Local Authentication

If the server is configured to use a local identity store, then Tableau Server authenticates users. When users sign in and enter their credentials, whether through Tableau Desktop, tabcmd, the API or the web client, Tableau Server verifies the credentials. Tableau user names stored in the identity store are associated with rights and permissions for Tableau Server. After authentication is verified, Tableau Server manages user access (authorisation) for Tableau resources.

To use local authentication, you must configure Tableau Server with a local identity store during Setup. You cannot use local authentication if your Tableau Server has been configured with an external identity store (LDAP, Active Directory, etc.).

Note: Identity pools, a tool designed to complement and support additional user provisioning and authentication options you might need in your organisation, support OpenID Connect (OIDC) authentication only. For more information, see Provision and Authenticate Users Using Identity Pools.

Password storage

When local authentication is used, the user’s salted and hashed password is stored in the repository. Passwords are never stored directly; instead, the result of salting and hashing the password is stored. Tableau Server uses the PBKDF2 key derivation function with the HMAC SHA512 hashing function.

Configure password settings

After you install Tableau Server with local authentication, you can use Tableau Services Manager (TSM) to configure a number of password-related settings:

  • Password policies: these policies define the requirements for password structure, such as length, character types and other requirements.

  • Password expiration: enable and specify password expiry.

  • Login rate limit: Tableau Server throttles the time between sign-in attempts after users enter 5 incorrect passwords. Users will need to wait a few seconds before attempting another sign-in. If users continue to enter incorrect passwords, then they must wait for exponentially longer periods of time in between sign-in attempts. By default, the maximum time between sign-in attempts is 60 minutes.

    Lock out account access after too many failed attempts. You can specify how many failed attempts users are allowed to enter before they are locked out. For information on how to unlock access to a locked account, see View and manage users on a site.

  • User password reset: Enable users to reset passwords. Enabling password reset will configure Tableau Server to display a link on the sign-in page. Users who forget passwords or want to reset a password can click the link to initiate a reset-password workflow. Password reset must be configured using the TSM CLI, as described below.

  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.

  2. Click on User Identity & Access on the Configuration tab and then click Authentication Method.

  3. Select Local authentication from the drop-down menu to display the password settings.

  4. Configure the password settings and then click Save Pending Changes.

  5. Click Pending Changes at the top of the page.

  6. Click Apply Changes and Restart.