4 Replies Latest reply on Oct 30, 2017 12:05 PM by Nick Heigerick

    Tableau server access for Internal and external users

    Philip George



      I have one set of users who are internal to the organization and another set of users external to the organization.


      Can anyone help me with the best practice to authenticate both internal and external users with the Tableau server?


      A couple of questions I have are below.

      • Can we have external and internal user authentication using a single Tableau server, or do we need to go with separate servers for external and internal users?
      • Can we create AD for external users and add internal users AD and external users AD in the single server while configuring?
      • Are there any other ways to authenticate the external users without AD authentication?


      Thanks in advance.




        • 1. Re: Tableau server access for Internal and external users

          Philip - Did you get answers to your questions?




          • 2. Re: Tableau server access for Internal and external users
            Kevin Taylor


            Best practices would say that you should run 2 separate instances of server. This will provide the least amount of risk and would be the easiest deployment.

            With that said, Tableau has made some strides to make it possible to deploy on a single server.


            The next best approach would likely be Site Specific SAML, which was introduced in 10.0. Site SAML will NOT work with AD but will work with Local Authentication. Each external site could leverage its own SAML IdP and maintain its own users, which is a nice benefit. This solution also works for Desktop, Mobile and Browser to the Server. The tradeoff here is that you cannot leverage AD (maybe later).


            Another solution could be to leverage Trusted Tickets/Trusted Authentication via a web server. In this case you could use the JavaScript API to create a custom web application that would trust your URL and would then check your local or AD user store for the content authorization. Content could be maintained safely via separate sites.


            To answer your question about ADs, Tableau can leverage and sync users from multiple AD domains. The sync would require some coding and, I believe, there are vendors like OneLogin that can federate multiple domains externally. As of 10.0 (again, I believe) this only requires 1-way trust, where the internal server does the trusting and the external is the trusted.


            I believe there are additional ways to accomplish this via Kerberos and/or OpenID Connect, but both come with limitations.


            Again, the best practice would be 2 separate servers. This keeps things simple, your internal use case stays 100% behind a firewall with no external trust and your external use case can reside in the DMZ via Reverse Proxy.


            Hope this helps! You can likely Google most of what I mentioned but there's not a single whitepaper that covers everything. The best bet for that would be to listen to the following session from TC16:


            Security & Your Growing Tableau Deployment




            3 of 3 people found this helpful
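
The trusted-ticket flow mentioned in reply 2, sketched as an added example that is not part of the original thread or Tableau's own code: the web application requests a ticket for a server-side mapped user and site, then builds the embed URL. The server URL, the account-to-site mapping and the function names are assumptions made for illustration.

```python
"""Added example: server-side trusted-ticket broker (hypothetical names)."""
import re
import urllib.parse
import urllib.request

TABLEAU = "https://tableau.example.internal"  # assumed server URL
# Assumed mapping kept by the web app: app account -> (Tableau user, site).
EXTERNAL_USERS = {"acme-portal:jdoe": ("ext_jdoe", "acme")}
VIEW_RE = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+$")  # workbook/view


class TicketError(Exception):
    """Raised when no ticket may be requested or none was issued."""


def http_post(url, fields):
    """POST form fields and return the response body as text."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.read().decode().strip()


def embed_url(app_account, view, client_ip=None, post=http_post):
    """Return a one-time embed URL for an already authenticated app user.

    app_account must come from the web app's own session, never from a
    request parameter, because Tableau trusts whatever username is sent.
    """
    if app_account not in EXTERNAL_USERS:
        raise TicketError("no Tableau mapping for this account")
    if not VIEW_RE.match(view):
        raise TicketError("invalid view path")
    username, site = EXTERNAL_USERS[app_account]
    fields = {"username": username, "target_site": site}
    if client_ip:  # only useful when the server is set to match client IPs
        fields["client_ip"] = client_ip
    ticket = post(f"{TABLEAU}/trusted", fields)
    if not ticket or ticket == "-1":
        # -1 means the caller is not trusted or the user/site is unknown.
        raise TicketError("Tableau Server refused to issue a ticket")
    return f"{TABLEAU}/trusted/{ticket}/t/{site}/views/{view}"
```

Because the site is taken from the mapping rather than from the request, an external account can only ever receive a ticket for its own site.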
            • 3. Re: Tableau server access for Internal and external users
              Jeff Strauss

              We (Conversant) have much of what you mention in reference to sharing of a Tableau Server for internal and external. But, it's arduous and takes quite a bit of work.

              - trusted auth

              - 1-way trust

              - reverse proxy to a load balancer that is external facing

              - load balancer rules

              - separate sites

              - JavaScript API

              • 4. Re: Tableau server access for Internal and external users
                Nick Heigerick



                I realize this post is a bit old, but I wanted to ask if you're using AD and Trusted Authentication (TA) in parallel for your respective user groups?


                I'm in the process of planning a deployment that's likely going to serve both internal and external users. External users will authenticate from a cloud app into a company-hosted app that will render Tableau embedded dashboards via TA. Separately, there's an internal group of users we'd like to authenticate via AD. Reading your post made it seem this may be more headache than it's worth. Would you say that's true?


                Thanks in advance,