7 Replies Latest reply on Apr 20, 2015 7:49 AM by Toby Erkson

    Help understanding Authentication model.

    Lazy Rambler



      I have read through Tableau's online help and am confused about the authentication models.


      We are presently using Local authentication and plan to integrate it with SAML.


      I believe SAML is added over local/AD.


      How does local authentication with SAML work? Do we have to keep adding users in Tableau Server all the time? Or does Tableau Server get all the users from the IdP?


      How do you provide authorization? Like access to different workbooks etc.? Do we have to do it manually for every user irrespective of the authentication we use (Local/AD)?

        • 1. Re: Help understanding Authentication model.
          Toby Erkson

          I only know about Active Directory (AD) and you wanted to know a little more about it so with that in mind...


          People still must be added to the Tableau Server individually.  If they exist in your company's AD then they are added to the Server otherwise they cannot be added and thus cannot log in to the Server.  Naturally you can use the tabcmd addusers for bulk loading.


          A nice thing about AD is groups.  If there are a bunch of people who need access to the Server and they all happen to be in the same AD group then you can directly import that group from within Server by going to Groups and clicking the Import link:


          Here is where you would enter in the AD group name or as much of it as you know and using a wildcard (as I show):

          Once you select the specific group (only one at a time) it will display in the Import text box.  Click the Import button and that AD group will become a Tableau user Group of the same name AND it will import all of the users within it.  You would then need to assign licensing & rights accordingly.  Some info on that here: Does tabcmd syncgroup now truly sync?  v8.3.2


          The nice thing is that you can then select the imported AD group at any time and perform a Synchronize (or use the tabcmd sync) to import newly added AD users within that group and remove those no longer in it (a true sync):


          This is AD authentication at a non-detailed level, so just keep that in mind.



          • 2. Re: Help understanding Authentication model.
            Toby Erkson

            Lazy Rambler wrote:



            1)  If you had AD and then integrated it with an IdP for single sign on, how would the authentication/authorization work?


            2)  Do you have to add all the users in AD to IdP and vice versa? Do you go into each user manually in the Tableau Server and give authorization to the workbooks only they have to see?


            3)  If you had AD and then integrated it with an IdP for single sign on, how would the authentication/authorization work?


            4)  Do you have to add all the users in AD to IdP and vice versa? Do you go into each user manually in the Tableau Server and give authorization to the workbooks only they have to see?

            I'll probably delete these two posts to remove the clutter which deviates from the original post.


            2)  Yes, you have to add users to the Server even though they are present in AD.  You are adding the user to the Tableau Server but authenticating via AD.  How exactly this process works I do not know.


            3)  I'm not sure what you mean by "...integrated it with an IdP for single sign on..." as you can only have AD or Local Authentication.


            1) and 4)  Are you asking how to take current AD and convert it to IdP?  If so, I do not know but that is a really good question!  Just guessing here but maybe exporting the user info and putting it into the .csv format that tabcmd can use.  Re-install Tableau Server for IdP and then import the user list via tabcmd.  If I'm understanding correctly, that is


            Pinging Matthew Lutton because I think he uses Local authentication so, if he does, maybe he can shed some light on this...?

            • 3. Re: Help understanding Authentication model.
              Toby Erkson

              I guess I should mention that if you are not getting the answers you're looking for then you should contact Tableau Support and ask them, then post back here your final solution/answer.  I've always had quick and good support with Tableau Support.

              • 4. Re: Help understanding Authentication model.
                Vikram Bandarupalli

                I personally used SAML but used Local Auth and AD. However, I'm taking an educated guess based on my experience with Tableau Server and AD.


                To begin with, there are two aspects to what Tableau Server does:

                - Authentication

                  When a user accesses a workbook/View URL or logs into Tableau, Tableau Server (wgserver.exe) checks whether the user requesting access is a valid user or not. If the user is valid, the server authenticates the user. Otherwise, it generates an error saying 'Not a valid users'.

                - Authorization

                  This will only happen if the user in Authentication is a valid user. Based on the user's security (which groups, sites, kind of access etc.), the user is shown the relevant content.



                Tableau Server provides a few ways to authenticate users. SAML is a 3rd party used across the industry to authenticate the users for an application. SAML does only the authentication but NOT authorization (this is done in Tableau Server).


                Part of setting up SAML requires setting up an IdP with an external identity provider. Examples: PingFederate, OpenAM, Siteminder etc. You can set up a sync of your Active Directory to one of these chosen external providers.


                If you're using local authentication, you still have to add users into Tableau Server. If you're using AD, you can sync the groups into Tableau Server as Toby Erkson suggested.

                If you configure SAML and you used AD/local then,

                Authentication is done by SAML

                Authorization is done by Tableau server( that's the reason you need to have users present on tableau server)


                This link should provide you more details on the workflow: How SAML Authentication Works


                Hope this helps to a certain extent.
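
Added example, not part of any post in this thread and not Tableau's own code: a small reconciliation of the split described in reply 4, where the IdP authenticates and Tableau Server authorizes against its own user list. The CSV layouts, column names and sample users are constructed, and the exact-match rule between the IdP-asserted username and the server username is an assumption the thread does not confirm.

```python
import csv
import io

# Constructed sample exports (hypothetical layout, not a Tableau or IdP format).
IDP_USERS_CSV = "username\nalice\nbob\ncarol\n"
SERVER_USERS_CSV = "username,groups\nalice,Finance;Sales\nbob,\ndave,Finance\n"


def load_idp_users(text):
    """Usernames the IdP is able to assert after a successful login."""
    return {row["username"].strip() for row in csv.DictReader(io.StringIO(text))}


def load_server_users(text):
    """Map each user provisioned on the server to its set of groups."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        users[row["username"].strip()] = {g for g in row["groups"].split(";") if g}
    return users


def reconcile(idp_users, server_users):
    """Classify accounts by where they exist, for access review."""
    provisioned = set(server_users)
    both = idp_users & provisioned
    return {
        # Authenticates at the IdP, but no server account exists to authorize.
        "idp_only": sorted(idp_users - provisioned),
        # Server account without an IdP identity: candidate for review.
        "server_only": sorted(provisioned - idp_users),
        # Exists on both sides but belongs to no group on the server.
        "no_groups": sorted(u for u in both if not server_users[u]),
    }


def sign_in(asserted_username, server_users):
    """Authorization step that follows SAML authentication (exact match assumed)."""
    groups = server_users.get(asserted_username.strip())
    if groups is None:
        return ("denied", set())
    return ("allowed", groups)


if __name__ == "__main__":
    server = load_server_users(SERVER_USERS_CSV)
    print(reconcile(load_idp_users(IDP_USERS_CSV), server))
    print(sign_in("carol", server))
```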




                • 5. Re: Help understanding Authentication model.
                  Matt Lutton

                  I agree with what Vikram and Toby have written thus far -- whatever path you choose will require some leg work, and my experience has been painful with using local authentication. Painful just means it requires time, effort, maintenance, and perhaps most of all, documentation of what you're doing each step of the way.


                  I also agree that contacting support@tableausoftware.com is a good idea in situations like this. The last thing you want to do is get halfway down the chosen path, only to realize what you've chosen is not going to work in all the ways you set out for it to.


                  Best of luck!

                  • 6. Re: Help understanding Authentication model.
                    Lazy Rambler

                    Thanks Vikram Bandarupalli, Toby and Matt


                    I kind of understand a little now.


                    So, if I'm using SAML with Local Authentication, I have to add all the users in Tableau Server. Do the names in SAML and Tableau Server have to be the same?



                    I will do some leg work research and then if we still do not quite get it, will contact Tableau people and will get back to you guys if I find anything new.


                    EDIT: To contact Tableau people, is it just that we have to create a case in our customer portal? That's it? And they can answer any question, if it's not already present? (Sorry, total noob here)

                    • 7. Re: Help understanding Authentication model.
                      Toby Erkson

                      If you have a customer portal then, yes, go that route, definitely!  That's how I do it.