Using Trusted Tickets for SSO Login to the Tableau Server UI (VizPortal)

There are many situations where a customer wants to have an SSO integration with Tableau Server, but wants the end user to have full access to the Tableau Server UI (called VizPortal), as opposed to embedding Tableau views directly into the product (which only invokes VizSQLServer). This is not an issue when using SAML authentication, but Trusted Authentication requires that the trusted ticket be redeemed against a valid workbook.

By using the fact that the redemption of a Trusted Ticket creates a Tableau Server Session in the browser, the following technique will allow a smooth SSO process directly into the Tableau Server UI.

The first step to any of this is enabling Unrestricted Trusted Tickets. An unrestricted trusted ticket is a full Tableau session that can see the UI; regular trusted tickets only allow access to workbooks and views.

Update: If you are okay with the default page loading directly into the UI, you can do a direct call to the trusted ticket location by itself  — where the URL is just http://{server}/trusted/{ticket}/t/{site}/ . You cannot use this technique on any of the other pages; if you want to direct to a particular page like Data Sources, you’ll need to follow the remaining instructions.

Next, you’ll need to publish a workbook that can be used for login. I suggest naming it “Redirect” or “Login” and putting it in its own Project. Give it View permissions for All, and no other permissions. We will load this workbook to log in every user. To that end, it should be as simple as possible. You can publish a “blank” workbook by simply adding a Filter set to “All” on one sheet. That’s all you need! We’re going to cover the loading workbook anyway, but the simpler the sheet, the faster it will load.

Now we need a dynamic HTML page which handles our trusted ticket process. Here’s an example in PHP; obviously you’ll implement your trusted ticket process in the dynamic language of your own web application:


<?php
include("rest/rest_api.php"); // REST library has a function for requesting trusted tickets. You don't really need any REST API calls
$site = ''; // Probably securely POST this or store in cookie. This is the Tableau site_content_url
// Sign_In to the Tableau Server
$host = 'http://{tableau_server}'; // Tableau Server name
$user = ''; // You will probably be securely POSTing the username, or storing it in another cookie that can be read

$ticket = trim ( get_trusted_ticket($host,$user,$site));
?>

<html>
<head>
<title>Logging in to Analytics</title>

<script type='text/javascript' src="http:/{tableau_server}/javascripts/api/tableau-2.0.0.min.js"></script>

    <script>
    var host = '<?php echo $host; ?>';
    var site = '<?php echo $site; ?>';
    var ticket = '<?php echo $ticket ?>';
    var viz_url = host + "/trusted/" + ticket + "/t/" + site + "/views/RedirectPage/Sheet1";
    function initViz(){
        var placeholderDiv = document.getElementById("tableauViz");
        var options = { 
        hideTabs: true,
        hideToolbar: true,
        onFirstInteractive: function () {
                window.location =  host + '/#/site/' + site + '/projects';
            }
        }
        viz = new tableau.Viz(placeholderDiv,viz_url,options); 
    }
</script>

</head>
<body onload="initViz();">
<div id='cover' style='height:100%;width:100%; position: fixed; left:0px;top:0px;background-color: white;z-index: 10'></div>
<div id='tableauViz'></div>
</body>
</html>

You’ll note that there is a ‘cover’ DIV that keeps any of the loading Viz from being seen. You could also implement your own “Logging in” screen here. As soon as the Viz finishes loading, the onFirstInteractive callback kicks in and redirects the page to whatever screen in the Tableau Server you’d like to show.

Advertisements

4 comments

  1. Hi bryantbhowell, I implemented edit feature in tableau server 9.3, and it works fine. But in Tableau Server 10,
    when i enter the edit ui, I need to log in again. I checked the reason, and found that the workgroup_session_id was set to empty when trying to access vizportal/api/web/v1/getDatasources.

    Please help, thanks.

    Like

      1. Hi Ning,
        I believe there was an issue with the authentication across several point versions recently (it affected a few 9.3 releases as well). Tableau 10.0.1 was just released and I upgraded my test server and it all appears to be working now. I use the exact same embed_wrapper.html code I have posted up here so try one of the latest releases and see if it is working.

        Like

  2. Hi bryantbhowell,
    It works well after I run the following command. In Tableau Server 9.3 it’s not necessary, but in version 10, it it necessary. Thank you very much.

    tabadmin set wgserver.unrestricted_ticket true
    tabadmin config
    tabadmin restart

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s