Was this page helpful?
Yes No

Use SAML SSO with Kerberos Database Delegation

Tableau Server on Windows now includes Tableau Services Manager (TSM), which replaces the Configuration Utility and the tabadmin command line tool. If you need help for an earlier version of Tableau Server, see the Tableau Help page.

In a Windows Active Directory (AD) environment, you can enable SAML single sign-on (SSO) to Tableau Server, along with Kerberos database delegation. This provides authorized users direct access to Tableau Server, as well as to the underlying data defined in their published workbooks and data sources.

Overview of the process

Conceptual image of authentication to Tableau Server via SAML and access to underlying data via Kerberos

In a typical scenario:

  1. One of your Tableau analysts publishes a dashboard to Tableau Server. That dashboard contains a connection to a Hadoop cluster, for example, that is configured to accept Kerberos credentials.

    Then the workbook publisher sends a link to colleagues for review.

  2. When a colleague clicks the link, Tableau Server authenticates the user through the SAML SSO process. Then it looks at the user’s authorization scheme, and if allowed, uses the Tableau Server keytab to accesses the underlying database on behalf of the user. This populates the dashboard with the Hadoop data that the user is authorized to see.

Configure Tableau Server for SAML with Kerberos

Using SAML with Kerberos works inherently when you complete the processes to enable each separately:

  1. Configure Tableau Server for SAML, as described in Configure Server-Wide SAML.

  2. Configure Tableau Server and your underlying databases to accept Kerberos credentials, as described in Enable Kerberos Delegation and related articles.