Provision and Authenticate Users Using Identity Pools
Introduced in Tableau Server version 2023.1, identity pools are an identity management tool that uses provisioning and authentication information to enable user access to Tableau Server. Identity pools enable a more centralized and flexible identity management workflow built on the Identity Service, which stores and manages user identities in Tableau Server.
Identity pools do not replace the user provisioning and authentication configurations you make using Tableau Services Manager (TSM) during Tableau Server setup. Instead, identity pools are designed to complement and support additional user provisioning and authentication options you might need in your organization, particularly for organizations where TSM is configured with Active Directory (AD) or Lightweight Directory Access Protocol (LDAP). Identity pools add an alternative method, available after Tableau Server setup, for Tableau Server administrators to add users to the Tableau Server deployment; these are often external users, partners, or contractors.
Identity pools are optimized for the following use cases:
External users: A large enterprise organization that doesn't want to add external users to its internal AD.
For example, suppose your organization has two types of employees: regular employees and contract employees. Your regular employees are provisioned through Active Directory (AD) with SAML authentication that is managed through your IdP, Okta. Your contract employees consist of users who are typically assigned temporary group membership or are part of another organization that provisions users outside of AD and authenticates separately. Identity pools enable you to add Tableau Server users who are external to your AD.
Multiple identity stores: An organization hosting SaaS applications that sources users from multiple identity stores.
For example, suppose your organization shares Tableau content to multiple external organizations from a single site. You can separate these users using different identity pools configured with local identity stores to more easily identify and manage the users from each organization.
Security boundaries between internal organizations: An organization of multiple acquired child organizations with distinct security boundaries.
For example, you can add users from the newly acquired organization to an identity pool configured with a local identity store to work around the complexities associated with combining identity stores.
What are identity pools?
An identity pool has three main components: an identity store to provision users, OpenID Connect (OIDC) authentication, and assigned users.
Identity store: The identity store from which you source or provision your users can be a local identity store or an external identity store.
If a local identity store, an identity pool can be configured to use an existing or new local identity store. If an external identity store, an identity pool can use AD or LDAP. However, an identity pool must use the same external identity store you configured in TSM during Tableau Server setup. You can't configure an identity pool to use a different external identity store.
The provisioning and authentication configurations you make in TSM during Tableau Server setup are referred to as the default or “initial pool (TSM configured).”
Authentication: The only supported authentication method for an identity pool is OIDC.
Users: In order for users to sign in to Tableau Server, they must either be sourced from the initial pool (TSM configured) or be a member of at least one identity pool.
When to use identity pools
As a Tableau Server administrator, you can use an identity pool to segment your users into identity cohorts based on where your users are provisioned from and how those users authenticate into Tableau Server. The identity store and authentication configurations you make in TSM during Tableau Server setup, also referred to as the initial pool (TSM configured), remain unchanged; identity pools, by contrast, are configured from Tableau Server itself.
Note: Identity pools are currently available for server-level configuration only. Identity pools can’t be scoped to a site.
More about identity pools
Initial pool (TSM configured) versus identity pools
As noted above, the combination of provisioning and authentication configurations you make in TSM during Tableau Server setup is referred to as the “initial pool (TSM configured)”. The initial pool (TSM configured) is a required component of the Tableau Server setup process and cannot be modified.
An identity pool, however, is optional and you can create as many identity pools as needed from Tableau Server directly.
Impact of identity pools on users' sign-in experience
By default, when no identity pools are created for Tableau Server, there is no change to how your users navigate to the Tableau Server landing page and sign in to Tableau Server.
When one or more identity pools are created, the Tableau Server landing page displays multiple sign-in options. The primary sign-in option is displayed at the top of the page and is the way your users that belong to the initial pool (TSM configured) can sign in.
Below the primary sign-in option are the secondary sign-in options. Each option represents an identity pool, displayed in the order they were created. Users assigned to those pools must sign in using the option for the identity pool they belong to. To help guide your users to the correct sign-in option, consider adding a description to the identity pool when creating one.
Note: All users will see all pools that are configured for your Tableau Server, regardless of their pool membership.
Usernames and identifiers in Tableau
A username is the information that represents the system user. An identifier is used to supplement the username information and can be used by external identity stores as alternatives to usernames.
In Tableau, a username is an immutable value that is used to sign in to Tableau and identifiers are mutable values used in Tableau’s identity structure as a way to match users to their usernames. Identifiers enable Tableau to be more flexible because they can deviate from the username. If there are changes to the username in the external identity store, Tableau Server administrators can update the identifier to ensure users are matched to the correct usernames.
When you add an existing user to an identity pool, you might be able to set an identifier, depending on the identity stores involved. For example, if an existing user belongs to an identity pool configured with a local identity store and you want to add them to an identity pool configured with an AD identity store, you are asked to provide the username, which is used to search for identifiers associated with that user. On the other hand, if an existing user belongs to an identity pool configured with an AD identity store and you want to add them to an identity pool configured with a local identity store, you are asked to provide an optional identifier. An exception is adding a user to the initial pool (TSM configured) when it is configured with a local identity store and local authentication: you will be unable to set an identifier for that user.
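The following is an added example, not Tableau's own code, that models the rules described above in a small Python identity service: a pool must use OIDC, an external-store pool must match the TSM-configured store, a user signs in only through a pool they belong to, usernames are immutable while per-pool identifiers are mutable, and the initial pool with a local store and local authentication takes no identifier. All class and method names (IdentityService, create_pool, resolve_sign_in, update_identifier) and the sample usernames and identifiers are assumptions made for illustration; they are not Tableau APIs or real accounts.

```python
"""Toy model of identity-pool rules (added example; not Tableau Server code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LOCAL, AD, LDAP = "local", "active_directory", "ldap"   # identity store types
EXTERNAL_STORES = {AD, LDAP}
OIDC = "oidc"                                            # only auth method pools support


class IdentityPoolError(ValueError):
    """A configuration or sign-in attempt that violates a rule on this page."""


@dataclass
class IdentityPool:
    name: str
    store_type: str        # LOCAL, AD or LDAP
    auth: str              # identity pools created after setup must be OIDC
    description: str = ""  # shown on the landing page to steer users to the right option


@dataclass
class TableauUser:
    username: str                                               # immutable sign-in name
    pools: Set[str] = field(default_factory=set)                # pool memberships
    identifiers: Dict[str, str] = field(default_factory=dict)   # pool name -> mutable identifier


class IdentityService:
    INITIAL = "initial pool (TSM configured)"

    def __init__(self, tsm_store_type: str, tsm_auth: str) -> None:
        # The initial pool mirrors what TSM was configured with and is not created here.
        self.initial_pool = IdentityPool(self.INITIAL, tsm_store_type, tsm_auth)
        self.pools: Dict[str, IdentityPool] = {}   # dict order == creation order
        self.users: Dict[str, TableauUser] = {}

    def create_pool(self, name: str, store_type: str, auth: str = OIDC,
                    description: str = "") -> IdentityPool:
        if auth != OIDC:
            raise IdentityPoolError(f"pool {name!r}: only OIDC authentication is supported")
        if store_type in EXTERNAL_STORES and store_type != self.initial_pool.store_type:
            raise IdentityPoolError(
                f"pool {name!r}: external store must match TSM store {self.initial_pool.store_type!r}")
        if name == self.INITIAL or name in self.pools:
            raise IdentityPoolError(f"pool {name!r} already exists")
        self.pools[name] = IdentityPool(name, store_type, auth, description)
        return self.pools[name]

    def _pool(self, name: str) -> IdentityPool:
        if name == self.INITIAL:
            return self.initial_pool
        if name not in self.pools:
            raise IdentityPoolError(f"no such pool: {name!r}")
        return self.pools[name]

    def add_user(self, username: str, pool_name: str,
                 identifier: Optional[str] = None) -> TableauUser:
        pool = self._pool(pool_name)
        # Validate before mutating so a rejected call leaves no partial membership.
        if identifier is not None and pool is self.initial_pool \
                and pool.store_type == LOCAL and pool.auth == "local":
            raise IdentityPoolError("identifiers cannot be set for the local/local initial pool")
        user = self.users.setdefault(username, TableauUser(username))
        user.pools.add(pool_name)
        if identifier is not None:
            user.identifiers[pool_name] = identifier
        return user

    def update_identifier(self, username: str, pool_name: str, new_identifier: str) -> None:
        """Re-point a user's identifier (e.g. after a rename in the external store)."""
        user = self.users[username]
        if pool_name not in user.pools:
            raise IdentityPoolError(f"{username!r} is not a member of {pool_name!r}")
        user.identifiers[pool_name] = new_identifier       # username itself never changes

    def resolve_sign_in(self, pool_name: str, presented: str) -> str:
        """Map a value presented at sign-in through one pool to a username, or reject."""
        self._pool(pool_name)
        for user in self.users.values():
            if pool_name not in user.pools:
                continue   # membership is checked per pool, not globally
            expected = user.identifiers.get(pool_name, user.username)
            if expected == presented:
                return user.username
        raise IdentityPoolError(f"no user matches {presented!r} in pool {pool_name!r}")

    def sign_in_options(self) -> List[IdentityPool]:
        """Landing-page order: initial pool first, then pools in creation order."""
        return [self.initial_pool] + list(self.pools.values())


def raises(fn, *args, **kwargs) -> bool:
    """True if calling fn rejects the operation with IdentityPoolError."""
    try:
        fn(*args, **kwargs)
    except IdentityPoolError:
        return True
    return False


if __name__ == "__main__":
    svc = IdentityService(AD, "saml")                      # constructed TSM configuration
    svc.create_pool("Contractors", LOCAL, description="Contract staff: sign in here")
    svc.add_user("ext.alice", "Contractors", identifier="okta|00u1a2b3c")   # constructed
    print(svc.resolve_sign_in("Contractors", "okta|00u1a2b3c"))            # ext.alice
```

The model deliberately resolves sign-ins per pool: a user who exists only in the Contractors pool is rejected at the primary (initial pool) sign-in option even when the presented value is their exact username, which is the behaviour the landing-page description above implies. Treat it as a reading aid for the rules, not as a statement about how Tableau Server stores identities internally.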