Editor’s Note: Huge thanks to Robin Cottiss, who helped me navigate the world of authentication in Tableau, as he has for so many years, to be able to write this. He doesn’t have the same online presence as a lot of other Tableau wizards but I can’t say how much of my and others’ Tableau knowledge that is out there has either been guided by or just a straight repackaging of the hard-gained work Robin has put in.
When embedding Tableau vizes for external use, the three most common SSO mechanisms are Trusted Authentication, SAML, and OpenID Connect (OIDC).
Trusted Authentication (also called Trusted Tickets) has two modes, which are set as server-level flags:
- Restricted (default): A user can only see Vizes, and cannot see the full Tableau Server UI.
- Unrestricted: Redeeming the ticket creates a full session to Tableau Server, and the user can see the full Tableau Server UI.
SAML and OpenID Connect always create a full session, so they work like Unrestricted Tickets.
Additionally, Restricted Trusted Tickets (the default Trusted Authentication mode) also disable:
- Custom Views
- Subscriptions
- Alerts
- Other interactions with Web Edit, Ask Data, etc.
Many customers would prefer to have a session, started with any of the three SSO mechanisms, that allows all the Viz features but doesn’t let the user ever get to the full Tableau Server UI. Is it possible?