Embedding Tableau Server Dashboards Into a Website Without Prompting for Credentials

To ensure no prompt for username or password credentials occurs inside an embedded view, both user credentials and database credentials need to be addressed.

Tableau Server User Credentials

Tableau Server must be able to authenticate the viewer of an embedded Tableau Server view as a valid Tableau Server user before allowing the user to open the embedded view. This can result in a login screen being presented. There are several options to prevent this:

Option 1: Use Guest user access

If Tableau Server uses a core-based license, a Guest User can be enabled which would allow any viewer to access an embedded view with the permissions authorized to the Guest User account without requiring login credentials.

Note that Guest User will be used first on embedded views where the Guest User has permissions to open the view. For example, if Automatic Login for Active Directory is enabled, a user opening an embedded view will be authenticated as the Guest User, and not with Integrated Windows Authentication. To use Integrated Windows Authentication, permissions need to be set to deny viewing for the Guest User on that view. For further details, see Guest User.

Option 2: Use Connected Apps

Tableau Server provides a REST API mechanism to facilitate an explicit trust relationship between Tableau Server and custom applications that embed Tableau Server views. It does so using a JSON Web Token (JWT) This requires third-party cookies to be enabled on the user's browser unless configured for partitioned storage in Firefox or Chrome.

Note that Safari disables these by default. See Connected Apps Methods for details on how to configure this feature.

Option 3: Use Trusted Authentication

Tableau Server provides a mechanism to request and redeem authentication tickets for a user and a view in situations where a web server is handling user authentication. This requires third-party cookies to be enabled on the user's browser.

Note that Safari disables these by default. See Trusted Authentication for details on how to configure this feature.

Option 4: Use an Identity Provider's External Authorization Server

Tableau Server provides a way to register a third-party Identity Provider's External Authorization Server to send a JSON Web Token (JWT) to validate a trust relationship between the IdP and Tableau Server. This requires third-party cookies to be enabled on the user's browser unless configured for partitioned storage in Firefox or Chrome.

Note that Safari disables these by default. See Register EAS to Enable SSO for Embedded Content for details on how to configure this feature.

Option 5: Single Sign-On

If a Single Sign-On feature has been implemented, then a user can be authenticated by Tableau Server without requiring a Tableau Server login screen. IdP logins may be presented. See Authentication for details.

A note for SAML and OpenID Connect

The default behavior when embedding a view using SAML or OpenID Connect authentication is to display a "Sign in to <Server Name>" button in the frame. Clicking this button will open a new window where authentication with the IdP will then happen.

To avoid the button:

If using Tableau Server 2021.4

Use a different solution like Guest User or Trusted Authentication, or, if the IdP supports in-frame authentication, you can do the following to suppress the button:

Note: Enabling this ability requires disabling Clickjack protection, introducing an increased exposure to clickjacking attacks. 

For Tableau Server on Linux and Tableau Server on Windows 2018.2 and Newer Versions

For OpenID Connect

1. Open a command prompt as an Administrator on the computer where Tableau Server is installed
2. Execute the following commands:

For Server-Wide SAML

1. Open a command prompt as an Administrator on the computer where Tableau Server is installed
2. Execute the following commands:

tsm configuration set –k wgserver.saml.iframed_idp.enabled -v true
tsm pending-changes apply
tsm restart

For all versions of Tableau Server

For Site-Specific SAML

Ensure the below two options are properly configured under Settings > Authentication and clicking the "Edit Connection" link under "SAML": 

• Set the Default authentication type for embedded views to SAML. 
• Under Embedding options, select Authenticate using an inline frame (less secure; not supported by all IdPs). 

For more information, see Configure Site-Specific SAML. 

Data Source Credentials

Data sources used by views on Tableau Server or Tableau Cloud often require credentials to authenticate access to the data source (exceptions are flat files like Excel or text files or Tableau Data Extracts which only require credentials on refresh). If a login request is not desired, the recommended solution is to set "Embedded password" for the data source when publishing. Alternatively, there are also Single Sign On alternatives for specific data sources. See the product help on Data Connection Authentication for updated options.