There’s nothing wrong with the How Trusted Authentication Works diagram, but it doesn’t fully capture the essential aspect that there are two distinct flows: (1) Requesting the web page with the Trusted Ticket placed in the Viz URL (2) The iframe request to the Tableau Server that uses the Viz URL.
- User requests a page that has an embedded Tableau Viz. For trusted tickets, this must be a dynamically generated web page. The GET request goes from the user’s web browser to the web server.
- The web server passes the request to the web application server, typically in a different security tier. This is what processes the request for the page and generates the final HTML from the template / application rules.
- The web application server(s) are the machines that the Tableau Server has been configured to trust. The web application server passes the username to the Tableau Server, requesting a ticket.
- The Tableau Server checks for that existing username on the specified site, and returns a ticket if found. The ticket looks something like “Etdpsm_Ew6rJY-9kRrALjauU”.
- The web application server places the ticket into the URL for the Tableau viz, based on the pattern: https://tabserver/trusted/<ticket>/t/<site-url>/views/<workbook>/<view>. This URL is placed in the returned web page, to be loaded via the JavaScript API.
- The generated HTML is sent from the web server to the client’s browser. The Tableau JavaScript API now creates the iframe, which is a separate web page inside the main page.
- To generate the iframe, the browser makes a call to the Tableau Server directly. However, it should be behind a reverse proxy for security purposes.
- The reverse proxy passes the request through to the Tableau Server. The Tableau Server redeems the trusted ticket, creating a Tableau Session for the user. This also puts a session cookie in the user’s browser. At this point the ticket is redeemed and cannot be used again.
- You should set the process to ask for a new trusted ticket on each page reload.
- Once the session is established, you don’t technically need to use another trusted ticket; this allows for SSO even when you are not embedding.
- The Tableau Server now redirects to the direct location of the requested viz. To generate the viz, the Tableau Server vizqlserver process will make whatever data requests are necessary.
- The data comes back to the vizqlserver process, which generates the viz.
- The viz information is sent back through the reverse proxy.
- The viz information is sent to the user’s browser, which renders the viz in the iframe.
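The first flow above (ticket request on the web application server, then placing the ticket in the viz URL) as an added Python example; this is not code from the original post or from Tableau. It assumes the server name https://tabserver and the site/workbook/view names used below; the `/trusted` endpoint with its `username` and `target_site` form fields, the `-1` failure response, and the URL pattern with no `/t/<site>` segment for the default site are Tableau behaviour. The transport is injectable so the functions can be exercised offline.

```python
import re
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Assumed ticket shape: URL-safe characters only (the post's sample ticket
# "Etdpsm_Ew6rJY-9kRrALjauU" fits). Anything else is treated as a failure.
TICKET_RE = re.compile(r"^[A-Za-z0-9_=-]+$")


def http_post(url, fields):
    """Default transport: POST form fields, return the body as text."""
    data = urlencode(fields).encode()
    with urlopen(Request(url, data=data, method="POST"), timeout=5) as resp:
        return resp.read().decode()


def request_trusted_ticket(server, username, site="", post=http_post):
    """Ask the Tableau Server (which must trust this host) for a one-time ticket."""
    fields = {"username": username}
    if site:  # omit target_site for the default site
        fields["target_site"] = site
    ticket = post(f"{server}/trusted", fields).strip()
    # Tableau answers "-1" when the host is not trusted or the user is unknown
    # on that site. Fail closed rather than embedding a bogus URL.
    if ticket == "-1" or not TICKET_RE.match(ticket):
        raise PermissionError(f"no trusted ticket issued for {username!r}")
    return ticket


def build_viz_url(server, ticket, workbook, view, site=""):
    """Place the ticket in the viz URL per the pattern the post describes."""
    site_part = f"/t/{quote(site, safe='')}" if site else ""
    return (f"{server}/trusted/{ticket}{site_part}"
            f"/views/{quote(workbook, safe='')}/{quote(view, safe='')}")


def viz_url_for_page(server, username, workbook, view, site="", post=http_post):
    """Call this on every page render: a ticket is redeemed once, then dead."""
    ticket = request_trusted_ticket(server, username, site, post)
    return build_viz_url(server, ticket, workbook, view, site)
```

The ticket is a bearer credential until redeemed, so keep it out of application logs and never cache it across page loads.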