting has no effect for Tableau Cloud, so if you don’t use an MDM or MAM system, you won’t be able to allow Google authentication.
When you configure Tableau Mobile to use the browser for authentication, it uses the default browser for the device: Safari for iOS and Chrome for Android. To enable Conditional Access for Microsoft Intune, you must configure Tableau Mobile to use Microsoft Edge for authentication instead. This requires two AppConfig parameters:
- Set RequireSignInWithDeviceBrowser to true, so that Tableau Mobile uses the browser for authentication.
- Set OverrideDeviceBrowser to Edge, to change the browser used to authenticate from the device default to Microsoft Edge. If you change this parameter without requiring sign in with the browser, it has no effect. For more information, see the AppConfig parameters for Tableau Mobile.
In addition to setting the AppConfig parameters for Tableau Mobile, configure your Microsoft Intune environment as follows:
- If you use Azure App Proxy, it must use passthrough as its preauthentication method.
- The authentication method must be SAML or OpenID.
- The identity provider must be Azure Active Directory.
To temporarily keep Tableau Mobile users signed in, make sure that connected clients are enabled for Tableau Cloud or Tableau Server. If you disable this default setting, users will be required to sign in every time they connect to the server.
Verify the connected clients setting for Tableau Cloud
- Sign in to Tableau Cloud as an administrator.
- Select Settings, and then select the Authentication tab.
- Under Connected Clients, note the Let clients automatically connect to this Tableau Cloud site setting.
For more information, see Access Sites from Connected Clients in Tableau Cloud Help.
Verify the connected clients setting for Tableau Server
- Sign in to Tableau Server as an administrator.
- In the site menu, select Manage All Sites, and then select Settings > General.
- Under Connected Clients, note the Let clients automatically connect to Tableau Server setting.
For more information, see Disable Automatic Client Authentication in Tableau Server Help.
If the connected clients setting isn’t enabled, the length of a session on Tableau Mobile is controlled by Tableau Server limits. If the connected clients setting is enabled, Tableau Mobile uses OAuth tokens to re-establish sessions that hit the Tableau session limit. This automatic re-authentication keeps users signed in as long as the refresh tokens are valid. For this re-authentication to take place, the duration of the refresh tokens must be longer than the Tableau session limit. Otherwise, the user is signed out when the session expires.
Change token values for connected clients
To keep a user signed in, Tableau Mobile sends a refresh token to the authentication system, which then delivers a new access token to the mobile device. You can change how long users remain signed in by adjusting settings for refresh tokens.
In the command-line interface for Tableau Services Manager, set the following options:
- refresh_token.idle_expiry_in_seconds
Sets the number of seconds a token can go unused before expiring. The default value of 1,209,600 equals 14 days. Enter a value of -1 to never expire idle tokens.
- refresh_token.absolute_expiry_in_seconds
Sets the number of seconds before refresh tokens completely expire. The default value of 31,536,000 equals 365 days. Enter a value of -1 to never expire tokens.
- refresh_token.max_count_per_user
Sets the maximum number of refresh tokens that can be issued to each user. The default value is 24. Enter a value of -1 to entirely remove token limits.
To set the options above, use this syntax in the command-line interface (the angle brackets mark placeholders and are not typed):
tsm configuration set -k <config.key> -v <config_value>
For example, to limit the number of refresh tokens to 5 per user, enter the following:
tsm configuration set -k refresh_token.max_count_per_user -v 5
For more information, see TSM configuration set Options in Tableau Server Help.
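The following script is an added example, not Tableau's own tooling: it applies the three refresh-token options with tsm and first checks that the idle expiry outlasts the Tableau session limit, which the section above states is required for automatic re-authentication. It assumes tsm is on PATH and, because this page does not name the session-limit option key, takes the session limit as an input in minutes.

```shell
#!/bin/sh
# Added example (not Tableau's own tooling): apply a refresh-token policy for
# connected clients with tsm, after checking it against the Tableau session limit.
# Assumes tsm is on PATH; the session limit is taken in minutes as an input.

# A tsm token option accepts -1 (never expire / no limit) or a positive integer.
valid_tsm_int() {
  case "$1" in
    -1) return 0 ;;
    ''|*[!0-9]*|0) return 1 ;;
    *) return 0 ;;
  esac
}

# Builds the exact tsm command line; key and value are passed bare, without
# the <angle brackets> used in the syntax description.
tsm_set_cmd() {
  valid_tsm_int "$2" || return 1
  printf 'tsm configuration set -k %s -v %s\n' "$1" "$2"
}

# Returns 0 when automatic re-authentication can work: the refresh token idle
# expiry (seconds, or -1 for never) must outlast the session limit (minutes).
refresh_outlasts_session() {
  if [ "$1" = -1 ]; then return 0; fi
  [ "$1" -gt $(( $2 * 60 )) ]
}

IDLE=${REFRESH_IDLE_SECONDS:-1209600}          # default: 14 days
ABSOLUTE=${REFRESH_ABSOLUTE_SECONDS:-31536000}  # default: 365 days
MAX_PER_USER=${REFRESH_MAX_PER_USER:-5}         # the page's example value
SESSION_MIN=${SESSION_LIMIT_MINUTES:-240}       # Tableau session limit default

apply_policy() {
  refresh_outlasts_session "$IDLE" "$SESSION_MIN" || {
    echo "idle expiry ${IDLE}s does not outlast the ${SESSION_MIN}-minute session limit" >&2
    return 1
  }
  for kv in "refresh_token.idle_expiry_in_seconds $IDLE" \
            "refresh_token.absolute_expiry_in_seconds $ABSOLUTE" \
            "refresh_token.max_count_per_user $MAX_PER_USER"; do
    set -- $kv
    cmd=$(tsm_set_cmd "$1" "$2") || { echo "invalid value for $1: $2" >&2; return 1; }
    # Run for real when tsm is present; otherwise only show what would be run.
    if command -v tsm >/dev/null 2>&1; then $cmd; else echo "$cmd"; fi
  done
  if command -v tsm >/dev/null 2>&1; then tsm pending-changes apply; fi
}
apply_policy
```

Override any of the four environment variables to change the policy; the script refuses to apply a refresh-token idle expiry that would let sessions end before the tokens can renew them.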
Change session limits for Tableau Server
If you disable connected clients, the session limits for Tableau Server determine the length of a session on Tableau Mobile. These limits don’t affect connected clients, because refresh tokens re-establish the session as long as the tokens are valid. For more information, see Verify session lifetime configuration in Tableau Server Help.
In the command-line interface for Tableau Services Manager, set the following option:
Sets the number of minutes before a Tableau session expires, again requiring sign in. The default value is 240.
Long-lived authentication tokens allow users to remain signed in, giving them frictionless access to data. However, you might have concerns about this open access to data in Tableau Mobile. Rather than requiring users to sign in more frequently, you can enable app lock to give users a secure yet simple way to access content.
App lock for Tableau Mobile doesn’t authenticate users with Tableau Server or Tableau Cloud; instead, it provides a layer of security for users who are already signed in. When app lock is enabled, users must open the app using the security method they have configured for unlocking their devices. Supported biometric methods are Face ID or Touch ID (iOS) and fingerprint, face, or iris (Android). Supported alternative methods are passcode (iOS) and pattern, pin, or password (Android).
Before you enable app lock
Make sure that the Connected Clients setting for Tableau Server or Tableau Cloud is enabled. For more information, see Temporarily keep users signed in. If you don’t have this setting enabled, users will be required to sign in every time they connect to Tableau Server or Tableau Cloud, eliminating the need for an app lock.
For Tableau Server, you can control precisely how long users remain signed in by adjusting the expiration values for refresh tokens. For more information, see Change how long users remain signed in to Tableau Server. An app lock is intended for use with long-lived tokens, such as those that use the default expiration values.
Note: If your Tableau Server installation uses a reverse proxy server, be aware that your users may need to sign in upon unlocking the app. This happens when their reverse proxy tokens have expired while their refresh tokens are still active.
Enable the app lock setting
For Tableau Cloud
- Sign in to Tableau Cloud as an administrator.
- Select Settings, and then select the Authentication tab.
- Under App Lock for Tableau Mobile, check the Enable app lock setting.
For Tableau Server versions 2019.4 and later
- Sign in to Tableau Server as an administrator.
- Navigate to the site for which you want to enable app lock.
- Select Settings.
- Under Tableau Mobile, check the Enable app lock setting.
For Tableau Server versions 2019.3 and earlier
The setting to enable app lock is not available for Tableau Server versions 2019.3 and earlier; however, you can still enable app lock with an AppConfig parameter for MDM and MAM systems. See RequireAppLock in AppConfig keys.
User-enabled app lock
Users can also individually enable app lock for their devices via a setting within the app. However, users can’t disable app lock via this setting if it is enabled by their administrator.
When app lock is enabled
After you enable app lock, users who are signed in will be required to unlock the app when they open it. If users haven’t set up a method to unlock their devices, they will be prompted to do so in order to unlock the app.
If users fail to unlock the app, they will have the option to either try again or log out of Tableau. If users fail to unlock the app after five attempts using a biometric method, or if their devices are not configured for biometrics, they will be prompted to unlock using an alternative method such as a passcode.
Repeated failures to unlock the app using a passcode will result in the user being locked out of the device as a whole, not just the app. The number of attempts before this occurs depends on the device. Further attempts to unlock the device are delayed by increasing amounts of time.
Single sign-on for Tableau Mobile
For single sign-on (SSO) authentication, Tableau Mobile supports SAML and OpenID Connect for all mobile platforms and Kerberos for iOS devices.
SAML
If Tableau Cloud or Tableau Server is configured to use SAML, users are automatically redirected to the identity provider (IdP) for sign-in within Tableau Mobile. However, SAML doesn't relay credentials to other mobile apps using SSO. SAML doesn't require special configuration for mobile devices, except in the case of devices using Microsoft Intune. To enable SAML for Microsoft Intune, see Override the default browser used for authentication.
OpenID Connect
If Tableau Server is configured to use OpenID Connect for authentication, or if Tableau Cloud is configured to use Google (via OpenID Connect), single sign-on takes place with the external identity provider (IdP) using the mobile device’s browser. To enable SSO with the browser, see Authentication with the device browser. To enable OpenID Connect specifically for Microsoft Intune, see Override the default browser used for authentication.
Kerberos (iOS and Tableau Server only)
To use Kerberos authentication, devices must be specially configured for your organization. Kerberos configuration is beyond the scope of this document and Tableau Support, but here are some third-party resources to help get you started.
- Kerberos Single Sign-on for iOS on the Sam's Tech Notes blog
- Mobile Single Sign On from iOS to SAP NetWeaver on the SAP Community Network
- The Configuration Profile Key Reference in the iOS Developer Library
When you set up a configuration profile, you'll need the URLs used to access your Tableau server. For the URLPrefixMatches key, if you decide to list the URL strings explicitly, include URLs with all protocol options and the appropriate port numbers.
If your servers use SSL, your URLs should use the https protocol and the server’s fully qualified domain name. One of the URLs should also specify port 443.
For example, enter https://fully.qualified.domain.name:443/ and https://servername.fully.qualified.domain.name/
If your users access your Tableau server by specifying only the local server name, you should also include those variations.
For example, enter http://servername/ and http://servername:80/
Note: Signing out doesn't clear Kerberos tickets on a device. If stored Kerberos tickets are still valid, anyone using a device can access the server and site a user last signed in to, without providing credentials.
The site switcher on Tableau Mobile allows users to switch between the different Tableau sites that they have access to, without needing to sign out of the current site and in to the target site. For users to be able to switch between sites on Tableau Cloud without needing to re-enter their credentials, certain conditions must be met.
- The user’s Tableau session and the identity provider session are still active on the target site.
- The Sign in with Device Browser setting is enabled. For more information, see Authentication with the device browser.
When users select a site to switch to, the app redirects to the device’s browser to verify the session with the identity provider and then switches to the target site. If the session on the target site has expired, or if the Sign in with Device Browser setting isn’t enabled, users must re-enter their credentials.
You can increase the likelihood that a user’s session is still active by setting a longer session time and by enabling the Connected Clients setting. For more information about connected clients, see Access Sites from Connected Clients.
Note: Tableau Server users don’t need to re-enter their credentials to switch between sites that belong to the same server instance.