Resolve Identity Migration Conflicts
During the identity migration, Tableau Server might encounter certain user identities that can’t be migrated to use the Identity Service. When user identities can’t be migrated, they become identity conflicts that require you, the administrator, to manually resolve them.
To ensure that user identities are migrated correctly, you must resolve or address all identity conflicts before the identity migration can complete, using the dedicated Identity Migration page.
Step 1: Resolve identity conflicts
You can resolve identity conflicts in a few ways depending on the conflict type. Regardless of the conflict type, all user identities must be resolved or addressed before you can proceed to Step 2 below and before the identity migration process can complete.
When identity conflicts occur, the identity migration will group the conflicts into types. These types help narrow down the reason why the migration is unable to migrate the user identity automatically.
There are a few reasons why identity conflicts can occur. For example, you might see an identity conflict when the migration has identified a Tableau Server user that matches more than one user identity in the external identity store.
When identity conflicts are identified, you can address them using one of the following options:
Retry Migration - This option moves the selected user identities back into the queue to be migrated again. After the migration jobs have run again, it’s possible that the identity conflicts will resolve on their own, the original identity conflicts will occur again or new identity conflicts will occur.
Acknowledge - This option moves the selected user identities to the Acknowledged tab. When you acknowledge user identities, you understand that 1) those users don’t have matching user identities in an identity store and will therefore not be migrated, and 2) those users will be unable to sign in to Tableau Server after you enable the Identity Service in Step 3 below.
Reevaluate - When conflicts have already been acknowledged, from the Acknowledged tab, this option moves the selected user identities back to their conflict state. This option gives you the chance to see the original conflict, resolve the conflict or acknowledge the identity conflict again.
Quick reference: Identity conflicts
Conflict type | Applies to configuration | Conflict reason | Action |
All failures | All | This tab captures all identity conflicts categorised in the No matches, Ambiguous, Duplicate, Not local and Unknown tabs. | Retry Migration or Acknowledge |
No matches | AD, LDAP | The user identities have no matching users in the external identity store. | Retry Migration or Acknowledge |
Ambiguous | AD, LDAP | For the specified user identities, there is more than one possible match in the external identity store. | Retry Migration, Acknowledge or select one of the suggested user identities |
Duplicate | AD | Two user identities were created using one AD account. This is an artefact of legacy functionality that is not supported in the Identity Service. | Retry Migration or Acknowledge |
Not local | Local | User identities that are associated with an identity store that is not local. This conflict occurs because manual changes were made that are not supported. | Retry Migration or Acknowledge |
Unknown | All | This conflict might indicate an internal Tableau Server error or an identity conflict caused by a reason not listed in this table. | Retry Migration or Acknowledge |
Acknowledged | All | This tab captures all user identities that will not be migrated. Those users will not be able to sign in to Tableau Server after Tableau Server is configured to use the Identity Service. | Retry Migration or Acknowledge |
To resolve a conflict, follow the steps below.
Sign in to Tableau Server as an administrator.
From the left navigation pane, select Users (or All Sites > Users for a multi-site Tableau Server) and then click the Identity Migration page.
Select one or more user identities in the All Failures tab or in one of the conflict-specific tabs.
From the Actions drop-down menu, click Retry Migration or Acknowledge.
If you select “Retry Migration”, the user identities might generate different conflict types. In this case, address the conflicts as needed until the All failures tab displays "0" like in the image below.
Note: User identities that are acknowledged are ignored in Active Directory (AD) and LDAP group syncs moving forward. If users associated with these users’ identities require access to Tableau Server at a later time, see Troubleshoot Issues with the Identity Migration(Link opens in a new window) for more information.
Step 2: Complete the identity migration
To complete the identity migration, in addition to all identity conflicts being resolved or addressed, all migration jobs have to run before you can enable the Identity Service for Tableau Server.
Do one of the following:
To run the identity migration jobs now, next to the Migration Overview heading, click on the Edit Schedule drop-down arrow, and then select Run Now.
- Alternatively, you can wait for the migration to run during the next scheduled time.
From the Identity Migration page, validate that the Migration Overview displays 100% complete.
Step 3: Configure Tableau Server to use the Identity Service
After the identity migration is complete, configure Tableau Server to use the Identity Service to ensure a more secure and immutable identity structure for the user provisioning and authentication process.
- Open a command prompt as an administrator on the initial node (where TSM is installed) in the cluster.
Run the following commands:
tsm authentication legacy-identity-mode disable
tsm pending-changes apply
Note: After running the commands above, the dedicated Identity Migration page is removed and no longer accessible. The page is accessible only when
tsm authentication legacy-identity-mode
is enabled.
After Tableau Server is configured to use the Identity Service, when users sign in to Tableau Server, Tableau Server searches for their user identities using their identifiers in the configured identity store. From the identifiers, the universal unique identifiers (UUID) are returned and used to match existing Tableau Server user identities. This process then generates sessions for the users and completes the authentication workflow.