Tableau offers three choices for end-user authentication:

  1. No Authentication – Use an API key to access the public visualizations. No username/password or any other authentication mechanism is required.
  2. TTA – Tableau Trusted Authentication – Internal users are created and managed in Tableau Server.
  3. AD Integration – Use your corporate AD to authenticate. This would require your Tableau Server to be ‘domain joined’ to your network.

 

No Authentication

This is the simplest to set up.

All visualizations are UNTRUSTED, and Tableau Server (TS) is accessible by anyone with an API key. There are some risks associated with this: someone who truly understands the API can ‘mangle’ any visualization using hacked JavaScript.

So, this leads you into TTA territory – you want to use TTA.

The Problem With TTA

So – here’s the dilemma. You want to use the JavaScript API to access the TS visualizations. The client requests a ‘token’, TS generates and provides a token, and this token is used to request all future visualizations. This works great if everything is exposed to the public (No Authentication).

However, if you also want to use Tableau Trusted Authentication – here’s the gotcha with TTA:

TS requires the IP address of the ticket (token) requester to be trusted. This means ALL your client browser IPs will need to be configured as Trusted IPs in Tableau Server. Obviously, this is a non-starter.

The Workaround

Write an intermediary web service that talks to TS on the backend. If one decides to go with Trusted Authentication, having it go through an intermediary web service is not just a good option – it is the ONLY option.

Here is a sample flow

  1. The JavaScript code connects to a Web Service and authenticates against that web service. The web service requests a ticket on the user’s behalf.
  2. Tableau is configured to trust the box that the web service is running on, so it returns the ticket, which the web service passes back to the browser
  3. The JavaScript uses the token (ticket) to render the visualizations.
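A sketch of the broker side of this flow, added here as an illustration and not code from the original post. It assumes Tableau's documented trusted-ticket interface (a form POST of `username` to `/trusted`, answered with a ticket or `-1`); the server URL, session table and function names are hypothetical.

```python
import re
import urllib.parse
import urllib.request

TABLEAU = "https://tableau.example.internal"   # hypothetical Tableau Server URL
SESSIONS = {"sess-abc123": "jsmith"}           # constructed: broker session -> TS user
VIEW_RE = re.compile(r"[A-Za-z0-9_-]+/[A-Za-z0-9_-]+")  # "workbook/view" only


def http_post(url, fields):
    """Default transport: form-encoded POST sent from the trusted broker host."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return resp.read().decode().strip()


def issue_view_url(session_id, view, post=http_post):
    """Return a trusted view URL for the caller's own user, or None."""
    # The username is taken from the broker's own session store, never from
    # the browser: a client-supplied username would let any caller obtain a
    # ticket for any Tableau user, because TS trusts the broker's IP.
    user = SESSIONS.get(session_id)
    if user is None:
        return None
    # Only a plain workbook/view pair may be appended to the ticket URL.
    if not VIEW_RE.fullmatch(view):
        return None
    ticket = post(TABLEAU + "/trusted", {"username": user})
    # TS answers "-1" when it refuses (untrusted host, unknown user).
    if not ticket or ticket == "-1":
        return None
    return f"{TABLEAU}/trusted/{ticket}/views/{view}"
```

The browser receives only the resulting URL. It never talks to the `/trusted` endpoint itself, so only the broker's address has to be on the Trusted IP list.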

Summary

Authentication does not seem to be well thought out in Tableau Server. There is no support for LDAP. There is no way to do federated authentication. You are stuck with Tableau’s internal auth mechanism, TTA, which would be fine if TTA did not come with a heavy gotcha.

Any IP that needs to talk to TS using TTA needs to be trusted.

So, the only option is to create an intermediate TRUSTED web service to act as a broker between the client browser and TS.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.