I have no idea but am interested in the question. If you don't get a response you may want to contact Tableau Support. Be sure to keep us updated, this is a really good question!
2 of 2 people found this helpful
Yup, it is a good question.
Different networks won't work unless you somehow make Tableau Server available in an extranet environment, but this becomes complex from a secure lockdown nature and it's a whole other creature.
And currently, TS has a constraint of pointing at one AD domain for the entire cluster. An option that we have explored to open it up to multiple AD domains for SSO is SAML. With this, we pointed SAML at our AD FS instance; however, there was still a constraint that it could only point at one instance. So to get around this, there is the option of using an AD FS proxy which then handles communication amongst the domains. We have chosen not to go down this path, but are looking at other viable options, one of them being GLUU. The problem with GLUU is that it doesn't do pass-through seamless SSO, but we for the most part have enabled trusted authentication, which GLUU will work with.
One final thought: I have seen some chatter around the forums about Tableau 10 enhancing security to work at a site level (e.g. site 1 can point at domain 1, site 2 can point at domain 2), though I don't have many details to share.
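The trusted authentication that the post above relies on (the proxy asks Tableau Server for a ticket on the user's behalf, then redirects the browser to a ticket-bearing view URL) is easy to get subtly wrong on the proxy side. The following is an added example written for this thread, not Tableau's code and not from the poster's deployment. It assumes a placeholder server host, a hypothetical `FakeTableauServer` transport that stands in for the `/trusted` endpoint so the code runs offline, and the documented behaviour that the endpoint answers with the ticket string or `-1` on refusal. Real deployments must also add the proxy's address to Tableau Server's trusted-hosts list; that is a server-side setting and is not shown here.

```python
"""Tableau trusted-authentication ticket exchange from the proxy's side.

Added example for this thread (assumption-laden: placeholder host, constructed
fake server). Flow per Tableau's documentation:
  1. proxy POSTs username (and optionally target_site, client_ip) to /trusted
  2. server returns a single-use ticket, or "-1" if it refuses
  3. proxy redirects the browser to /trusted/<ticket>/t/<site>/views/<path>
"""
from urllib.parse import parse_qs, quote, urlencode
from urllib.request import Request, urlopen

TRUSTED_TICKET_FAILURE = "-1"  # documented refusal response from /trusted


class TrustedTicketError(Exception):
    """Raised when Tableau Server will not issue a ticket."""


def build_ticket_request(server_url, username, target_site="", client_ip=None):
    """Return (url, form-encoded body) for the POST to /trusted."""
    fields = {"username": username, "target_site": target_site}
    if client_ip:  # only when wgserver.extended_trusted_ip_checking is on
        fields["client_ip"] = client_ip
    return f"{server_url.rstrip('/')}/trusted", urlencode(fields).encode()


def http_transport(url, body):
    """Real transport: POST the form and return the response body as text."""
    with urlopen(Request(url, data=body, method="POST"), timeout=10) as resp:
        return resp.read().decode().strip()


def request_trusted_ticket(server_url, username, target_site="", client_ip=None,
                           transport=http_transport):
    """Ask the server for a ticket; never hand "-1" or an empty body to a user."""
    url, body = build_ticket_request(server_url, username, target_site, client_ip)
    ticket = transport(url, body).strip()
    if not ticket or ticket == TRUSTED_TICKET_FAILURE:
        raise TrustedTicketError(
            f"server refused a ticket for {username!r} "
            "(user unknown, site unknown, or proxy not a trusted host)")
    return ticket


def build_redirect_url(server_url, ticket, view_path, target_site=""):
    """One-time URL the browser is sent to; ticket is consumed on first use."""
    site = f"/t/{quote(target_site, safe='')}" if target_site else ""
    return f"{server_url.rstrip('/')}/trusted/{quote(ticket, safe='')}{site}/views/{view_path}"


class FakeTableauServer:
    """Constructed stand-in for /trusted (assumption: only the documented
    accept/refuse behaviour is modelled; no real authentication happens)."""

    def __init__(self, users, sites):
        self.users, self.sites, self.issued = set(users), set(sites), 0

    def __call__(self, url, body):
        if not url.endswith("/trusted"):
            return TRUSTED_TICKET_FAILURE
        form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
        if form.get("username") not in self.users or form.get("target_site", "") not in self.sites:
            return TRUSTED_TICKET_FAILURE
        self.issued += 1
        return f"constructed-ticket-{self.issued}"


def demo():
    """Run the exchange against the fake server: one success, one refusal."""
    server = "https://tableau.example"  # placeholder host
    fake = FakeTableauServer(users={"alice"}, sites={"", "Clients"})
    ticket = request_trusted_ticket(server, "alice", target_site="Clients", transport=fake)
    url = build_redirect_url(server, ticket, "Sales/Overview", target_site="Clients")
    try:
        request_trusted_ticket(server, "mallory", transport=fake)  # unknown user
        refused = False
    except TrustedTicketError:
        refused = True
    return ticket, url, refused


if __name__ == "__main__":
    print(demo())
```

The check on `-1` is the part worth keeping: a proxy that blindly interpolates the response into the redirect URL sends the user to `/trusted/-1/...`, which fails noisily and leaks nothing, but a proxy that treats any non-empty body as success will also accept error pages if the endpoint is ever fronted by another layer. Keeping the trusted-hosts list to the proxy's own address is what stops anyone else on the network from minting tickets for arbitrary usernames.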
I also forgot to mention that if a 2-way trust between domains is an option, then definitely proceed down this path. This is by far the simplest, but I easily forgot it because our security team is not allowing it in our deployment.
Thank you for the detailed response. I just heard from Tableau Support and they also recommend SAML + 2-way trust between domains. Why is 2-way trust not allowed in your deployment though? Are there other factors to consider first?
The only factor is the security policy within your company. For us, TS is accessible by both internal employees and external clients (via a proxy and trusted auth). Both user sets live in the same domain, but this needs to change so that the external clients are in their own domain; our security team will not permit a 2-way trust.
1 of 1 people found this helpful
Also, I believe if you have a 2-way trust, then you don't really need SAML. Let us know if you find it to be different.