As a Tableau Server admin, you can register one or more external authorization servers (EASs) to establish a trust relationship between your Tableau Server and the EAS using the OAuth 2.0 standard protocol.
Important:
The trust relationship between your Tableau Server site and external application is established and verified through an authentication token in the JSON Web Token (JWT) standard.
When embedded Tableau content is loaded in your external application, Authorization Code Flow, OAuth flow is used. After users successfully sign in to the IdP, they are then automatically signed in to Tableau Server. Follow the steps described below to register your EAS with Tableau Server .
Key components of a connected appThe following components of the connected work together with the JWT in your external application to authenticate users and display embedded content.
External authorization server (EAS): The server, typically your IdP, that functions as the interface between the user and the external application. The server authenticates and authorizes user access to the protected Tableau content.
Issuer URL: The URL that uniquely identifies the EAS instance.
The diagram below illustrates how authentication works between your external authorization server (EAS), external application (web server and webpage), and Tableau connected app.
User visits the webpage: When a user visits the embedded content on a webpage, the webpage sends a GET request to the external application.
External application redirects request to EAS: External application responds with a webpage that redirects to the external authorization server (EAS).
User authenticates with EAS: User authenticates and authorizes with the EAS.
EAS responds to webpage with authorization code: The EAS responds to the page with an authorization code and redirects back to the webpage.
EAS converts authorization code to JWT: Webpage calls the EAS to convert the authorization code to a JWT, which the webpage puts into the embedded contentâs URL.
Webpage requests content from Tableau: Webpage loads the iFrame and sends a GET request to Tableau.
Tableau validates the token: Tableau validates the JWT in the URL with the signature and responds with the content and respects the embedding scopes defined in the JWT.
To register an EAS with Tableau Server , you must have an EAS already configured. In addition, the EAS must send a valid JSON Web Token (JWT) that contains the registered claims and header listed in the table below.
Claim Name Description or required value "kid" Key ID Required (in header). A unique key identifier from the identity provider. "iss" Issuer Required (in header or as a claim). Unique issuer URIthat identifies the trusted connect app and its signing key. "alg" Algorithm Required (in header). JWT signing algorithm. Supported algorithm names are listed in the Class JWSAlgorithm(Link opens in a new window) page in the javadoc.io documentation. The signing algorithm can be configured using the vizportal.oauth.external_authorization_server.blocklisted_jws_algorithms command. "sub" Subject User name of the authenticated Tableau Server user. "aud" Audience
Value must be: "tableau"
exp" Expiration Time A valid JWT must not be expired. The expiration time (in UTC) of the JWT must be within the configured maximum validity period. Maximum validity period can be configured using vizportal.oauth.external_authorization_server.max_expiration_period_in_minutes command. "jti" JWTÂ ID The JWTÂ IDÂ claim provides a unique identifier for the JWT and is case sensitive. "scp" Scope
For embedding workflows, supported values include:
"tableau:views:embed"
"tableau:views:embed_authoring" (Added in Tableau Server 2022.3)
"tableau:metrics:embed" ( Retired in Tableau Server 2023.3 )
"tableau:ask_data:embed"( Added in Tableau Server 2023.1. Will be retired in Tableau Server 2024.2)
Notes:
tableau:views:embed, the scope respects usersâ permissions already configured in Tableau Server and allows users to interact with the tools in the embedded view if available in the original view.For RESTÂ API authorization workflows, see REST API methods that support JWTÂ authorization.
For Metadata API workflows that use the REST API for authentication, the only supported scope is tableau:content:read.
https://tableau.com/groups Dynamic group membership For embedding workflows only.
Value must match the name of one or more groups in Tableau Server. For more information, see Dynamic group membership (embedding workflows only) section below.
(User attributes) (User attribute values)For embedding workflows only.
Starting in Tableau Server 2025.1, you can include user attributes in the JWT. Then when user attribute functions are used in embedded content, Tableau checks the authenticated userâs context and determines what data can display at runtime.
Notes:
Check the Tableau Embedding API v3(Link opens in a new window) Help for known issues and limitations that might affect your workflow.
Note: The JWT claims above are documented in the Registered Claim Names(Link opens in a new window) section in the documentation distributed by the Internet Engineering Task Force (IETF) organization.
Step 2: Register your EAS with Tableau ServerBy registering your EAS with Tableau Server, you establish a trust relationship between the EAS and Tableau Server. This means when users access Tableau content embedded in your external application, they are redirected to authenticate with the IdP. The EAS generates the authentication token, which is passed to Tableau Server for verification. After the trust relationship is verified, access to the embedded content is granted users.
Note: Some EAS support the option to display a consent dialog that asks for usersâ approval for the application to access Tableau content. To ensure the best experience for your users, we recommend you configure your EAS to automatically consent to the external applicationâs request on usersâ behalf.
About site-level EASBeginning in Tableau Server 2024.2, you can configure site-level EAS. To register an EAS at the site-level, connected apps must be enabled in Tableau Server Manager (TSM).
There are two ways you can register server-wide EAS: using the TSM web UIÂ or using TSMÂ CLI.
After registering the EAS, the established trust relationship applies to all sites on Tableau Server.
Option 1:Â Using TSM web UIAs a Tableau Server admin, sign in to the Tableau Services Manager (TSM) web UI. For more information, see Sign in to Tableau Services Manager Web UI.
Do one of the following:
In Tableau Server 2024.2 and later, navigate to User Identity & Access page > Connected Apps tab.
In Tableau Server 2023.3 and earlier, navigate to User Identity & Access page > Authorization Server tab.
In Tableau Server 2024.2 and later:
Select the Enable connected apps check box.
Select the second radio button, Allow connected apps (configure at site level) and server-wide OAuth 2.0 trust (configure below).
In the Issuer URL text box, paste the issuer URL of the EAS.
Click the Save Pending Changes button.
In Tableau Server 2023.3 and earlier:
Select the Enable OAuth access for embedded content check box.
In the Issuer URL text box, paste the issuer URL of the EAS.
Click the Save Pending Changes button.
In the upper-right corner of the page, click the Pending Changes button.
In the bottom-right corner of the page, click the Apply Changes and Restart button to stop and restart Tableau Server.
Run the following commands:
tsm configuration set -k vizportal.oauth.external_authorization.enabled -v true tsm configuration set -k vizportal.oauth.external_authorization_server.issuer -v "<issuer_url_of_EAS>" tsm restart
Beginning in Tableau Server 2024.2, you can register one or more EASs for a site. After registering the EAS at the site level, the established trust relationship applies to the site only.
Note:Â A prerequisite to configuring site-level EAS is that connected apps is enabled in TSM.
Step 1: Enable connected appsAs a Tableau Server admin, sign in to the Tableau Services Manager (TSM) web UI. For more information, see Sign in to Tableau Services Manager Web UI.
Navigate to User Identity & Access page > Connected Apps tab.
Select the Enable connected apps check box.
Do one of the following:
Select the first radio button, Allow connected apps (configure at site level) to enable registering EASs at the site-level only.
(Default) Select the second radio button, Allow connected apps (configure at site level) and server-wide OAuth 2.0 trust (configure below) to enable registering EASs at both the site-level and server-wide. If you choose this option, ensure the issuer URL specified at the site-level is different from the server-wide issuer URL.
Click the Save Pending Changes button.
In the upper-right corner of the page, click the Pending Changes button.
In the bottom-right corner of the page, click the Apply Changes and Restart button to stop and restart Tableau Server.
As a Tableau Server admin, sign in to Tableau Server.
From the left pane, select Settings > Connected Apps.
Click the New Connected App button drop-down arrow and select OAuth 2.0 Trust.
In the Name text box, enter a name for the connected app.
In the Issuer URL text box, paste the issuer URL of the EAS.
Select the Enable connected app. For security purposes, a connected app is set to disabled by default when created.
When finished, click the Create button.
After the connected app is created, copy the connected appâs site ID. The site IDÂ is used for the JWT's "aud" (Audience) claim described in Step 1 above.
After configuring Tableau Server to use your EAS, you must add embed code to your external application. Ensure that you include the valid JWT generated by your EAS, as described in Step 1, in the web component that your external application calls.
For more information about embedding Tableau content, see one or both of the following:
Note: For users to successfully authenticate when they access embedded content, browsers must be configured to allow third-party cookies.
Control where content can be embedded using domain allowlist for embeddingStarting in Tableau Server 2023.3 , you and your users can control whether Tableau content can be embedded without restriction or restricted to certain domains using the Update Embedding Settings for Site method in Tableau REST API.
By default, the unrestrictedEmbedding site setting for embedding is set to true to allow unrestricted embedding. Alternatively, you and your users can set the setting to false and specify the domains where Tableau content in external applications can be embedded using the allowList parameter.
For more information, see one or both of the following:
After the JWT has been configured, you must add the valid JWTÂ to the RESTÂ API Sign In request for authorized access. For more information, see Access Scopes for Connected Apps.
For Metadata API workflowsAfter the JWT has been configured, you must add the valid JWT to the RESTÂ API Sign In request. For more information, see Access Scopes for Connected Apps.
Manage a connected app Dynamic group membership (embedding workflows only)Beginning in Tableau Server 2024.2 , if connected apps are configured and the capabilityâs setting is enabled, you can dynamically control group membership through custom claims included in the JWT sent by the external application.
When configured, during user authentication, the external application sends the JWT that contains two custom claims for group membership: group (https://tableau.com/groups) and group names (for example, "Group1" and "Group2") to assert the user into. Tableau validates the JWT and then enables access to the groups and the content whose permissions are dependent on those groups.
For more information, see Dynamic group membership using assertions.
Known issues (embedding workflows only)There are a couple of known issues when using connected apps that will be addressed in a future release.
Toolbar features: When embedded content has the toolbar parameter defined, not all toolbar features will work. To work around this issue, we recommend you hide the toolbar parameter like in the example below.
<tableau-viz id='tab-viz' src='https://<your_server>/t/<your_site>/...' toolbar='hidden'> </tableau-viz>
Published data sources: Published data sources set to Prompt User for database credentials will not display. To work around this issue, if possible, we recommend data source owners embed their database credentials instead.
When embedded content fails to display in your external application or Tableau RESTÂ APIÂ authorization fails, you can use a browserâs developer tools to inspect and identify error codes that might be associated with the EAS feature enabled on Tableau Server .
Refer to the table below to review the description of the error code and potential resolution.
Error code Summary Description Potential resolution or explanation 5 SYSTEM_USER_NOT_FOUND Tableau user could not be foundsub' (Subject) claim value in the JWT is "username" for the authenticated Tableau Server. This value is case sensitive. 16 LOGIN_FAILED Login failed This error is typically caused by one of the following claim issues in the JWT:
exp' (Expiration Time) exceeds the default maximum validity period. To resolve this issue, review registered claims(Link opens in a new window) required for a valid JWT and ensure the correct value is used. To change the maximum validity period, you can use the vizportal.oauth.external_authorization_server.max_expiration_period_in_minutes command.sub' (Subject) is calling an unknown user. To resolve this issue, verify the 'sub' claim is "username". This value is case sensitive.kid' (Secret ID) or 'clientId' (Issuer) claims are missing from the JWT header. To resolve this issue, ensure this information is included. 10084 JWT_PARSE_ERROR JWT contains issues To resolve this issue, verify the following:
aud' (Audience) value referenced in the JWT uses the "tableau" value. This value is case sensitive.aud' (Audience) and 'sub' (Subject) are included in the JWT.To resolve this issue, verify the correct issuer is being called. To change the issuer URL, you can use the vizportal.oauth.external_authorization_server.issuer command.
10087 BLOCKLISTED_JWS_ALGORITHM_USED_TO_SIGN Issue with the JWTÂ signing algorithm To resolve the issue, you can remove the signing algorithm. For more information, see vizportal.oauth.external_authorization_server.blocklisted_jws_algorithms. 10088 RSA_KEY_SIZE_INVALID Issue with JWT signing requirements To resolve this issue, verify with the EASÂ or IdP the JWT is being signed with an RSA key size of 2048. 10091 JTI_ALREADY_USED Unique JWTÂ required The JWTÂ has already been used in the authentication process. To resolve this issue, the EASÂ or IdPÂ must generate a new JWT. 10092 NOT_IN_DOMAIN_ALLOW_LIST Domain of the embedded content is not specified To resolve this issue, ensure theunrestrictedEmbedding setting is set to true or domainAllowlist parameter includes the domains where Tableau content is embedded using the Update Embedding Settings for Site(Link opens in a new window) method in the Tableau REST API. 10094 MISSING_REQUIRED_JTI Missing JWTÂ ID To resolve this issue, verify the 'jti' (JWT ID) is included in the JWT. 10096 JWT_EXPIRATION_EXCEEDS_CONFIGURED_EXPIRATION_PERIOD Â The ' exp' (Expiration Time) exceeds the default maximum validity period. To resolve this issue, review registered claims(Link opens in a new window) required for a valid JWT and ensure the correct value is used. To change the maximum validity period, you can use the vizportal.oauth.external_authorization_server.max_expiration_period_in_minutes command. 10097 SCOPES_MALFORMED Issues with scopes claim This error can occur when the 'scp' (Scope) claim is either missing from the JWTÂ or not passed as a list type. To resolve this issue, verify 'scp' is included in the JWT and passed as a list type. For troubleshooting help with a JWT, see Debugger(Link opens in a new window) on the auth0 site. 10098 JWT_UNSIGNED_OR_ENCRYPTED JWTÂ is unsigned or encrypted Tableau does not support an unsigned or encrypted JWT. 10099 SCOPES_MISSING_IN_JWT Missing scopes claim The JWTÂ is missing the required 'scp' (Scope) claim. To resolve this issue, verify 'scp' is included in the JWT. For troubleshooting help with a JWT, see Debugger(Link opens in a new window) on the auth0 site. 10100 JTI_PERSISTENCE_FAILED Unexpected JWTÂ IDÂ error There was an unexpected error with the 'jti' (JWT ID). To resolve this issue, a new JWTÂ with a new 'jti' must be generated. 10103 JWT_MAX_SIZE_EXCEEDED JWT exceeds maximum size This error can occur when JWT size exceeds 8000 bytes. To resolve this issue, make sure that only the necessary claims are being passed to Tableau Server.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4