KNOWLEDGE BASE

Embedding Tableau Server Dashboards into a Website without Prompting for Credentials


Published: 04 Jun 2018
Last Modified Date: 26 Aug 2019

Question

When embedding a Tableau Server view into a web page, how do I ensure that no prompt for username or password credentials is shown?

Environment

  • Tableau Server
  • Embedded views

Answer

To ensure no prompt for username or password credentials occurs inside an embedded view, both user credentials and database credentials need to be addressed.

Tableau Server User Credentials

Tableau Server must be able to authenticate the viewer of an embedded Tableau Server view as a valid Tableau Server user before allowing the user to open the embedded view. This can result in a login screen being presented. There are several options to prevent this:

Option 1: Use Guest user access

If Tableau Server uses a core-based license, a Guest User can be enabled which would allow any viewer to access an embedded view with the permissions authorized to the Guest User account without requiring login credentials.

Note that Guest User will be used first on embedded views where the Guest User has permissions to open the view. For example, if Automatic Login for Active Directory is enabled, a user opening an embedded view will be authenticated as the Guest User, and not with Integrated Windows Authentication. To use Integrated Windows Authentication, permissions need to be set to deny viewing for the Guest User on that view. For further details, see Guest User.

Option 2: Use Trusted Authentication

Tableau Server provides a mechanism to request and redeem authentication tickets for a user and a view in situations where a web server is handling user authentication. This requires third-party cookies to be enabled on the user's browser.

Note that Safari disables these by default. See Trusted Authentication for details on how to configure this feature.

Option 3: Single Sign-On

If a Single Sign-On feature has been implemented, then a user can be authenticated by Tableau Server without requiring a Tableau Server login screen. IdP logins may be presented. See Authentication for details.

A note for SAML and OpenID Connect

The default behavior when embedding a view using SAML or OpenID Connect authentication is to display a "Sign in to <Server Name>" button in the frame. Clicking this button will open a new window where authentication with the IdP will then happen.
To avoid the button, use a different solution like Guest User or Trusted Authentication, or, if the IdP supports in-frame authentication, you can do the following to suppress the button:

Note: Enabling this ability requires disabling Clickjack protection, introducing an increased exposure to clickjacking attacks. 

For Tableau Server on Linux and Tableau Server on Windows 2018.2 and Newer Versions
For OpenID Connect:

  1. Open a command prompt as an Administrator on the computer where Tableau Server is installed
  2. Execute the following commands:
tsm configuration set –k wgserver.openid.iframed_idp.enabled -v true
tsm pending-changes apply
tsm restart

For Server-Wide SAML
  1. Open a command prompt as an Administrator on the computer where Tableau Server is installed
  2. Execute the following commands:

tsm configuration set –k wgserver.saml.iframed_idp.enabled -v true
tsm pending-changes apply
tsm restart

For Tableau Server on Windows 2018.1 and Older Versions

For OpenID Connect:
  1. Open a command prompt as an Administrator on the computer where Tableau Server is installed.
  2. Navigate to the Tableau Server bin directory.
  3. Execute the following commands:
    • tabadmin set wgserver.openid.iframed_idp.enabled true
    • tabadmin restart

For Server-Wide SAML:

  1. Open a command prompt as an Administrator on the computer where Tableau Server is installed.
  2. Navigate to the Tableau Server bin directory.
  3. Execute the following commands:
    • tabadmin set wgserver.saml.iframed_idp.enabled true
    • tabadmin restart

For all versions of Tableau Server
For Site-Specific SAML:

Ensure the below two options are properly configured under Settings > Authentication and clicking the "Edit Connection" link under "SAML"
  • Set the Default authentication type for embedded views to SAML
  • Under Embedding options, select Authenticate using an inline frame (less secure; not supported by all IdPs). 
For more information, see Configure Site-Specific SAML

Data Source Credentials

Data sources used by views on Tableau Server or Tableau Online often require credentials to authenticate access to the data source (exceptions are flat files like Excel or text files or Tableau Data Extracts which only require credentials on refresh). If a login request is not desired, the recommended solution is to set "Embedded password" for the data source when publishing. Alternatively, there are also Single Sign On alternatives for specific data sources:
Did this article resolve the issue?