Authentication and Single Sign-On

In most embedding scenarios, you will want to enable single sign-on so that users who are signed in to your application do not also have to sign in to Tableau Server. There are a few ways to enable single sign-on to Tableau Server.

Note: This page discusses users logging in to Tableau Server. Related, but separate, is the issue of user management in which you ensure all relevant users are registered with Tableau Server.

The guidance for which single sign-on option to use is:

Trusted Authentication

Trusted authentication is, unlike the above options, a piece of functionality specific to Tableau Server. It allows you to trust specific machines to authenticate users on their behalf. Because the authentication happens with simple HTTP requests, it is the most versatile of the single sign-on options and can be used to integrate with essentially all other authentication systems.

The Trusted Authentication documentation is a good resource for getting up and running, but below is a summary of the three steps in the trusted authentication workflow:

  1. Configuration: This is a one-time step where you configure Tableau Server to ‘trust’ specific IP addresses, which will then be allowed to authenticate users. The machines to trust are usually the machines running your web application. [Details]
  2. POST Request: When the user navigates to a page in your web application that contains Tableau content, the web application makes a server-side POST request to Tableau Server, passing the user’s Tableau Server username, the site the content exists on, and, optionally, the client’s IP address in the form data. If the IP address making the request is trusted, and the user exists in Tableau Server, Tableau Server will return a ticket. [Details]
  3. Client loads the view with the ticket: Your web application now instructs the client to load the URL of the desired resource, with the ticket inserted. If the ticket is valid, Tableau Server will start a session for the user and the user will see the visualization. Of course, the user does not see the HTTP requests going on behind the scenes, but simply loads a page in your application and sees embedded Tableau content without having to sign in. [Details]
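
Steps 2 and 3 as a server-side sketch. This is an added example, not code from Tableau or from this page. The server URL is a placeholder, the function names are hypothetical, and the `/trusted` endpoint, the form fields `username`, `target_site` and `client_ip`, and the `-1` refusal response are taken from Tableau's trusted-ticket interface rather than from the text above.

```python
import urllib.parse
import urllib.request

TABLEAU = "https://tableau.example.com"  # placeholder server URL (assumption)


def ticket_request(username, site="", client_ip=None, server=TABLEAU):
    """Step 2: build the server-side POST that asks for a ticket."""
    if not username:
        # The name must be the identity your application already
        # authenticated, never a value taken from the browser request.
        raise ValueError("no authenticated username")
    form = {"username": username}
    if site:
        form["target_site"] = site
    if client_ip:
        # Optional: lets Tableau Server tie the ticket to the browser's address.
        form["client_ip"] = client_ip
    data = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(server + "/trusted", data=data, method="POST")


def parse_ticket(body):
    """Return the ticket, or raise if Tableau Server refused the request."""
    ticket = body.decode("ascii", "replace").strip()
    if not ticket or ticket == "-1":
        # -1 covers an untrusted caller IP as well as an unknown user.
        raise PermissionError("Tableau Server did not issue a ticket")
    return ticket


def view_url(ticket, view_path, site="", server=TABLEAU):
    """Step 3: the URL the client loads, with the ticket inserted."""
    site_part = "/t/" + urllib.parse.quote(site, safe="") if site else ""
    path = urllib.parse.quote(view_path, safe="/")
    return f"{server}/trusted/{ticket}{site_part}/views/{path}"


def embed_url_for(session_user, view_path, site="", client_ip=None,
                  send=urllib.request.urlopen):
    """Request a fresh ticket for the signed-in user and build the embed URL.

    `send` is injectable so the flow can be exercised without a server.
    """
    req = ticket_request(session_user, site, client_ip)
    with send(req, timeout=5) as resp:
        return view_url(parse_ticket(resp.read()), view_path, site)
```

Request a new ticket for every page load that embeds a view, and keep the POST on the server side so that only the trusted machines from step 1 ever talk to `/trusted`.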

Additional considerations:

Kerberos, Active Directory, SAML, and OpenID
