Authentication and secure communication for Tableau Mobile
Before you deploy Tableau Mobile, make sure that your confidential data is secure.
Single sign-on for Tableau Mobile apps
The Tableau Mobile app supports local authentication by Tableau Server, or external authentication via Active Directory, SAML, or Kerberos. To integrate with single sign-on (SSO) systems, you need to use SAML or Kerberos.
If your Tableau server is configured to use SAML, users are automatically redirected to the identity provider (IdP) for sign-in within Tableau Mobile. That's all there is to it—SAML doesn't require any special configuration for mobile devices. Unlike Kerberos authentication, however, SAML doesn't relay credentials to other mobile apps using SSO.
For information about server setup, see these topics:
To use Kerberos authentication, devices must be specially configured for your organization. Kerberos configuration is beyond the scope of this document and Tableau Support, but here are some third-party resources to help get you started.
Kerberos Single Sign-on for iOS on the Sam's Tech Notes blog
Mobile Single Sign On from iOS to SAP NetWeaver on the SAP Community Network
The Configuration Profile Key Reference in the iOS Developer Library
When you set up a configuration profile, you'll need the URLs used to access your Tableau server. For the URLPrefixMatches key, if you decide to list the URL strings explicitly, include URLs with all protocol options and the appropriate port numbers.
If your servers use SSL, your URLs should use the https protocol and the server’s fully qualified domain name. One of the URLs also should specify port 443.
For example, enter
If your users access your Tableau server by specifying only the local server name, you should also include those variations.
For example, enter
Note: Signing out does not clear Kerberos tickets on a device. If stored Kerberos tickets are still valid, anyone using a device can access the server and site a user last signed in to, without providing credentials.
Encrypt communication with SSL
As a first step, configure Tableau Server to use Secure Sockets Layer and an SSL certificate that your mobile devices trust. For details, see Configure External SSL in the Tableau Server help.
Certificates issued by major third-party authorities like VeriSign and GlobalSign are secure and trusted by mobile devices. But you can also use a certificate issued by your organization’s internal, enterprise certificate authority. To establish trust between either type of certificate and your company's mobile devices, see these options in the Tableau Knowledge Base.
Connect mobile users to Tableau Server behind your firewall
The recommended method for securing access to your network depends on your use of mobile application management (MAM) or mobile device management (MDM).
If you use MAM, set up a secure tunnel.
If you use MDM, set up per-app VPN.
If you don't have an MAM or MDM system, use standard VPN or a reverse proxy server.
Connect using a secure tunnel
With the unique iOS apps, Tableau Mobile for Blackberry and Tableau Mobile for Workspace ONE, users can connect to Tableau Server simply by logging into the mobile app. To configure the necessary secure tunnel, see these resources from your MAM vendor:
Enable Secure Connect Plus in Blackberry Dynamics help.
VMware Tunnel Quick Start in Workspace ONE help.
With mobile devices, you can use a VPN either as a stand-alone solution or integrated into an MDM tool like Workspace ONE, MobileIron, XenMobile, or Intune. These MDM tools let you create multiple VPN profiles with unique traffic rules you can apply to different device types and even individual apps. Per-app VPN provides maximum security.
The following resources from MDM vendors help you configure their global and per-app VPN options:
For more information, see Customize Tableau Mobile app with AppConfig.
Connect using a reverse proxy server
A reverse proxy server manages all traffic coming from the internet to Tableau Server. In conjunction with SSL, a reverse proxy authenticates traffic while concealing the IP address of the server from clients. For step-by-step setup, see Tableau Server Help for Windows or Linux, and pay special attention to the details required for mobile app.