#2 sounds really interesting to me. Tell me more! (#3 will be in Tableau 8).
Well, the steps would be easy for LDAP authentication. In case of Tableau Server 8, the steps are:
- Add LDAP server configuration parameters to config\application.rb (CN search path, bind options, server url)
- Add https://github.com/jruby/jruby-ldap under libs. Optionally I could create a rails plugin and put under vendor
- Add a dropdown list for authentication types in the logon screen. This should be done in app\views\shared\_login.html.erb
- As in Tableau 8 I cannot modify the controllers directly, I should put this LDAP related dropdown result into the form url. This will help to redirect in case of LDAP the request to my own controller, by adding this new URI pattern to config/routes.rb
- Here I should implement my authentication, and in case of problems add a redirect to the logon page, and fill all the required variables to show the error messages according to the related erb views
- Now by using ldap module, controller should authenticate the user (user will be substituted in template CN string)
- And now comes the tricky part, if the user and pass are correct, I should log my user in. There are two options, first is to reverse engineer the auth controller, second is to obtain a trusted ticket from localhost, and redirect the user to that location.
I think it will be a good exercise to check how to add new features to tableau 8.
Finally it works, it could be better, but at least allows users to log on:
The solution has some constraints, like:
- In all cases user must exist in Tableau Server. So, if you log on with your kerberos user, the username before the @ sign must be a real tableau user. For LDAP the username substitute should be also a real tableau user.
- In case of LDAP, the admin must provide the DN mask for authentication like (&(objectclass=person) (sAMAccountName=##LDAP_LOGIN##)) . ##LDAP_LOGIN## will be substituted by the user provided username
- In case of kerberos the admin must configure the java kerberos security things and provide a valid krb5.ini. No tricks here
- I did not test with original WinAD authentication, maybe it has no effect but who knows
The biggest challenge was that in Tableau 8.0 the files are obfuscated differently than in 7.0, so in several places I must work around a lot of things. Like I cannot really use I18n module for internationalization since I don't know what is going on inside the auth controller. I would set the auth.login.label.field.authtype but still have no idea where I can do that.
My question is, what are my options if I would release this exercise? I modified several files from the installation, and it is still not clear what can be released and how. The Tableau license prohibits any modification or reverse engineering of the code, thus that's a great question from my side.
So, Tableau guys?
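The ##LDAP_LOGIN## substitution described in the constraints above, as an added example that is not part of the original posts or of Tableau's code: it escapes the user-supplied name per RFC 4515 before placing it in the admin's filter mask, and refuses empty passwords before a simple bind. The names LDAP_PLACEHOLDER, escape_filter_value, build_user_filter and bindable_password? are hypothetical.

```ruby
# Added example, not the poster's code. All names here are hypothetical.
LDAP_PLACEHOLDER = '##LDAP_LOGIN##'

# RFC 4515 section 3: these characters must appear in a filter value
# as a backslash followed by two hex digits.
FILTER_ESCAPES = {
  '\\' => '\\5c',
  '*'  => '\\2a',
  '('  => '\\28',
  ')'  => '\\29',
  "\x00" => '\\00'
}.freeze

# Escape one assertion value so it cannot change the filter's structure.
def escape_filter_value(value)
  value.gsub(/[\\*()\x00]/) { |ch| FILTER_ESCAPES[ch] }
end

# Substitute the login into the admin-provided mask.
def build_user_filter(template, login)
  unless template.include?(LDAP_PLACEHOLDER)
    raise ArgumentError, 'filter mask has no login placeholder'
  end
  login = login.to_s.strip
  raise ArgumentError, 'empty login' if login.empty?
  # Block form: the replacement is inserted literally, so a backslash
  # in the escaped value is not read as a back-reference.
  template.gsub(LDAP_PLACEHOLDER) { escape_filter_value(login) }
end

# RFC 4513 section 5.1.2: a simple bind with a DN and an empty password
# is an "unauthenticated bind" that some servers answer with success,
# so the controller must reject it before contacting the directory.
def bindable_password?(password)
  !password.nil? && !password.empty?
end

# Filter mask as quoted in the post; the logins are constructed samples.
MASK = '(&(objectclass=person) (sAMAccountName=##LDAP_LOGIN##))'
if __FILE__ == $PROGRAM_NAME
  ['jdoe', 'jdoe)(objectclass=*'].each do |name|
    puts build_user_filter(MASK, name)
  end
end
```

The second sample login comes out as a single literal value, so the search still matches only on sAMAccountName.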
Hey Tableau guys. I have still the same question. I would like to release my addons to Tableau including LDAP/Kerberos/CA SiteMinder authentication modules, direct Crystal Reports rendering in tableau server and other stuff.
Could you tell me what are my options? Or whatever I do I cannot resell/implement at my customers?
I would just post them either here or on a personal blog.
The problem (as you stated) here is that you are modifying Tableau Server (for example, the login dialog definition), which is officially prohibited.
Above and beyond the licensing issues, any changes to the base distro we lay down renders the machine unsupportable as far as Product Support is concerned. Unless the configuration has been tested, it's not supported.
Can't you get where you need to go with the lightest of hacks to the login page and enabling persistent tickets on the Tableau server? What if you put a redirect on the login page to take you to your custom login page? You can do a whole lot of application logic between a custom login page and the issuance of a ticket.
As Russell said, we can support that officially but many customers will choose a light hack that is not supported in order to deliver functionality the enterprise demands.
My guess is that you'll see an out of the box ability to specify a custom login page upon session expiration/invalidation in the future some time (not 8 it seems).
How were you able to achieve Tableau Server integration with Siteminder SSO?
We are trying to do the same, but there has been a lack of understanding.
So, any inputs/help would be great.