Philip - Did you get answers to your questions?
Best practices would say that you should run 2 separate instances of server. This will provide the least amount of risk and would be the easiest deployment.
With that said, Tableau has made some strides to make it possible to deploy on a single server.
The next best approach would likely be Site Specific SAML, which was introduced in 10.0. Site SAML will NOT work with AD but will work with Local Authentication. Each external site could leverage its own SAML IdP and maintain its own users, which is a nice benefit. This solution also works for Desktop, Mobile and Browser to the Server. The tradeoff here is that you cannot leverage AD (maybe later).
To answer your question about ADs, Tableau can leverage and sync users from multiple AD domains. The sync would require some coding and, I believe, there are vendors like OneLogin that can federate multiple domains externally. As of 10.0 (again I believe) this only requires 1-way trust where the internal server does the trusting and the external is the trusted.
I believe there are additional ways to accomplish this via Kerberos and/or OpenID Connect but both come with limitations.
Again, the best practice would be 2 separate servers. This keeps things simple: your internal use case stays 100% behind a firewall with no external trust and your external use case can reside in the DMZ via Reverse Proxy.
Hope this helps! You can likely Google most of what I mentioned but there's not a single whitepaper that covers everything. The best bet for that would be to listen to the following session from TC16:
We (Conversant) have much of what you mention in reference to sharing of a Tableau Server for internal and external. But, it's arduous and takes quite a bit of work.
- trusted auth
- 1-way trust
- reverse proxy to a load balancer that is external facing
- load balancer rules
- separate sites
I realize this post is a bit old but I wanted to ask if you're using AD and Trusted Authentication (TA) in parallel for your respective user groups?
I'm in the process of planning a deployment that's likely going to serve both internal and external users. External users will authenticate from a cloud app into a company-hosted app that will render Tableau embedded dashboards via TA. Separately, there's an internal group of users we'd like to authenticate via AD. Reading your post made it seem this may be more headache than it's worth. Would you say that's true?
Thanks in advance,