Embedding Tableau Server Dashboards into a Website without Prompting for Credentials

Answer

There are two contexts, described as A and B below, where credentials can be requested when opening a view in Tableau Server. Both need to be addressed to ensure no prompt for username or password credentials occurs inside an embedded view.

A. Tableau Server User Credentials

Tableau Server must be able to authenticate the viewer of an embedded Tableau Server view as a valid Tableau Server user before allowing the user to open the embedded view. This can result in a login screen being presented. There are several options to prevent this:

1. Use Guest user access

If Tableau Server uses a core-based license, a Guest User can be enabled which would allow any viewer to access an embedded view with the permissions authorized to the Guest User account without requiring login credentials.

Note that Guest User will be used first on embedded views where the Guest User has permissions to open the view. For example, if Automatic Login for Active Directory is enabled, a user opening an embedded view will be authenticated as the Guest User, and not with Integrated Windows Authentication. To use Integrated Windows Authentication, permissions need to be set to deny viewing for the Guest User on that view. For further details, see Guest User.

2. Use Trusted Authentication

Tableau Server provides a mechanism to request and redeem authentication tickets for a user and a view in situations where a web server is handling user authentication. This requires third-party cookies to be enabled on the user's browser.

Note that Safari disables these by default. See Trusted Authentication for details on how to configure this feature.

3. Use one of Tableau Server's Single Sign-On Options

If a Single Sign-On feature has been implemented, then a user can be authenticated by Tableau Server without requiring a Tableau Server login screen. IdP logins may be presented. See Authentication for details.

A note for SAML and OpenID Connect

The default behavior when embedding a view using SAML or OpenID Connect authentication is to display a "Sign in to <Server Name>" button in the frame. Clicking this button will open a new window where authentication with the IdP will then happen. If the button is not desired, either use a different solution like Guest User or Trusted Authentication, or, if the IdP supports in-frame authentication, one can do the following to suppress the button:

Note: Enabling this ability requires disabling Clickjack protection, introducing an increased exposure to clickjacking attacks.

For OpenID Connect:

Open a command prompt as an Administrator on the computer where Tableau Server is installed.
Navigate to the Tableau Server bin directory.
Execute the following commands:
- tabadmin set wgserver.openid.iframed_idp.enabled true
- tabadmin restart
For more information, see the https://onlinehelp.tableau.com/current/server/en-us/tabadmin.htm

For Server-Wide SAML:

Open a command prompt as an Administrator on the computer where Tableau Server is installed.
Navigate to the Tableau Server bin directory.
Execute the following commands:
- tabadmin set wgserver.saml.iframed_idp.enabled true
- tabadmin restart
For more information, see https://onlinehelp.tableau.com/current/server/en-us/tabadmin.htm

For Site-Specific SAML:

Ensure the below two options are properly configured under Settings > Authentication and clicking the "Edit Connection" link under "SAML":

Set the Default authentication type for embedded views to SAML.
Under Embedding options, select Authenticate using an inline frame (less secure; not supported by all IdPs).

For more information, see Configure Site-Specific SAML.

B. Data Source Credentials

Data sources used by views on Tableau Server or Tableau Online often require credentials to authenticate access to the data source (exceptions are flat files like Excel or text files or Tableau Data Extracts which only require credentials on refresh). If a login request is not desired, the recommended solution is to set "Embedded password" for the data source when publishing. Alternatively, there are also Single Sign On alternatives for specific data sources: