Last Modified Date: 26 Aug 2019
Environment
- Tableau Server
- Embedded views
Answer
To ensure no prompt for username or password credentials occurs inside an embedded view, both user credentials and database credentials need to be addressed.Tableau Server User Credentials
Tableau Server must be able to authenticate the viewer of an embedded Tableau Server view as a valid Tableau Server user before allowing the user to open the embedded view. This can result in a login screen being presented. There are several options to prevent this:Option 1: Use Guest user access
If Tableau Server uses a core-based license, a Guest User can be enabled which would allow any viewer to access an embedded view with the permissions authorized to the Guest User account without requiring login credentials.Note that Guest User will be used first on embedded views where the Guest User has permissions to open the view. For example, if Automatic Login for Active Directory is enabled, a user opening an embedded view will be authenticated as the Guest User, and not with Integrated Windows Authentication. To use Integrated Windows Authentication, permissions need to be set to deny viewing for the Guest User on that view. For further details, see Guest User.
Option 2: Use Trusted Authentication
Tableau Server provides a mechanism to request and redeem authentication tickets for a user and a view in situations where a web server is handling user authentication. This requires third-party cookies to be enabled on the user's browser.Note that Safari disables these by default. See Trusted Authentication for details on how to configure this feature.
Option 3: Single Sign-On
If a Single Sign-On feature has been implemented, then a user can be authenticated by Tableau Server without requiring a Tableau Server login screen. IdP logins may be presented. See Authentication for details.A note for SAML and OpenID Connect
The default behavior when embedding a view using SAML or OpenID Connect authentication is to display a "Sign in to <Server Name>" button in the frame. Clicking this button will open a new window where authentication with the IdP will then happen.To avoid the button, use a different solution like Guest User or Trusted Authentication, or, if the IdP supports in-frame authentication, you can do the following to suppress the button:
Note: Enabling this ability requires disabling Clickjack protection, introducing an increased exposure to clickjacking attacks.
For Tableau Server on Linux and Tableau Server on Windows 2018.2 and Newer Versions
For OpenID Connect:
- Open a command prompt as an Administrator on the computer where Tableau Server is installed
- Execute the following commands:
tsm configuration set –k wgserver.openid.iframed_idp.enabled -v true
tsm pending-changes apply
tsm restart
For Server-Wide SAML
- Open a command prompt as an Administrator on the computer where Tableau Server is installed
- Execute the following commands:
tsm configuration set –k wgserver.saml.iframed_idp.enabled -v true
tsm pending-changes apply
tsm restart
For OpenID Connect:
- Open a command prompt as an Administrator on the computer where Tableau Server is installed.
- Navigate to the Tableau Server bin directory.
- Execute the following commands:
tabadmin set wgserver.openid.iframed_idp.enabled true
tabadmin restart
For Server-Wide SAML:
- Open a command prompt as an Administrator on the computer where Tableau Server is installed.
- Navigate to the Tableau Server bin directory.
- Execute the following commands:
tabadmin set wgserver.saml.iframed_idp.enabled true
tabadmin restart
For all versions of Tableau Server
For Site-Specific SAML:
Ensure the below two options are properly configured under Settings > Authentication and clicking the "Edit Connection" link under "SAML":
- Set the Default authentication type for embedded views to SAML.
- Under Embedding options, select Authenticate using an inline frame (less secure; not supported by all IdPs).
Data Source Credentials
Data sources used by views on Tableau Server or Tableau Online often require credentials to authenticate access to the data source (exceptions are flat files like Excel or text files or Tableau Data Extracts which only require credentials on refresh). If a login request is not desired, the recommended solution is to set "Embedded password" for the data source when publishing. Alternatively, there are also Single Sign On alternatives for specific data sources:Additional Information
Discuss this article... Feedback Forum
Thank you for providing your feedback on the effectiveness of the article.
Open new Case
Continue Searching
Knowledge Base
Community
Product Help
Training and Tutorials