
JIT Provisioning on Curator

When Curator is configured to authenticate against an external identity provider (SAML, OIDC/OAuth, Tableau Server, or Power BI), a Frontend User account is created automatically the first time a user successfully signs in. This removes the need for self-service registration: as long as the user can authenticate with the upstream provider, Curator provisions the matching local account on demand.

If you’d rather restrict access to users that have been created manually in advance, this behavior can be disabled. Navigate to Settings > Security > Authentication Settings, expand the Customization section, enable Disable Just-in-time Provisioning of Curator Users, and click the “Save” button. With this setting enabled, SSO logins will only succeed for users who already exist in Frontend Users.

JIT Provisioning on Tableau

Curator can also act as an intermediary in that process and automatically create the users on Tableau Server after a successful authentication with Okta or other SAML identity providers. You will still be required to manually assign any groups or license levels (Explorer by default) in Tableau Server, but this allows simple authentication into Curator if the user does not yet exist on Tableau.

To enable this, complete the steps for SAML setup (instructions here: /setup/authentication/okta_saml). Then, on the backend under Settings > Security > Authentication Settings, open the SAML Advanced section, enable Just-in-time (JIT) Provisioning, and Save your SAML settings.