Tableau Authentication

Authentication

Authentication establishes a user's identity. Tableau Server has its own user identity and authentication system that lets you determine who can sign in to Tableau Server and who can publish content to the server. This system also allows a personalized user experience for users who access your instance of Tableau Server.
Users sign in to Tableau Server by opening a browser and entering the name or IP address of the server. They are then prompted to enter their username and password:

User identity in Tableau Server

Any user who signs in and works with content in Tableau Server must have a user identity in the Tableau Server repository and must be assigned a site role. User identities can be added to Tableau Server in the server UI, using tabcmd Commands, or using the REST API.
If the server is configured to use local authentication, when you add a user identity, you specify a username, a password and a site role. In that case, the Tableau Server repository is used exclusively to authenticate the user.
If the server is configured to use Active Directory authentication, the username and password is managed in Active Directory. In that case, when users sign in to the server, their username and password is verified using Active Directory.
For more information, see Users.

Single sign-on options for Tableau Server

Tableau Server supports several types of single sign-on (SSO). With SSO, users don't have to explicitly sign in to Tableau Server. Instead, the credentials they've used to authenticate already (for example, by signing in to your corporate network) are used to authenticate them to Tableau Server, and they can skip the step of entering a username and password to access Tableau Server. With SSO, the user's identity as established externally is mapped to a user identity defined in the Tableau Server repository.
Tableau Server supports these types of SSO:

• SAML.You can configure Tableau Server to use SAML (security assertion markup language) for SSO. With SAML, an external identity provider (IdP) authenticates the user's credentials, and then sends a security assertion to Tableau Server that provides information about the user's identity. For more information, see SAML.
• Kerberos. If Kerberos is enabled in your environment and if the server is configured to use Active Directory authentication, you can provide users with access to Tableau Server based on their Windows identities. For more information, see Kerberos.
• Trusted Authentication. Trusted authentication lets you set up a trusted relationship between Tableau Server and one or more web servers. When Tableau Server receives requests from a trusted web server, it assumes that the web server has already handled whatever authentication is necessary. Tableau Server receives the request with a redeemable token or ticket and presents the user with a personalized view which takes into consideration the user’s role and permissions. For more information, see Trusted Authentication.

Authentication for the REST API

The REST API lets you manage and change Tableau Server resources programmatically, via HTTP. In order to make requests to the server, you must programmatically sign in to the server. The server sends an authentication token that you then add to subsequent requests. For more information, see Signing In and Out (Authentication) in hte REST API documentation.