Access Sites from Connected Clients
By default, Tableau Cloud allows users to access their sites directly from a Tableau client. It allows this access after the user provides credentials the first time they sign in from the client. A client in this case is a Tableau application or service that can exchange information with Tableau Cloud. Examples of Tableau clients include Tableau Desktop, Tableau Prep Builder, Tableau Bridge, and Tableau Mobile.
Tableau Cloud establishes a connected client by creating a secure refresh token that uniquely identifies a user when the user signs in from the client.
Connected client requirement for Tableau Bridge
The default connected client option must remain enabled for the site to allow Tableau Bridge clients to run unattended and, if enabled, support multi-factor authentication with Tableau authentication. If connected clients are disabled for the site, Bridge can only support Tableau user name and password authentication.
Note: If multi-factor authentication (MFA) is enabled with Tableau authentication, Bridge clients must be running Tableau Bridge version 2021.1 and later. For more information about Tableau with MFA, see About multi-factor authentication and Tableau Cloud.
About refresh token expiration
The connected client sessions are managed by refresh tokens. A refresh token is generated after a successful sign-in to Tableau Cloud from the connected client. If the refresh token has not been used in 14 days, then it expires. After the refresh token has expired, a new sign-in to Tableau Cloud from the connected client is required.
If a refresh token is being used regularly, its expiration period depends on when the site was activated. Refresh tokens generated on sites activated in June 2023 (Tableau 2023.2) or later expire after 180 days. Refresh tokens generated on all other sites expire after one year.
After a refresh token has expired, the user must sign in from the connected client to reestablish an authenticated connection to Tableau Cloud.
Opt out of allowing connected clients
Site admins can turn off this functionality to require users to sign in explicitly each time they visit Tableau Cloud.
Opting out of allowing connected clients is recommended if SAML is enabled on your site, and you want to ensure that users do not have access to Tableau Cloud when they are removed from the IdP’s SAML directory.
- Sign in to Tableau Cloud with your site admin credentials.
- Select Settings, and then select the Authentication tab.
- Under Connected clients, clear the Let clients automatically connect to this Tableau Cloud site check box.
If you opt out of connected clients, keep the following points in mind:
- Some clients provide a Remember Me check box, which users can select to remember their user name. Users always need to provide their password.
- For sites configured for single sign-on using SAML authentication, users have direct access to the site after they sign in the first time. They can do this if they do not sign out explicitly by selecting the Sign Out link.
Remove a user’s connected clients
Site admins can remove connected clients (refresh tokens) associated with a particular user, for example, if the user is no longer a member of the site or is seeing a message about exceeding the maximum number of clients in their account.
- Select Users, and on the Site Users page, select the link on the user's display name.
- On the user's page, select the Settings tab.
- In the Connected clients section, remove the appropriate clients.
Users also can go to their own My Account Settings page to remove specific clients.
Monitor refresh token usage
If you have Tableau Cloud with Advanced Management, you can use Activity Log to monitor refresh token usage. Events in the Activity Log that capture refresh token usage include, but are not limited to: issue token, redeem token, and revoke token. For more information about these events, see Activity Log Event Type Reference.
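The expiration rules under About refresh token expiration and the issue, redeem, and revoke events named above, combined into an added example (not Tableau code): it replays token events to find refresh tokens that are still valid for users already removed from the IdP directory. The record fields, the short event names, a token_id that stays the same across redeems, and the June 1 cutover day are assumptions for illustration, not the Activity Log schema.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(days=14)   # page: a token not used in 14 days expires
CUTOVER = datetime(2023, 6, 1)    # page says "June 2023"; the exact day is an assumption

def token_expiry(issued, last_used, site_activated):
    """Earlier of the idle limit and the absolute lifetime stated on the page."""
    lifetime = timedelta(days=180 if site_activated >= CUTOVER else 365)
    return min(last_used + IDLE_LIMIT, issued + lifetime)

def live_tokens(events, site_activated, now):
    """Replay issue/redeem/revoke events; return {token_id: (user, expiry)} still valid at `now`."""
    state = {}
    for e in sorted(events, key=lambda e: e["time"]):
        tid = e["token_id"]
        if e["event"] == "issue":
            # Assumption: issuing the token counts as its first use.
            state[tid] = {"user": e["user"], "issued": e["time"], "last_used": e["time"]}
        elif e["event"] == "redeem" and tid in state:
            s = state[tid]
            # A redeem after expiry cannot extend the token, so it is ignored.
            if e["time"] < token_expiry(s["issued"], s["last_used"], site_activated):
                s["last_used"] = e["time"]
        elif e["event"] == "revoke":
            state.pop(tid, None)
    expiries = {t: (s["user"], token_expiry(s["issued"], s["last_used"], site_activated))
                for t, s in state.items()}
    return {t: v for t, v in expiries.items() if v[1] > now}

def tokens_to_remove(events, removed_users, site_activated, now):
    """Live tokens owned by users who are no longer in the IdP directory."""
    live = live_tokens(events, site_activated, now)
    return {tid: v for tid, v in live.items() if v[0] in removed_users}

# Constructed sample data (hypothetical field names and values).
SITE_ACTIVATED = datetime(2024, 1, 15)
NOW = datetime(2024, 9, 1)
EVENTS = [
    {"event": "issue",  "token_id": "t1", "user": "alice", "time": datetime(2024, 8, 20)},
    {"event": "redeem", "token_id": "t1", "user": "alice", "time": datetime(2024, 8, 28)},
    {"event": "issue",  "token_id": "t2", "user": "bob",   "time": datetime(2024, 8, 1)},
    {"event": "issue",  "token_id": "t3", "user": "carol", "time": datetime(2024, 8, 25)},
    {"event": "revoke", "token_id": "t3", "user": "carol", "time": datetime(2024, 8, 30)},
]

if __name__ == "__main__":
    for tid, (user, exp) in tokens_to_remove(EVENTS, {"alice", "bob"}, SITE_ACTIVATED, NOW).items():
        print(f"{tid} ({user}) valid until {exp:%Y-%m-%d}; remove it under Connected clients")
```

In the sample, alice's token stays usable for 14 days after her last redeem even though she is gone from the IdP, while bob's idle token has already lapsed and carol's was revoked.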