How to Configure Multiple IdPs and Authentication Methods in Tableau Server

Depending on your requirements and Tableau Server version, use one of the following approaches.

Option 1: Use Site-Specific SAML

In a multi-site environment, you can configure a different SAML IdP for each site (e.g., Entra ID for Site A and Okta for Site B). You can also specify the authentication type for each user within the same site, allowing the combined use of SSO (Site SAML) and local authentication (Server Default), or SAML authentication from different IdPs.

1. Configure site-specific SAML.
2. If you want to use local authentication and SAML authentication simultaneously within the same site, you need to use local authentication as the Server Default. To do so, complete the site-specific SAML setup first. Then, if server-wide SAML has been enabled, disable it using one of the methods below. After confirming that server-wide SAML has been disabled, specify the authentication type for users.

1. 1. Use TSM CLI
      1. Open a command prompt on a node in the cluster and run the following commands:

         tsm authentication saml disable
         tsm pending-changes apply

   2. Use TSM Web UI
      1. Sign in to the TSM Web UI.
      2. On the CONFIGURATION tab, select User Identity & Access, and then select the Authentication Method tab.
      3. Clear the Enable SAML authentication for the server check box.
      4. Click Save Pending Changes.
      5. Click Pending Changes at the top of the page.
      6. Click Apply Changes and Restart.

Limitations and Considerations (Site-Specific SAML)

• Local Identity Store Required: The identity store specified during Tableau Server installation must be set to Local. Site-specific SAML cannot be configured in environments using Active Directory or LDAP.
• Single Site Membership Limitation: Users configured to use site-specific SAML authentication can belong to only one site. Users who need to belong to multiple sites must use the Server Default authentication. See also Set the User Authentication Type for SAML.

Option 2: Use Identity Pools

Starting with Tableau Server 2023.1, you can create additional identity pools with different authentication protocols in addition to the initial pool configured during installation. This allows you to build a mixed environment, such as Active Directory with OIDC or Local Authentication with OIDC.

1. Configure an identity pool. Specify the authentication method users will use in the configured identity pool.

Limitations and Considerations (Identity Pools)

• Version Requirement: Supported only in Tableau Server 2023.1 and later.
• OIDC Only for Additional Authentication: The only authentication method that can be added using the identity pool feature is OIDC. SAML authentication cannot be configured as an additional pool.
• REST API Required for Management: Management tasks such as creating or updating the detailed configuration of an identity pool must be performed using the Tableau REST API, not the Tableau Server Web UI.
• Server-Level Configuration Only: Identity pools are currently available for server-level configuration only. Identity pools can’t be scoped to a site.