5 Replies Latest reply on Mar 1, 2017 1:02 AM by john harkin

    Trusted Authentication with Proxy Server

    Biyin Cai



      I'm trying to embed the Tableau reports to my web application. Below graph shows the the architecture of my web application. I have a public server/url that everyone has access to - 'app.com', and this intermediate server can access my internal servers where my web application and Tableau server is installed. I set up trusted authentication between the internal servers - 'app.internal.com' and 'tableau.internal.com' to generate an authentication ticket following this tutorial:



      However, the server-to-server call is placed between the two internal servers. I have the following questions:

      • Is this ticket only redeemable by 'app.internal.com'?
      • How can I redeem this ticket from the public/external server (i.e. 'app.com') so that my users can view the reports without logging in to the Tableau server? Note: I don't to set up the direct trusted authentication relationship between the internal Tableau server and the external server (app.com) since everyone can access the external server and security will be crashed.
      • How long is the ticket valid for?


      Any suggestions will be appreciated.




        • 1. Re: Trusted Authentication with Proxy Server

          Hey Biyin,


          I asked a colleague and here is his response:


          If app.com is just a proxy, everything should work just fine and Tableau Server don’t even need to know about proxy in front of it. Just make sure that users can access Tableau Server through app.com and proxy preserves “Host” header and adds “X-FORWARDED-PROTO” if SSL offloading is in use.


          This is how everything should work

          1. 1. User access page on “app.com” and request is handled by “app.internal.com”
          2. 2. App.internal.com requests a ticket on user’s behalf from tableau.internal.com
          3. 3. App.internal.com sends page to user via app.com. Among other things page contains Tableau Server URL with trusted tickets in it (i.e. http://tableauserver.app.com/trusted/12345/views/workbook/view?:embed=yes)
          4. 4. User’s browser goes to tableauserver.app.com, request relayed to Tableau Server.
          5. 5. Tableau Server recognizes ticket, creates a session and sends user a redirect to the actual page and cookie with session info.
          6. 6. User’s browser follows redirect link and pull data directly from the Tableau Server

          We don’t support scenarios where intermediate server redeems ticket on user’s behalf and pulls view from Tableau Server for user. It might or might not work, but we always expect end-user’s browsers to talk to Tableau Server (even if request is routed through several proxies)


          As of specific questions:

          • We don’t check who redeems the ticket unless client IP matching is enabled (http://onlinehelp.tableau.com/current/server/en-us/help.htm#trusted_auth_optional.htm). As long as we recognize ticket provided in the URL, session is created.
          • See above. If proxy preserves “Host” header and has “X-FORWARDED-PROTO” (when applicable), Tableau Server doesn’t even need to know about proxy
          • Ticket is valid for 3 minutes or 1 use. Once redeemed, session is subject to regular Tableau Server “idle” timeouts.
          • 2. Re: Trusted Authentication with Proxy Server
            Biyin Cai

            Hi Diego,


            Thank you so much for your reply. This solves my problem.


            I have another question about ticket redeem: if the report is embedded on a web page of my app and takes more than 3 minutes to load the whole report, is the ticket still redeemable? Does Tableau server return any error code? Also, after the ticket is redeem, for how long can the user view/interact with the report on my web page?



            • 3. Re: Trusted Authentication with Proxy Server

              Hey Biyin,


              The ticket is redeemed before we start to load the view so it should be okay if the page takes more than three minutes to load. If the ticket is invalid you'll receive a response which says that Tableau Server cannot locate an unexpired trusted ticket.


              As for timeouts, there are a few timeout settings which will affect usage of the viz.


              There is a standard vizqlserver timeout of 30 minutes which will drop all filter choices after 30 minutes of idle time.


              There is a timeout which will log you out after 240 minutes (by default).



              • 4. Re: Trusted Authentication with Proxy Server
                Biyin Cai

                Hi Diego,


                After 30 minute of idle time when all filter choices are dropped, the report session displays a Tableau Server Login Page when I click on the any of the filters (in app.external.com). Is there any way to display a time out error page or auto refresh instead of showing up a Tableau Login Page? I'm embedding the Tableau report into my web application so I don't want to expose the internal Tableau server to my users.


                Another question: what is the parameter that I can set for the timeout window for filter and log out?



                • 5. Re: Trusted Authentication with Proxy Server
                  john harkin


                  Its mentioned in response "Tableau Server doesn’t even need to know about proxy"  - why is this the case?

                  The "Configure a reverse proxy server" section of Configuring Proxies for Tableau Server  mentions settings such as gateway.trusted_hosts ... , why do they not need to be setup correctly in this scenario?

                  Thanks for your time.