Authentication
Authentication refers to the options for how users can sign in to their Tableau Cloud site, and how they access it after signing in for the first time. Authentication verifies a user’s identity.
Tableau Cloud supports multiple authentication types, which you can configure on the Authentication page.
In addition to the authentication type you configure for your site, multi-factor authentication (MFA) through your SSO identity provider (IdP) is a Tableau Cloud requirement beginning 1st February 2022. If your organisation doesn’t work directly with an SSO IdP, you can use Tableau with MFA authentication to meet the MFA requirement. For more information, see About multi-factor authentication and Tableau Cloud below.
Tableau: This is the built-in and default authentication type, requiring no additional configuration steps before you add users. Tableau credentials (also called TableauID) are made up of username and password, which are stored with Tableau Cloud. Users enter their credentials directly on the Tableau Cloud sign-in page. Beginning 1st February 2022, site admins or other users who authenticate using TableauID must have Tableau with MFA configured. If Tableau with MFA is not configured, users will be prompted to use Tableau with MFA when attempting to sign in based on the Multi-Factor Authentication (MFA) Enforcement Roadmap(Link opens in a new window).
Tableau with MFA: This authentication type uses a combination of 1) TableauID credentials that are comprised of a username and password, which are stored with Tableau Cloud and 2) after a successful TableauID authentication, the user is prompted to respond to an additional verification method before accessing the site. For more information, see Multi-Factor Authentication and Tableau Cloud.
Google: If your organisation uses Google applications, you can enable Tableau Cloud to use Google accounts for single sign-on (SSO) with MFA using OpenID Connect. When you enable Google authentication, users are directed to the Google sign-in page to enter their credentials, which are stored by Google.
Salesforce: If your organisation uses Salesforce, you can enable Tableau Cloud to use Salesforce accounts for single sign-on (SSO) with MFA using OpenID Connect. When you enable Salesforce authentication, users are directed to the Salesforce sign-in page to enter their credentials, which are stored and managed in Salesforce. Minimal configuration may be required. For more information, see Salesforce Authentication.
SAML: Another way to use SSO is through SAML. To do this, use a third-party identity provider (IdP) with MFA, and configure the site to establish a trust relationship with the IdP. When you enable SAML, users are directed to the IdP’s sign-in page, where they enter their SSO credentials, already stored with the IdP.
Notes:
- Access and management permissions are implemented through site roles. Site roles define which users are admins, and which users are content consumers and publishers on the site. For more information about admins, site roles, groups, Guest User and user-related administrative tasks, see Manage Users and Groups and Set Users’ Site Roles.
- In the context of authentication, it’s important to understand that users are not authorised to access external data sources through Tableau Cloud by virtue of having an account. In other words, in the default configuration, Tableau Cloud does not act as a proxy to external data sources. Such access requires additional configuration of the data source on Tableau Cloud or authentication at the data source when a user connects from Tableau Desktop.
About multi-factor authentication and Tableau Cloud
In order to get ahead of the rise and constantly evolving threats that can cripple an organisation, MFA authentication will be a Tableau Cloud requirement beginning 1st February 2022. MFA is an effective tool for enhancing sign-in security and protecting your organisation and its data against security threats. For more information, see the Salesforce Multi-Factor Authentication FAQs(Link opens in a new window) and Multi-Factor Authentication (MFA) Enforcement Roadmap(Link opens in a new window) in the Salesforce Help.
Multi-factor authentication (MFA) is an authentication method to use in conjunction with one of the other authentication methods described above to enhance account security. MFA can be implemented in one of two ways:
SSO and MFA (primary method): To satisfy the MFA requirement, enable MFA with your SSO identity provider (IdP).
Tableau with MFA (alternative method): If you don’t work directly with an SSO IdP, you can instead enable a combination of 1) TableauID credentials, which are stored with Tableau Cloud, and an additional verification method before you and your users can access the site. For more information, see Multi-Factor Authentication and Tableau Cloud.
About Google, Salesforce or SAML
If you enable Google or SAML authentication on your site, you can select which users you want to sign in using external credentials, and which to use Tableau credentials. You can allow TableauID and one external provider on a site, but each user must be set to use one or the other type. You can configure user authentication options on the Users page.
Important: In addition to these authentication requirements described above, we recommend that you dedicate a site administrator account that is configured for Tableau with MFA authentication. In the event of an issue with SAML or the IdP, a dedicated Tableau with MFA account helps ensure that you have access to your site.
Allow direct access from Tableau connected clients
By default, after users provide their credentials to sign in to a site, they can subsequently access the Tableau Cloud site directly from a connected Tableau client. To learn more, see Access Sites from Connected Clients.
Note: Optionally, you might need to add *.salesforce.com if MFA with Tableau authentication is enabled for your site and your environment is using proxies that prevent clients from accessing other necessary services.
Other authentication scenarios: Embedding and integration
You can put analytics directly in your users’ workflows by integrating and embedding Tableau into custom web portals, applications and customer-facing products. For integration of external applications with Tableau Cloud and embedding Tableau Cloud content, there are additional mechanisms to authenticate users who access Tableau depending on the intended workflow:
Embedding with Tableau connected apps:
Direct trust – Tableau connected apps enable a seamless and secure authentication experience by facilitating an explicit trust relationship between your Tableau Cloud site and external applications where Tableau content is embedded. The trust relationship provides your users with a single sign-on (SSO) experience without having to integrate with an identity provider. Using connected apps also enables a programmatic way to authorise access to the Tableau REST API using JSON Web Tokens (JWTs). For more information, see Configure Connected Apps with Direct Trust.
OAuth 2.0 trust – You can register an external authorisation server (EAS) with Tableau Cloud to establish a trust relationship between your site and the EAS using the OAuth 2.0 standard protocol. The trust relationship provides your users with a single sign-on experience (SSO), through your IdP, to embedded Tableau content. In addition, registering an EAS enables a programmatic way to authorise access to the Tableau REST API using JSON Web Tokens (JWTs). For more information, see Configure Connected Apps with OAuth 2.0 Trust.
Salesforce integration: Augment your data analysis through machine learning models and comprehensive statistical analysis using Einstein Discovery. For more information, see Configure Einstein Discovery Integration.
Slack integration: Make Tableau notifications available to licensed Tableau users in their Slack workspace. For more information, see Integrate Tableau with a Slack Workspace.