Last Modified Date: 04 May 2023
Environment
- Tableau Server
- Embedded views
Answer
To ensure no prompt for username or password credentials occurs inside an embedded view, both user credentials and database credentials need to be addressed.Tableau Server User Credentials
Tableau Server must be able to authenticate the viewer of an embedded Tableau Server view as a valid Tableau Server user before allowing the user to open the embedded view. This can result in a login screen being presented. There are several options to prevent this:Option 1: Use Guest user access
If Tableau Server uses a core-based license, a Guest User can be enabled which would allow any viewer to access an embedded view with the permissions authorized to the Guest User account without requiring login credentials.Note that Guest User will be used first on embedded views where the Guest User has permissions to open the view. For example, if Automatic Login for Active Directory is enabled, a user opening an embedded view will be authenticated as the Guest User, and not with Integrated Windows Authentication. To use Integrated Windows Authentication, permissions need to be set to deny viewing for the Guest User on that view. For further details, see Guest User.
Option 2: Use Connected Apps (versions 2021.4 and later only)
Tableau Server 2021.4 or later provides a REST API mechanism to facilitate an explicit trust relationship between Tableau Server and custom applications that embed Tableau Server views. It does so using a JSON Web Token (JWT) This requires third-party cookies to be enabled on the user's browser unless configured for partitioned storage in Firefox or Chrome.
Note that Safari disables these by default. See Connected Apps Methods for details on how to configure this feature.
Option 3: Use Trusted Authentication
Tableau Server provides a mechanism to request and redeem authentication tickets for a user and a view in situations where a web server is handling user authentication. This requires third-party cookies to be enabled on the user's browser.Note that Safari disables these by default. See Trusted Authentication for details on how to configure this feature.
Option 4: Use an Identity Provider's External Authorization Server (versions 2021.4 and later only)
Tableau Server 2021.4 or later provides a way to register a third-party Identity Provider's External Authorization Server to send a JSON Web Token (JWT) to validate a trust relationship between the IdP and Tableau Server. This requires third-party cookies to be enabled on the user's browser unless configured for partitioned storage in Firefox or Chrome.
Note that Safari disables these by default. See Register EAS to Enable SSO for Embedded Content for details on how to configure this feature.
Option 5: Single Sign-On
If a Single Sign-On feature has been implemented, then a user can be authenticated by Tableau Server without requiring a Tableau Server login screen. IdP logins may be presented. See Authentication for details.
A note for SAML and OpenID Connect
The default behavior when embedding a view using SAML or OpenID Connect authentication is to display a "Sign in to <Server Name>" button in the frame. Clicking this button will open a new window where authentication with the IdP will then happen.To avoid the button:
If using Tableau Server 2021.4
Use a different solution like Guest User or Trusted Authentication, or, if the IdP supports in-frame authentication, you can do the following to suppress the button:
Note: Enabling this ability requires disabling Clickjack protection, introducing an increased exposure to clickjacking attacks.
For Tableau Server on Linux and Tableau Server on Windows 2018.2 and Newer Versions
For OpenID Connect:
- Open a command prompt as an Administrator on the computer where Tableau Server is installed
- Execute the following commands:
tsm configuration set –k wgserver.openid.iframed_idp.enabled -v true
tsm pending-changes apply
tsm restart
For Server-Wide SAML
- Open a command prompt as an Administrator on the computer where Tableau Server is installed
- Execute the following commands:
tsm configuration set –k wgserver.saml.iframed_idp.enabled -v true
tsm pending-changes apply
tsm restart
For all versions of Tableau Server
For Site-Specific SAML:
Ensure the below two options are properly configured under Settings > Authentication and clicking the "Edit Connection" link under "SAML":
- Set the Default authentication type for embedded views to SAML.
- Under Embedding options, select Authenticate using an inline frame (less secure; not supported by all IdPs).