Expanded Trusted Tickets diagram

[Figure: full trusted tickets diagram]

There’s nothing wrong with the How Trusted Authentication Works diagram, but it doesn’t fully capture the essential point that there are two distinct flows: (1) the request for the web page, which comes back with the Trusted Ticket placed in the Viz URL, and (2) the iframe request to the Tableau Server that uses that Viz URL.

  1. User requests a page that has an embedded Tableau Viz. For trusted tickets, this must be a dynamically generated web page. The GET request goes from the user’s web browser to the web server.
  2. The web server passes the request to the web application server, typically in a different security tier. This is what processes the request for the page and generates the final HTML from the template / application rules.
  3. The web application server(s) are the machines that the Tableau Server has been configured to trust. The web application passes the username to the Tableau Server, requesting a ticket.
  4. The Tableau Server checks for that existing username on the specified site, and returns a ticket if found. The ticket looks something like “Etdpsm_Ew6rJY-9kRrALjauU”.
  5. The web application server places the ticket into the URL for the Tableau viz, based on the pattern: https://tabserver/trusted/<ticket>/t/<site-url>/views/<workbook>/<view>. This URL is placed in the returned web page, to be loaded via the JavaScript API.
  6. The generated HTML is sent from the web server to the client’s browser. The Tableau JavaScript API now creates the iframe, which is a separate web page inside the main page.
  7. To generate the iframe, the browser makes a call to the Tableau Server directly. However, the Tableau Server should sit behind a reverse proxy for security purposes.
  8. The reverse proxy passes the request through to the Tableau Server. The Tableau Server redeems the trusted ticket, creating a Tableau Session for the user. This also puts a session cookie in the user’s browser. At this point the ticket is redeemed and cannot be used again.
    1. You should set the process to ask for a new trusted ticket on each page reload.
    2. Once the session is established, you don’t technically need to use another trusted ticket; this allows for SSO even when you are not embedding.
  9. The Tableau Server now redirects to the direct location of the requested viz. To generate the viz, the Tableau Server vizqlserver process makes whatever data requests are necessary.
  10. The data comes back to the vizqlserver process, which generates the viz.
  11. The viz information is sent back through the reverse proxy
  12. The viz information is sent to the user’s browser, which renders the viz in the iframe.
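
Steps 3 to 5 and the per-reload rule in 8.1, as an added example that is not code from the original post or from Tableau. It assumes the ticket request is Tableau Server's form-encoded POST to `/trusted` with `username` and `target_site`, which answers `-1` on refusal; the function names, the injectable `post` transport and the ticket character set are hypothetical choices made for the example.

```python
import re
import urllib.parse
import urllib.request

# Assumption: tickets use only these characters (the sample in step 4 does).
TICKET_RE = re.compile(r"[A-Za-z0-9_=:-]+")


def http_post(url, form):
    """Default transport: form-encoded POST sent from the trusted app server."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.read().decode().strip()


def request_ticket(server, username, site, post=http_post):
    """Steps 3-4: ask Tableau Server for a single-use ticket for username.

    username must come from the application's own authenticated session,
    never from a request parameter the browser controls.
    """
    body = post(f"{server}/trusted", {"username": username, "target_site": site})
    # Tableau Server answers -1 when it will not issue a ticket, for example
    # when the username does not exist on the site or the caller is untrusted.
    if body == "-1" or not TICKET_RE.fullmatch(body):
        raise PermissionError("no trusted ticket issued")
    return body


def build_viz_url(server, ticket, site, workbook, view):
    """Step 5: place the ticket in the viz URL using the pattern from the post."""
    def seg(value):
        # Percent-encode each path segment so it cannot add slashes or a query.
        return urllib.parse.quote(value, safe="")
    return f"{server}/trusted/{ticket}/t/{seg(site)}/views/{seg(workbook)}/{seg(view)}"


def viz_url_for_page_load(server, username, site, workbook, view, post=http_post):
    """Step 8.1: call on every page render; a redeemed ticket cannot be reused."""
    ticket = request_ticket(server, username, site, post)
    return build_viz_url(server, ticket, site, workbook, view)
```

The web application calls `viz_url_for_page_load` while rendering the template and hands the result to the JavaScript API; if it raises, render the page without the viz instead of emitting a URL that contains `-1`.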
