Tableau Server

Session-level Single-Sign On

Tableau Server doesn’t currently (as of 2018.2) have a dedicated “service” for authentication when doing Single Sign-On. Instead, a Tableau Server session is established the first time you load a Viz using a given SSO method. Whether using Trusted Authentication, Windows Authentication, or SAML, when the first viz loads, that is when the authentication actually happens, and after that point, there is a Tableau Server session cookie, so that the authentication doesn’t have to happen continuously.

Traditionally, particularly for Trusted Authentication, instructions have been given to request and send a new ticket for each load of any Viz. But this introduces extra, unnecessary authentication requests, and can even lead to a “race condition” when you are loading multiple Vizes in the same page, where sessions are being created and overriding each other as separate tickets are processing at the same time. This same issue can affect ANY of the SSO methods when loading multiple vizes.

The Hidden / Empty Viz Solution

As mentioned above, once the first Viz has been authenticated, there is a Tableau Server Sesssion cookie that will be used for all subsequent requests. So to create a “login” service, we simply need to login as quickly as possible to a Viz. This is very similar to what you need to do for Trusted Authentication SSO into the full Tableau Server UI.

The simplest Viz possible is all we need (literally, a single filter on a page using a totally blank Data Source can be used). Every user is the Tableau Server should have access to this Viz. As soon as the user is authenticated into the main application, you should load the simple viz — if using Trusted Authentication, this request should include the trusted ticket. You can hide the Viz div under something or out of sight (the div shouldn’t actually have visibility:hidden though because some browsers don’t like that prior to the Viz being initialized), so that the user doesn’t see this load process. Or do it quickly in a page that then redirects to the next page. It’s up to you.

Session Timeout with Trusted Tickets

The one advantage of continually sending Trusted Tickets is that the Tableau Server session is continually extending as each ticket is sent. If you only do one Trusted Ticket to establish a session, how do you keep from timing out and sending the user to the Tableau Server sign-in box? The answer is to set your own timer cookie, and whenever it times out, reestablish the session using the Empty Viz. You shouldn’t need to do this with SAML or AD, because they will automatically call out and reestablish their sessions, but you could.


Tableau Server sessions will end naturally based on the value you have set for them using tabadmin / TSM. Actually forcing a Tableau Session to sign-out is a little tricky — recent versions of Tableau Server understand a SAML IdP Signout, or you could try to use the REST API to signout, but in the latest version of Tableau Server, the REST API technique requires reverting to a simpler, less secure type of session cookie.


Revisiting The Tenets of Multi-Tenancy

Since there’s been so much time and better examples and code, I went back and did a major revision of the The Tenets of Tableau Templates on Multi-tenants which I highly advise everyone reading. It’s the most thorough explanation out there of how to correctly handle SaaS / Multi-Tenancy or Dev->Test->Prod promotion. And no, you do not need Interworks PowerTools to do this process, although they do have some nice features.

tableau_tools 4.0.0 is released!

I’m very excited to announce the release of tableau_tools 4.0.0, available now on GitHub and PyPi! tableau_tools is a single library to make administrating a Tableau Server and the content on that server as simple as possible. It is written in Python 2.7 with the aim to eventually become compatible with Python 3. It is also intended to server all versions of Tableau Server from 9.0 – current release.

The 4.0 release is almost a complete rewrite, with a focus on full implementation of the Tableau Server REST API through API Version 2.6, simplification of methods throughout, and advanced capabilities for publishing from templates. The capabilities of tableau_tools are beyond the current capabilities of the Tableau Server-Client Library and Document API, and I recommend you use it over them at this time.

4.0 is different enough from the previous versions that all previous versions of tableau_tools are now deprecated, and I will be removing their documentation from the website to remove any confusion.

There are plenty of example scripts included in the package, which you can see at GitHub…

The README is a full guide to using the library, and should be read when beginning. As before, tableau_tools was programmed using PyCharm and is designed to provide optimal code completion when using PyCharm. Your life will be a lot easier if you do.

tableau_tools README

A list of all the major changes, which won’t matter if you are just getting started:


Triggering Extract Refreshes with tableau_tools

If you have ETL processes that must run before your extracts can generate, it may make more sense to trigger an extract refresh (or the schedules) to run after the ETL has finished, rather than setting the extracts on a schedule. It maximizes your backgrounder processes by feeding their queues immediately when data is ready, and saves wasted effort if the ETL process fails.

As of Tableau Server version 10.0, there are no REST API commands to do this triggering, but tabcmd does have commands that can accomplish this. The tableau_tools Python library  has a Tabcmd class that wraps the most common tabcmd commands, including those for extract refreshes. Together with the tableau_rest_api sub-package, you can trigger off extract refreshes.

Note: Please use the latest version of tableau_tools (3.1.0+) to do the following.


Using IPsec to Encrypt Tableau Server Intra-node Communication

If you want to run Tableau Server in a cloud hosted environment, like AWS, you may have concerns about unencrypted traffic between the nodes of the Tableau Server. Of course, you will have configured the Tableau Server to use SSL for external communications, and configured the internal repository to communicate via SSL, but what about data server, the data engine, etc.?

The best method to protect all of that communication is to enable IPsec via the Windows Firewall with Advanced Security pane in the Administrative Tools of Windows Server. I’m no expert on these things, so any questions, comments or discoveries are very welcome, but this seems to work in a basic AWS test cluster. I’ve heard you can control all of this policy stuff from a domain controller rather than configuring each machine, so don’t take this as the only way to configure IPsec.


Tableau on Azure

“Tell us about Tableau on Azure”. “Does Tableau run on Azure?” There is probably no more confusing question at the moment, because the terminology for Microsoft Azure is unclear, and Microsoft have been making changes to both the technology and the nomenclature so quickly that it’s best to step back and understand the ways in which Tableau can interact with the Azure platform.

There are three different situations can fall under the “Tableau and Azure” moniker, all of which are possible:

  1. Tableau Server hosted on a Virtual Machine in Azure
  2. Tableau Desktop or Server connecting to the Microsoft run and operated Azure SQL Database
  3. Tableau Desktop or Server connecting to a database (often Microsoft SQL Server) on a hosted Virtual Machine in Azure

Tableau Server on a hosted VM

Much like AWS, Tableau Server can be run on a hosted VM in the Microsoft Azure cloud. Russell Christopher has done an excellent job of testing out the available VM and storage configurations available in Azure and making recommendations on what is necessary for good performance with Tableau Server. If you want to host Tableau Server on Azure, stop now and read Russell’s blog.

In virtualized environments, disk access / IOPS tends to be the biggest hidden issue for Tableau Server performance, particularly if you are using extracts. This is true of Azure, AWS, and also your internal VMWare configuration.

The official Tableau KB article on installing Tableau Server on Azure is now available here .

Tableau Desktop and Server connecting to Azure SQL Database

Here is where the wording gets fun (i.e. confusing). As if “SQL Server” wasn’t already a generic enough name, Microsoft refers to their managed and hosted cloud database, based on “SQL Server”, as “Azure SQL Database”. Internally, it is very similar to SQL Server, and as of Tableau 9.1, you simply connect via the standard Tableau native connector for Microsoft SQL Server. Put in your credentials, and you are good to go.

Tableau Desktop and Server connecting to a Microsoft SQL Server database on a hosted VM in Azure

You can also put a database (usually Microsoft SQL Server) on a hosted VM in Azure. Luckily, to Tableau Desktop and Server, the process for connecting is identical to that of any SQL Server connection: put in your credentials and viola!

Utilizing Tableau Server’s Search Server in an Embedded Portal

Tableau Server 9.0 has an amazing search functionality — if you type in values into the top search box, it looks across everything available in the Tableau Server instantly and brings back results incredibly quickly. It’s not any particular secret that the Search & Browse process is powered by Apache Solr/Lucene . It’s a blazing fast piece of technology that supports a lot of the instantaneous feel in Tableau Server 9.0 (the portal and the REST API also use Solr).

I was asked recently how to do some of the same search functionality that exists in Tableau Server 9.0, but in an embedded portal. Some of it is possible via the REST API, while other requests would require opening up the PostgreSQL Repository. I wasn’t even sure some of the requests were possible — yet when I typed into the multi-search box, it seemed to be searching across all of the attributes we were looking to tap into.