7 Replies Latest reply on Jun 4, 2015 9:13 AM by Andres Parra

    Trusted Authentication with Proxy

    . vsathu



      Here is the scenario.


      1) Setup

      TableauPrimaryServer and AppServer hosted in intranet.

      F5 & WebServer for the AppServer in DMZ zone


      Users are external and request will pass as  UserBrowser->F5->WebServer->AppServer.

      F5 acts as a proxy does a NAT and assigns an internal IP. Passes the actual browserIP in a httpheader.



      2) Sequence

      AppServer gets the brwoserIP from httpheader and requests a token. Redirects to TableauServer with the Token in URL.

      F5 intercepts again does NAT and forwards to TableauServer.


      3) Question

      I notice Tableau sees the internal IP and not the browserIP . Can this be forced ?




        • 1. Re: Trusted Authentication with Proxy
          James Baker

          The proxy needs to add two headers: X-FORWARDED-FOR which is the client ip address, and X-FORWARDED-HOST which is the original request host (this is whatever the user/client typed into their browser).


          Your Tableau Server needs these settings (use "tabadmin set", see your Admin Guide): gateway.trusted should be set to the ip address of the proxy, and gateway.public.host should be set to the hostname of the proxy. This is the externally visible hostname, as one might type it into a browser.


          Optionally, you can also set gateway.trusted_hosts to a comma-separated-list of alternate names for the gateway.public.host above (non fqdn, aliases).


          I don't think that the trusted ticket authentication complicates the scenario too much.  The headers added by the proxy need to be on the request from the user that validates/redeems the trusted ticket ID.

          • 2. Re: Trusted Authentication with Proxy
            . vsathu

            Thanks James.

            Will try that out.

            • 3. Re: Trusted Authentication with Proxy
              guest contributor

              Can an embedded document from the server page be accessed by passing the windows authentication on the server side?


              My tableau server uses the windows authentication to provide the access. I have a report in the server that I wanted to embed into a web application that uses the windows login. At present if the user wanted to access the chart in the embedded page - he / she has to type the windows login twice - one for the apps and the other for the chart. Is there any way in Tableau where we can bypass the second login request to the Tableau server?

              • 4. Re: Trusted Authentication with Proxy
                James Baker

                Yes, this is the primary purpose of "trusted authentication".  It involves Tableau Server trusting your web application server to request 'tickets' for authenticated users and then use the ticket URLs to show pre-logged-in views.  See the examples in the "extras" folder installed with Tableau Server, and other discussions on the forums.

                • 5. Re: Trusted Authentication with Proxy
                  guest contributor

                  Hello James,

                  I have a question on LDAP authentication.  Is it possible to use LDAP authentication in v. 5.2.  Also, I tried to use the trusted authentication where the user already existis in the system.  I am passing the token using the Tableau special URL.  However, I am getting the login screen again. Did you experience this issue?

                  • 6. Re: Trusted Authentication with Proxy
                    James Baker

                    Nope, LDAP (distinct from Active Directory) isn't supported in Server currently.  I'm not sure what your specific issue is with trusted auth - it can be a bit tricky to get right sometimes, and Support can help with that.

                    • 7. Re: Trusted Authentication with Proxy
                      Andres Parra

                      Hi James, Can you reply this question please?


                      Trusted Authentication with Proxy Server