3 Replies Latest reply on Mar 7, 2016 2:14 PM by lindy.eberhart.0

    How to manage users in a SAML configuration


      Quick background - within our system, there are 8 institutions.  Each institution has their own IT division and own AD domain.  We would like all the institutions to be able to use a single Tableau server.  Each institution will then be given their own site on the server.  Since there are 8 different ADs, we are looking to use SAML for authentication.


      • If we can't connect multiple ADs, do we have to check "local authentication" during configuration?


      • If so, do we have to enter users into Tableau server manually in order for those users to authenticate?


      For example, only certain users from institution ABC and only certain users from institution XYZ will be allowed to access the ABC and XYZ site in Tableau server respectively.  To ensure only those users have access to their appropriate sites, do I enter the users into server and then allow SAML to handle the auth?  By using SAML, user passwords will not be stored in Tableau server, correct?


      I suppose my question is really related more towards authorization.  (I'm new to this and trying to make sense of it prior to configuring it with our IT team.  Please bear with me.)

        • 1. Re: How to manage users in a SAML configuration

          Hi Kate,


          If there is no two-way trust between the Tableau Server domain and the domains of the users, then yes: you will need to use local authentication to add users. Importing them from Active Directory will not work. If you would like to import them via Active Directory, a two-way trust would need to be established between the Tableau Server domain and the domains of the AD users.


          The rest of my answer will assume that establishing a two-way trust is not possible in your scenario.


          • RE: local auth. Since you do not have two-way trust between domains you will need to use Local Authentication. I would advise using domain\username or username@domain for the usernames to avoid collisions (for example, jsmith@domain instead of jsmith). It is crucial to note that the IdP must send both the domain and username for a user in this case (as the username attribute), and these must match the user exactly in Tableau Server. These can be sent either as domain\username or username@domain.
          • RE: Manual adding of users. It is possible to script the add users command either through the tabcmd utility or through the REST API. This would require scripting knowledge from your IT team. Otherwise yes, you would need to manually add these users. Here are the reference guides for scripting the Tableau Server add users command:
          • RE: authorization. Only users added to the Tableau Server itself will be able to access content (workbooks, views, data sources). In other words, if the user has an account on your SAML IdP but has not been added as a user on Tableau Server they will not be able to access Tableau Server.
          • RE: password storage in Tableau Server. When creating a local user in Tableau Server you must specify a password. However, since you are using SAML the password stored on Tableau Server will not be used. Your SAML IdP will validate the user's password.


          I hope this helps!

          3 of 3 people found this helpful
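
Added example (not part of the thread and not Tableau's code): a small Python model of the points in the first reply, showing why bare usernames collide across institutions, how `username@domain` local accounts avoid that, and that an IdP-asserted username only gets access when it matches a provisioned account exactly. The domains `abc.example` and `xyz.example`, the site names, the helper names, the exact string comparison and the random throwaway password are assumptions made for illustration.

```python
import secrets
from collections import defaultdict

# Constructed sample data: institution domain -> users allowed on that institution's site.
ALLOWED = {
    "abc.example": ["jsmith", "kdoe"],
    "xyz.example": ["jsmith", "mlee"],
}

def bare_collisions(allowed):
    """Bare usernames that exist in more than one domain (why qualification is needed)."""
    seen = defaultdict(set)
    for domain, users in allowed.items():
        for user in users:
            seen[user].add(domain)
    return sorted(u for u, domains in seen.items() if len(domains) > 1)

def build_roster(allowed):
    """Map each qualified local username (username@domain) to its site and password."""
    roster = {}
    for domain, users in allowed.items():
        site = domain.split(".")[0].upper()  # hypothetical site naming: ABC, XYZ
        for user in users:
            name = f"{user}@{domain}"
            if name in roster:
                raise ValueError(f"duplicate local username: {name}")
            # A local user needs a password, but it is not used under SAML,
            # so this model stores a random value that nobody knows (assumption).
            roster[name] = {"site": site, "password": secrets.token_urlsafe(24)}
    return roster

def site_for(asserted_username, roster):
    """Return the site for the username the IdP asserted, or None without an exact match."""
    entry = roster.get(asserted_username)
    return entry["site"] if entry else None

if __name__ == "__main__":
    roster = build_roster(ALLOWED)
    print("bare-name collisions:", bare_collisions(ALLOWED))
    for asserted in ["jsmith@abc.example", "jsmith@xyz.example",
                     "jsmith", "newhire@abc.example"]:
        # An IdP account that was never provisioned locally resolves to None.
        print(asserted, "->", site_for(asserted, roster))
```
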
          • 2. Re: How to manage users in a SAML configuration
            Jeff Strauss

            Is there any way to add a local user with AD still being enabled?

            • 3. Re: How to manage users in a SAML configuration

              Hi Jeffrey,


              Currently mixed mode authentication (local and AD auth) is not supported in Tableau Server. There is an ideas forum on this topic though - please vote it up if you would like to see this functionality built in!

              Tableau Server: Mixed authentication methods


              Changing the authentication mode from Active Directory to Local involves re-installing the Tableau Server. The full instructions can be found here:

              Modifying Tableau Server Authentication Method | Tableau Software


              Hope that helps!

              1 of 1 people found this helpful