Choose the Right Tableau Authentication Method

Authentication and Authorization

To understand the various login methods that Tableau Server supports, we need to understand two basic concepts:

  • Authentication is the process of ascertaining that somebody really is who he claims to be.
  • Authorization refers to the rules that determine who is allowed to do what.

Let’s put these two big words in a Tableau context. Tableau can use various authentication methods: local authentication, Active Directory (AD), SAML, OpenID, etc. These are ways to let Tableau Server determine who you are. After a user is authenticated, Tableau Server then decides which resources that user can access.

In other words, whichever method you choose to authenticate users, it manages only how to validate that somebody really is who he claims to be. Determining who is allowed to do what is always managed by Tableau Server.

Local Authentication vs. Active Directory

When you install Tableau Server, you must select the process that the server will use to manage user authentication: local authentication or Active Directory. Before you install Tableau Server, you should understand how these two options impact your overall authentication strategy.

After this configuration is complete, you cannot change the authentication method. In fact, to change this configuration, you must uninstall the server, delete the configuration on the computer, and then reinstall the server.

Use local authentication if any of the following are true:
  • Your organization does not manage users with Active Directory
  • You do not want to use Active Directory
  • You want to use SAML/OpenID for authentication and single sign-on

Use Active Directory if the following is true:

If you are already using Active Directory to manage users in your organization, then we recommend selecting Active Directory authentication during Tableau setup to make user provisioning and management easier.

Create an SSO experience

Both local authentication and Active Directory can create an experience in which users don’t have to explicitly sign in to Tableau Server. Instead, the credentials they have already used to authenticate are used to authenticate them to Tableau Server, and they can skip the step of entering a username and password to access Tableau Server.

Local Authentication    Active Directory
SAML                    SAML
OpenID                  Integrated Windows Authentication
                        Kerberos

SSO supported by local authentication
  • SAML: With SAML, an external identity provider (IdP) authenticates the user’s credentials, and then sends a security assertion to Tableau Server that provides information about the user’s identity.
  • OpenID: OpenID Connect is a standard authentication protocol that lets users sign in to an identity provider (IdP) such as Google. After they’ve successfully signed in to their IdP, they are automatically signed in to Tableau Server.

SSO supported by Active Directory
  • SAML: Same as above.
  • Integrated Windows Authentication: Automatic logon uses Microsoft SSPI to sign in your users based on their Windows username and password. Users are not prompted for credentials, which creates an experience similar to single sign-on (SSO).
  • Kerberos: If Kerberos is enabled in your environment and if the server is configured to use Active Directory authentication, you can provide users with access to Tableau Server based on their Windows identities.

1 comment

Great read. I shared this on my LinkedIn and my audience loved it!
Keep up the good work. 🙂
