Given all the updates to Tableau Online over the last few years, now seems like as good a time as any to review when Tableau Online works for embedding Tableau.
What do I mean by embedding in this case? Specifically, displaying Tableau visualizations inside another web application without the end customer being aware of Tableau Online as a separate entity from the rest of that application.
Single Sign-On (SSO)
The biggest factor determining whether you can embed Tableau Online seamlessly is the Single Sign-On (SSO) process. Looking at the Tableau Online documentation, there are two possible SSO mechanisms: (1) OpenID Connect to Google Accounts, or (2) a SAML IdP.
Tableau Online requires all usernames to be e-mail addresses, so you’ll need to make sure your IdP has the e-mail addresses of the users you want to add.
Configuring your SAML IdP to Allow iframe Embedding
This is the biggest difficulty with SAML and Tableau Online. By default, or per your organization’s security requirements, the IdP may refuse to let its sign-in page run inside an iframe: the IdP sends anti-clickjacking headers (X-Frame-Options, or a Content-Security-Policy frame-ancestors directive) on its login pages, and the browser then refuses to load the SAML flow inside the frame that hosts the Tableau viz. This is noted in Step 6 here, but the difficulty is that changing it is different for each IdP.
For example, here is a question to Okta about the correct setting to allow authentication within an iframe. You’ll need to find the equivalent for your IdP, and get the right person in your organization to approve and make the change at the IdP level. Where the IdP supports it, restrict framing to your application’s origin (a frame-ancestors allow-list) rather than allowing any site to frame the login page: the framing restriction exists to prevent clickjacking of the sign-in form, and an unrestricted exception removes that protection for every relying party, not just Tableau.
If you don’t allow iframe embedding at the IdP level, Tableau Online opens a pop-up window to complete the SAML authentication flow. This may require clicks on your end user’s side (most likely they will not have to re-enter their password, but they may need to click through something or at minimum close the pop-up). In addition, pop-up blockers in some browsers will break the flow entirely, or make it look very suspect to the user.
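Before asking your IdP team for a change, it helps to know exactly what the login page currently sends. The following is an added example (not from the original post, and not Tableau’s or any IdP vendor’s code) that evaluates a page’s X-Frame-Options and frame-ancestors headers the way a browser does and reports whether your application’s origin may frame it. The function names, the hostnames idp.example.com and portal.myapp.example, and the header values are all constructed for illustration; fetch_framing_headers is the only part that touches the network and is not needed for the offline checks.

```python
"""Decide from anti-clickjacking headers whether a page can be framed by a given origin.

Added example for this post; it is not Tableau's or any IdP's code. URLs and header
values used with it are constructed. Browser rules implemented:
  * Content-Security-Policy frame-ancestors, when present, overrides X-Frame-Options.
  * X-Frame-Options DENY blocks all framing; SAMEORIGIN allows only same-origin framing.
  * The obsolete ALLOW-FROM form is treated conservatively as blocking cross-origin
    framing (a design choice here: modern browsers no longer implement it consistently).
  * No header at all means framing is allowed.
"""
import urllib.request
from urllib.parse import urlsplit


def origin(url):
    """(scheme, host, port) tuple with the default port filled in."""
    u = urlsplit(url)
    scheme = (u.scheme or "https").lower()
    port = u.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, (u.hostname or "").lower(), port


def _source_matches(src, embedder):
    """Match one CSP host-source or scheme-source against the embedding origin."""
    e_scheme, e_host, e_port = origin(embedder)
    if src.endswith(":") and "://" not in src:          # scheme-source, e.g. "https:"
        return src[:-1] == e_scheme
    if "://" in src:
        scheme, rest = src.split("://", 1)
        if scheme != e_scheme:
            return False
    else:
        rest = src
    host, _, port = rest.partition(":")
    if port and port != "*" and port != str(e_port):
        return False
    if host.startswith("*."):                            # "*.example.com" matches sub.example.com only
        return e_host.endswith(host[1:])
    return host == e_host


def frame_ancestors_allows(value, page_url, embedder):
    """Evaluate a frame-ancestors source list for an embedding origin."""
    for src in value.split():
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*":
            return True
        if s == "'self'":
            if origin(page_url) == origin(embedder):
                return True
            continue
        if _source_matches(s, embedder):
            return True
    return False            # an empty or non-matching list blocks framing


def framing_allowed(headers, page_url, embedder):
    """True if a browser would render page_url inside a frame served from embedder."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return frame_ancestors_allows(value, page_url, embedder)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN" or xfo.startswith("ALLOW-FROM"):
        return origin(page_url) == origin(embedder)
    return True


def fetch_framing_headers(url):
    """Live helper: fetch a login page and return its response headers as a dict."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())
```

Run framing_allowed(fetch_framing_headers(idp_login_url), idp_login_url, "https://your-app-origin") once before the IdP change and once after; the goal state is a frame-ancestors list naming only your application’s origin, not an absent header. Note that Content-Security-Policy-Report-Only is deliberately ignored, since browsers do not enforce it.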
Syncing Users from the IdP to Tableau Online
Regardless of whether you are using Tableau Online or Tableau Server, a user must already exist on the site and hold a site role (be licensed) before they can sign in through SSO; SSO authenticates users, it does not create them. Tableau Online supports SCIM for Okta and OneLogin (check for any additional IdPs as well), which automates provisioning users to Tableau Online.
For IdPs without SCIM integration, you’ll need to build the integration yourself between the IdP and Tableau using Tableau’s REST API for user management: add users to the site with the right site role when they appear in the IdP, and unlicense or remove them when they leave it.
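The shape of such an integration, as an added example written for this post rather than Tableau’s or any IdP vendor’s code: sign in with a personal access token, page through the site’s users, diff them against the IdP’s list, and add or unlicense accordingly. The server URL, site contentUrl, token name and secret, and the e-mail addresses are placeholders; the transport function is injectable so the reconciliation logic can be exercised offline against constructed XML responses, with urllib used for live calls. The endpoints used are the documented ones (POST auth/signin, GET and POST sites/{site-id}/users, PUT sites/{site-id}/users/{user-id}); the API version string is an assumption.

```python
"""Reconcile an IdP's user list with a Tableau Online site over the Tableau REST API.

Added example for this post; not Tableau's or any IdP vendor's code. Server, site,
PAT credentials and e-mail lists are placeholders. `transport` is injectable so the
logic runs offline against constructed XML responses; http_transport is the live path.
"""
import urllib.request
import xml.etree.ElementTree as ET

API = "3.15"                               # assumption: any version that supports PAT sign-in
NS = {"t": "http://tableau.com/api"}       # namespace of Tableau REST responses
PROTECTED_ROLES = ("SiteAdministratorCreator", "SiteAdministratorExplorer")


def http_transport(method, url, body=None, headers=None):
    """Live transport: returns (http_status, response_bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def ts_request(tag, **attrs):
    """Serialise <tsRequest><tag attr=.../></tsRequest>."""
    root = ET.Element("tsRequest")
    ET.SubElement(root, tag, **attrs)
    return ET.tostring(root)


def parse_users(xml_bytes):
    """One page of GET .../users -> ({lowercase name: (id, siteRole)}, totalAvailable)."""
    root = ET.fromstring(xml_bytes)
    users = {u.get("name").lower(): (u.get("id"), u.get("siteRole"))
             for u in root.iterfind(".//t:user", NS)}
    pag = root.find("t:pagination", NS)
    total = int(pag.get("totalAvailable")) if pag is not None else len(users)
    return users, total


def plan_sync(idp_emails, site_users):
    """IdP is the source of truth. Returns (emails_to_add, names_to_unlicense).

    Names compare case-insensitively because Tableau Online usernames are e-mail addresses.
    Users absent from the IdP are unlicensed rather than deleted: that revokes sign-in
    without the content-ownership reassignment that removal can require. Site
    administrators (usually the provisioning service account itself) are never touched.
    """
    wanted = {e.lower() for e in idp_emails}
    to_add = sorted(wanted - set(site_users))
    to_unlicense = sorted(name for name, (_, role) in site_users.items()
                          if name not in wanted and role != "Unlicensed"
                          and role not in PROTECTED_ROLES)
    return to_add, to_unlicense


class TableauSite:
    def __init__(self, server, site_content_url, pat_name, pat_secret, transport=http_transport):
        self.server, self.transport = server.rstrip("/"), transport
        body = ET.Element("tsRequest")
        cred = ET.SubElement(body, "credentials", personalAccessTokenName=pat_name,
                             personalAccessTokenSecret=pat_secret)
        ET.SubElement(cred, "site", contentUrl=site_content_url)
        status, resp = transport("POST", f"{self.server}/api/{API}/auth/signin",
                                 ET.tostring(body), {"Content-Type": "application/xml"})
        if status != 200:
            raise RuntimeError(f"sign-in failed: HTTP {status}")
        cred = ET.fromstring(resp).find("t:credentials", NS)
        self.token, self.site_id = cred.get("token"), cred.find("t:site", NS).get("id")

    def _call(self, method, path, body=None):
        headers = {"X-Tableau-Auth": self.token, "Content-Type": "application/xml"}
        url = f"{self.server}/api/{API}/sites/{self.site_id}/{path}"
        status, resp = self.transport(method, url, body, headers)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: HTTP {status}")
        return resp

    def users(self):
        """All site users, following the REST API's pagination."""
        users, page = {}, 1
        while True:
            got, total = parse_users(self._call("GET", f"users?pageSize=1000&pageNumber={page}"))
            users.update(got)
            if not got or len(users) >= total:
                return users
            page += 1

    def add_user(self, email, site_role="Viewer"):
        return self._call("POST", "users", ts_request("user", name=email, siteRole=site_role,
                                                      authSetting="SAML"))

    def unlicense(self, user_id):
        return self._call("PUT", f"users/{user_id}", ts_request("user", siteRole="Unlicensed"))


def sync_site(site, idp_emails, apply=False):
    """Compute (and with apply=True, perform) the changes needed to match the IdP."""
    current = site.users()
    to_add, to_unlicense = plan_sync(idp_emails, current)
    if apply:
        for email in to_add:
            site.add_user(email)
        for name in to_unlicense:
            site.unlicense(current[name][0])
    return to_add, to_unlicense
```

Run sync_site with apply=False first and review the two lists; the dry run is the safety net against an IdP export that is accidentally empty, which would otherwise unlicense every non-admin user on the site. Keep the PAT secret out of source control, and note that authSetting="SAML" is what makes the new account sign in through the IdP rather than with a Tableau password.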
Customers with different IdPs on one Tableau Online Site
Any Tableau Online site can be linked to only one SAML IdP at a time. If you have customers who need to use their own separate IdPs to come into your application, you’ll need to look into an IdP that provides federation to other IdPs. As long as a single IdP answers Tableau Online’s SAML request and returns the assertion, whatever happens in the middle (federating out to a customer’s own IdP) is in your hands rather than Tableau’s.
Questions around two-factor authentication work the same way: once Tableau Online redirects to the IdP, you can require anything you want there (MFA, device checks, and so on) before the assertion is sent back to Tableau Online to complete the sign-in process. Tableau Online only consumes the assertion; it has no say in how the IdP arrived at it.
Setting “User Visibility” To Limited
The User Visibility setting is a relatively recent feature designed to let you offer the full feature set while preserving separation between customers. When set to Limited, Viewers and Explorers will not see any reference to other users on the site. This is very important if many of your own customers all access content on the same Tableau Online site. Note that it controls what the interface reveals about other users, not which content a user can open; content separation still comes from Permissions.
In terms of controlling content access, Projects can be nested and have different Permissions for different customer Groups. Recent versions allow child projects to have permissions that differ from their parent project, which was difficult to do in earlier versions.
It is of course possible to purchase and maintain separate Tableau Online sites for different end customers, if you want to allow full sharing between the end users of one particular client, or want to use that customer’s IdP directly instead of setting up federation.
REST API calls are capped at “Site Admin”
The Tableau Server REST API reference has a useful table showing which capabilities are unavailable on Tableau Online (go to “API Listing” on this page). Most of the unavailable methods stem from the fact that on Tableau Online you are at most a Site Administrator, so you cannot do things that exist at the server-wide level, such as adding Sites or Schedules.
What you won’t see in that list is that, because you are a Site Administrator rather than a Server Administrator, you cannot use the Impersonate User at Sign-In feature. Because of this limitation, you cannot dynamically list what a given user can see based on their Tableau Permissions, as shown in this blog post. You’ll need to find another way to record what a given user can see on your Tableau Online site. You should still set Permissions in Tableau to restrict access even if you can’t query them dynamically: your own record is a convenience for building your UI, while Tableau’s Permissions remain the enforcement point.
The following is a list of other things we talk about when a user is considering Tableau Online:
- Because SSO goes through SAML (or OpenID Connect), the user’s browser holds a full Tableau Online session, and they can reach the entirety of the Tableau Online interface if they want to. There is no equivalent of a “Restricted Trusted Ticket” session with a SAML session, so hiding the toolbar or navigation in your embed is cosmetic, not a security boundary: anything a customer must not see has to be locked down with Permissions.
- Tableau Online is updated on Tableau’s schedule, not yours. Updates very rarely affect the viz portion of Tableau that you embed (at most, new options appear on the toolbar if it is visible), but if customers regularly see the full Tableau Online portal, it can change considerably overnight.
- Tableau Online has very good uptime, and if you have Premium Support there is an SLA (see the Support offerings here).