Authentication refers to the options for how users can sign in to their Tableau Cloud site, and how they access it after signing in the first time. Authentication verifies a user’s identity.
Tableau Cloud supports multiple authentication types, which you can configure on the Authentication page.
In addition to the authentication type you configure for your site, multi-factor authentication (MFA) through your SSO identity provider (IdP) is a Tableau Cloud requirement beginning February 1, 2022. If your organization doesn’t work directly with an SSO IdP, you can use Tableau with MFA authentication to meet the MFA requirement. For more information, see About multi-factor authentication and Tableau Cloud below.
Tableau: This is the built-in and default authentication type, requiring no additional configuration steps before you add users. Tableau credentials (also called TableauID) are made up of user name and password, which are stored with Tableau Cloud. Users enter their credentials directly on the Tableau Cloud sign-in page. Beginning February 1, 2022, site admins or other users who authenticate using TableauID must have Tableau with MFA configured. If Tableau with MFA is not configured, users will be prompted to use Tableau with MFA when attempting to sign in based on the Multi-Factor Authentication (MFA) Enforcement Roadmap(Link opens in a new window).
Tableau with MFA: This authentication type uses a combination of 1) TableauID credentials that are comprised of a user name and password, which are stored with Tableau Cloud, and 2) after a successful TableauID authentication, the user is prompted to respond to an additional verification method before accessing the site. For more information, see Multi-Factor Authentication and Tableau Cloud.
Google: If your organization uses Google applications, you can enable Tableau Cloud to use Google accounts for single sign-on (SSO) with MFA using OpenID Connect. When you enable Google authentication, users are directed to the Google sign-in page to enter their credentials, which are stored by Google.
Salesforce: If your organization uses Salesforce, you can enable Tableau Cloud to use Salesforce accounts for single sign-on (SSO) with MFA using OpenID Connect. When you enable Salesforce authentication, users are directed to the Salesforce sign-in page to enter their credentials, which are stored and managed in Salesforce. Minimal configuration may be required. For more information, see Salesforce Authentication.
SAML: Another way to use SSO is through SAML. To do this, you use a third-party identity provider (IdP) with MFA, and configure the site to establish a trust relationship with the IdP. When you enable SAML, users are directed to the IdP’s sign-in page, where they enter their SSO credentials, already stored with the IdP.
In order to get ahead of the rise and constantly evolving threats that can cripple an organization, MFA authentication will be a Tableau Cloud requirement beginning February 1, 2022. MFA is an effective tool for enhancing sign-in security and protecting your organization and its data against security threats. For more information, see the Salesforce Multi-Factor Authentication FAQ(Link opens in a new window) and Multi-Factor Authentication (MFA) Enforcement Roadmap(Link opens in a new window) in the Salesforce Help.
Multi-factor authentication (MFA) is an authentication method to use in conjunction with one of the other authentication methods described above to enhance account security. MFA can be implemented in one of two ways:
SSO and MFA (primary method): To satisfy the MFA requirement, enable MFA with your SSO identity provider (IdP).
Tableau with MFA (alternative method): If you don’t work directly with an SSO IdP, you can instead enable a combination of 1) TableauID credentials, which are stored with Tableau Cloud, and an additional verification method before you and your users can access the site. For more information, see Multi-Factor Authentication and Tableau Cloud.
About Google, Salesforce, or SAML
If you enable Google or SAML authentication on your site, you can select which users you want to sign in using external credentials, and which to use Tableau credentials. You can allow TableauID and one external provider on a site, but each user must be set to use one or the other type. You can configure user authentication options on the Users page.
Important: In addition to these authentication requirements described above, we recommend that you dedicate a site administrator account that is configured for Tableau with MFA authentication. In the event of an issue with SAML or the IdP, a dedicated Tableau with MFA account helps ensure that you have access to your site.
Allow direct access from Tableau connected clients
By default, after users provide their credentials to sign in to a site, they can subsequently access the Tableau Cloud site directly from a connected Tableau client. To learn more, see Access Sites from Connected Clients.
Note: Optionally, you might need to add
*.salesforce.com if MFA with Tableau authentication is enabled for your site and your environment is using proxies that prevent clients from accessing other necessary services.