Authentication
Authentication refers to the options for how users can sign in to their Tableau Cloud site, and how they access it after signing in for the first time. Authentication verifies a user’s identity.
Tableau Cloud supports multiple authentication types, which you can configure on the Authentication page.
This topic is intended for site administrators configuring authentication to a site. For cloud administrators configuring authentication for Tableau Cloud Manager, see Tableau Cloud Manager Authentication.
Regardless of the authentication type you configure for your site, multi-factor authentication (MFA) is required when accessing Tableau Cloud. This contractual requirement went into effect 1 February 2022. For more information, see About multi-factor authentication and Tableau Cloud below.
Tableau with MFA: This is the built-in and default authentication type. It requires users to provide a combination of 1) Tableau credentials (also called TableauID), consisting of a username and password that are stored with Tableau Cloud, and 2) an MFA verification method, such as an authenticator app or security key, to confirm a user's identity. For more information, see Multi-Factor Authentication and Tableau Cloud.
- Tableau: If Tableau hasn't updated your site to require Tableau with MFA yet, you can continue to use this authentication type on a temporary basis. Users enter their TableauID credentials directly on the Tableau Cloud sign-in page.
Google: If your organisation uses Google applications, you can enable Tableau Cloud to use Google accounts for single sign-on (SSO) with MFA using OpenID Connect (OIDC). When you enable Google authentication, users are directed to the Google sign-in page to enter their credentials, which are stored by Google.
OIDC: Another way to use SSO is through generic OpenID Connect (OIDC). To do this, use a third-party identity provider (IdP) with MFA, and configure the site to establish a trust relationship with the IdP. When you enable OIDC, users are directed to the IdP’s sign-in page, where they enter their SSO credentials, already stored with the IdP.
Salesforce: If your organisation uses Salesforce, you can enable Tableau Cloud to use Salesforce accounts for single sign-on (SSO) with MFA using OpenID Connect (OIDC). When you enable Salesforce authentication, users are directed to the Salesforce sign-in page to enter their credentials, which are stored and managed in Salesforce. Minimal configuration may be required. For more information, see Salesforce Authentication.
SAML: Another way to use SSO is through Security Assertion Markup Language (SAML). To do this, use a third-party identity provider (IdP) with MFA, and configure the site to establish a trust relationship with the IdP. When you enable SAML, users are directed to the IdP’s sign-in page, where they enter their SSO credentials, already stored with the IdP.
Notes:
- Access and management permissions are implemented through site roles. Site roles define which users are admins, and which users are content consumers and publishers on the site. For more information about admins, site roles, groups, Guest User and user-related administrative tasks, see Manage Users and Groups and Set Users’ Site Roles.
- In the context of authentication, it’s important to understand that users are not authorised to access external data sources through Tableau Cloud by virtue of having an account. In other words, in the default configuration, Tableau Cloud does not act as a proxy to external data sources. Such access requires additional configuration of the data source on Tableau Cloud or authentication at the data source when a user connects from Tableau Desktop.
To get ahead of the rise and constantly evolving security threats that can cripple an organisation, MFA authentication became a Tableau Cloud requirement beginning 1 February 2022. MFA is an effective tool for enhancing sign-in security and protecting your organisation and its data against security threats. For more information, see the Salesforce Multi-Factor Authentication FAQ(Link opens in a new window) in Salesforce Help.
To enhance account security, multi-factor authentication (MFA) is an authentication method that must be used in conjunction with one of the other authentication methods described above. MFA can be implemented in one of two ways:
SSO and MFA (recommended method): To satisfy the MFA requirement, enable MFA with your SSO identity provider (IdP).
Tableau with MFA (alternative method): If you don’t work directly with an SSO IdP, you can instead enable a combination of 1) TableauID credentials, which are stored with Tableau Cloud, and 2) an additional verification method before you and your users can access the site. We also recommend that users set up recovery codes as a backup verification method for emergency cases only. For more information, see Multi-Factor Authentication and Tableau Cloud.
About Google, OIDC, Salesforce or SAML configurations
If you enable Google, OIDC, Salesforce or SAML authentication on your site, you can select which users you want to sign in using external credentials and which to use Tableau credentials (Tableau ID). You can allow Tableau and one or more external providers configured for a site, but each user must be set to use one or the other type. You can configure user authentication options on the Users page.
Important: In addition to these authentication requirements described above, we recommend that you dedicate a site administrator account that is configured for Tableau with MFA authentication. In the event of an issue with SAML or the IdP, a dedicated Tableau with MFA account helps ensure that you have access to your site.
Notes about configuring additional authentication methods
Beginning in November 2024 (Tableau 2024.3), you can configure one or more authentication methods for your site.
Each authentication configuration requires a name. Existing configurations that were created before November 2024 will be given a name automatically. For example, if SAML was configured for your site before November 2024, the configuration name is "Initial SAML". Names for existing configurations can't be changed.
The maximum number of configurations that a site can have depends on when the site was created and if SAML or OIDC was configured.
For sites created before November 2024 upgrade:
If you configured SAML only or OIDC only before the November 20204 upgrade, you can create up to 19 configurations.
If you configured SAML and then OIDC or OIDC then SAML before the November 2024 upgrade, you can create up to 18 configurations.
For sites created after the November 2024 upgrade, you can create up to 20 configurations.
Note: Configurations can be enabled, disabled and deleted. However, the SAML configuration associated with SCIM can't be disabled or deleted until the SCIM capability has been turned off. For more information about SCIM, see Automate User Provisioning and Group Synchronisation through an External Identity Provider.
Allow direct access from Tableau connected clients
By default, after users provide their credentials to sign in to a site, they can subsequently access the Tableau Cloud site directly from a connected Tableau client. To learn more, see Access Sites from Connected Clients.
Note: Optionally, you might need to add *.salesforce.com if MFA with Tableau authentication is enabled for your site and your environment is using proxies that prevent clients from accessing other necessary services.
Other authentication scenarios: Embedding and integration
You can put analytics directly in your users’ workflows by integrating and embedding Tableau into custom web portals, applications and customer-facing products. For integration of external applications with Tableau Cloud and embedding Tableau Cloud content, there are additional mechanisms to authenticate users who access Tableau depending on the intended workflow:
Embedding with Tableau connected apps:
Direct trust – Tableau connected apps enable a seamless and secure authentication experience by facilitating an explicit trust relationship between your Tableau Cloud site and external applications where Tableau content is embedded. The trust relationship provides your users with a single sign-on (SSO) experience without having to integrate with an identity provider. Using connected apps also enables a programmatic way to authorise access to the Tableau REST API using JSON Web Tokens (JWTs). For more information, see Configure Connected Apps with Direct Trust.
OAuth 2.0 trust – You can register an external authorisation server (EAS) with Tableau Cloud to establish a trust relationship between your site and the EAS using the OAuth 2.0 standard protocol. The trust relationship provides your users with a single sign-on experience (SSO), through your IdP, to embedded Tableau content. In addition, registering an EAS enables a programmatic way to authorise access to the Tableau REST API using JSON Web Tokens (JWTs). For more information, see Configure Connected Apps with OAuth 2.0 Trust.
Salesforce integration: Augment your data analysis through machine learning models and comprehensive statistical analysis using Einstein Discovery. For more information, see Configure Einstein Discovery Integration.
Slack integration: Make Tableau notifications available to licensed Tableau users in their Slack workspace. For more information, see Integrate Tableau with a Slack Workspace.
Other articles in this section
- Multi-Factor Authentication and Tableau Cloud
- Google Authentication
- OpenID Connect
- Salesforce Authentication
- SAML
- Automate User Provisioning and Group Synchronisation through an External Identity Provider
- Use Tableau Connected Apps for Application Integration
- Personal Access Tokens
- Access Sites Directly from Connected Clients