Leverage existing security with trusted authentication in Tableau Server
Leverage existing security with trusted authentication
Every new release of Tableau includes new capabilities for enterprise deployments. These include investments in security, performance, reliability, and scalability. With the introduction of Tableau 9.1, it has become even easier to integrate Tableau Server with the authentication and authorization standards that you already have in place.
Tableau Server is frequently deployed in landscapes that already contain legacy systems with security protocols to prevent unauthorized access. These systems include internal portals, content management systems, or existing reporting interfaces. A question that often leads people to trusted authentication is: “Is it possible to embed an interactive Tableau visualization into a site that already has a legacy security protocol?” The answer is yes. This is commonly referred to as a single sign-on Tableau Server system, and the mechanism that enables it is termed ‘trusted authentication’.
When using trusted authentication, it is presumed that the web server containing the embedded views handles user authentication. The person attempting to access the embedded view must be a valid user on both the web page and Tableau Server. The web page server passes the username of the logged-in person to Tableau Server, so the usernames must match or be programmatically transformed to match.
Tableau Server must also be configured to recognize the web page server as a trusted server. This is configured using the Tableau Server administrator tool, tabadmin. The web page server must also be able to perform a POST request and transform the response into a URL. This means that static web pages not backed by a scripting language cannot meet these requirements.
If the web page server uses Security Support Provider Interface (SSPI), configuring trusted authentication is unnecessary as long as the users are valid members in Active Directory. In that case, Tableau Server authenticates the users via Active Directory, as long as the users are also licensed to access Tableau Server. The flow chart in Figure 9.8 illustrates how security data travels between each component.
Figure 9.8 Trusted authentication
If all of the above requirements are met, then trusted authentication works in the following way:
- The user visits the web page – when a user visits the web page with the embedded Tableau Server view, a GET request is sent to your web server for the HTML for that page.
- The web server POSTs to Tableau Server – the web server sends a POST request to Tableau Server. That POST request must have a username parameter. The username value must be the username of a licensed Tableau Server user. If the server is running multiple sites, and the view is on a site other than the default site, the POST request must also include a target site parameter.
- Tableau Server creates a ticket – Tableau Server checks the IP address of the web server that sent the POST request. If it is set up as a trusted host, Tableau Server creates a ticket in the format of a unique nine-digit string and responds to the POST request with that ticket. If there is an error and the ticket cannot be created, Tableau Server responds with a value of -1.
- The web server passes the URL to the browser – the web server constructs a temporary URL for the view, using either the view’s URL or its object tag (if the view is embedded), and inserts it into the HTML for the page. The temporary URL includes the ticket (for example: http://tabserver/trusted/<ticket>/views/requestedviewname). The web server passes the HTML for the page back to the client’s web browser.
- The browser requests a view from Tableau Server – the client’s web browser sends a GET request to Tableau Server that includes the URL along with the ticket.
- Tableau Server redeems the ticket – Tableau Server sees that the web browser requested a URL with a ticket in it and redeems that ticket. Tickets must be redeemed within three minutes after they are issued. Once the ticket is redeemed, Tableau Server logs the user in, removes the ticket from the URL, and sends back the final URL for the embedded view.
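The web server's part of this flow (the POST, the -1 check, and building the temporary URL) is sketched below as an added example; it is not one of the samples shipped with Tableau Server. The host `tabserver`, the `to_tableau_username` mapping rule, and the injectable `post` argument are assumptions for illustration, and the `/t/<site>/` path segment for non-default sites does not appear in the text above.

```python
from urllib.parse import urlencode, quote
from urllib.request import Request, urlopen

TABLEAU = "http://tabserver"  # placeholder host, as in the example URL above


class TicketError(Exception):
    """Tableau Server answered -1 or returned nothing usable."""


def http_post(url, body):
    # Real transport; succeeds only from a host Tableau Server trusts.
    req = Request(url, data=body.encode(), method="POST")
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def to_tableau_username(portal_login):
    # Assumed mapping rule: portal logins are e-mail addresses and Tableau
    # usernames are the lower-cased local part. Replace with the real rule.
    return portal_login.split("@", 1)[0].lower()


def request_ticket(session_user, site=None, post=http_post):
    # session_user must come from the server-side session of the already
    # authenticated user, never from a field the browser controls.
    params = {"username": to_tableau_username(session_user)}
    if site:  # only needed when the view is not on the default site
        params["target_site"] = site
    ticket = post(TABLEAU + "/trusted", urlencode(params)).strip()
    if not ticket or ticket == "-1":
        raise TicketError("no ticket issued; do not render the embed")
    return ticket


def view_url(ticket, view_path, site=None):
    # Temporary URL that is written into the page's HTML for the browser.
    prefix = f"/t/{quote(site, safe='')}" if site else ""
    return (f"{TABLEAU}/trusted/{quote(ticket, safe='')}"
            f"{prefix}/views/{quote(view_path)}")
```

Request the ticket while rendering the page rather than ahead of time, since it must be redeemed within three minutes.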
The Tableau Server installation manual provides examples, in many languages, of the code required for the web server to handle the POST to Tableau Server, convert the ticket into a URL, and embed the view. These examples are included as part of the Tableau Server installation. Navigate to the following location to view them directly:
c:\program files (x86)\tableau\tableau server\8.0\extracts\embedding
For tips on using trusted ticket authentication with views that you wish to embed in other websites, see the section “Use trusted ticket authentication as an alternative single sign-on method” in the post “Using Tableau Server to facilitate fact-based team collaboration”.