Embedding Tableau Cloud Dashboards into a Website without Prompting for Credentials

There are two contexts, described as A and B below, where credentials can be requested when opening a view in Tableau Cloud. Both need to be addressed to ensure no prompt for username or password credentials occurs inside an embedded view.

A. Tableau Cloud User Credentials

Tableau Cloud must be able to authenticate the viewer of an embedded view as a valid Tableau Cloud user before allowing the embedded view to load. This can result in a login screen being presented. You must use Connected Apps in order to authenticate the user without requiring an explicit login prompt. For more information, see Use Tableau Connected Apps for Application Integration.

Option 1

As a possible alternative, SAML SSO or Salesforce OpenID Connect may be used to bypass the login prompt as long as the user is already authenticated with the identity provider in the same browser as the embedded view. 

An important note if using SAML:

In Tableau Cloud, the default authentication type for embedded views must be set to SAML and have inline frame auth enabled. The SAML identity provider must also support and have in-frame authentication enabled. See the below steps to enable both settings in Tableau Cloud. 

1. Ensure the below two options are properly configured under Settings > Authentication and clicking the "Edit Connection" link under "SAML":
2. Set the Default authentication type for embedded views to SAML.
3. Under Embedding options, select Authenticate using an inline frame (less secure; not supported by all IdPs).

For more information, see the section on "Embedding options" in "Enable SAML Single Sign-On for a Site".

B. Data Source Credentials

Data sources used by views on Tableau Cloud often require credentials to authenticate access to the data source (exceptions are flat files like Excel or text files or Tableau Data Extracts which only require credentials on refresh). If a login request is not desired, the recommended solution is to set "Embedded password" for the data source when publishing.

Option 2

How Connected Apps Use JWT for Authentication

The Connected Apps feature is the recommended method for authenticating users because it uses a secure JSON Web Token (JWT) to sign the user in without a prompt. The process works as follows:

1. A Tableau Cloud administrator creates a Connected App and generates a Client ID and a Client Secret.

2. Your web application (where the dashboard is embedded) must generate a JWT that includes claims for the user, such as their username.

3. This JWT is then signed using the Client Secret obtained from the Connected App.

4. The signed JWT is passed into the Tableau embedding code on your web page.

5. Tableau Cloud receives the JWT, validates its signature using the secret, and automatically signs in the specified user, allowing the embedded view to load without a credential prompt.

Steps to Configure a Connected App in Tableau Cloud

These steps are performed by a Tableau Cloud Site Administrator.

1. Navigate to the Connected Apps Menu:

   • In your Tableau Cloud site, go to Settings in the left-hand navigation pane.

   • Select the Connected Apps tab.

2. Create a New Connected App:

   • Click the blue "New Connected App" button.

   • In the dialog that appears, you will configure the app:

     • App Name: Give it a descriptive name (e.g., "Internal Portal Embed").

     • App Type: Select "Direct Trust". This is the type required for JWT-based embedding.

     • Allowed Domains: This is a critical security step. Enter the full domain of the web application where you will be embedding the dashboards (e.g., https://my-portal.mycompany.com). You can add multiple domains if needed. This ensures that only your authorized website can use this Connected App.

3. Generate the Client ID and Secret:

   • After you click "Create", Tableau will generate a Client ID, a Client Secret ID, and a Client Secret Value.

   • This is the only time the Client Secret Value will be shown. You must copy and securely store this secret immediately. It is the "password" your web application will use to sign the JWTs.