3 Replies Latest reply on Mar 15, 2017 2:02 PM by Matt Coles

    Trusted Authentication when using SAML

    Nicholas Roth

      I'm trying to get VizAlerts set up so I can help in adding Slack support. However, we currently use SAML for authentication, and I'm not seeing in the Tableau or VizAlerts documentation how I would go about handling the Trusted Authentication setup. When configuring to use a valid Tableau user login, I see:

       

      UserWarning generating trusted ticket: Error generating trusted ticket. Value of ticket is -1. Please see http://onlinehelp.tableau.com/current/server/en-us/trusted_auth_trouble_1return.htm Request details: Request details: Server: tableau.<our domain>.com, Site: , Username: <valid user>, Url: https://tableau.<our domain>.com/trusted, Postdata: username=<valid user>.

       

        • 1. Re: Trusted Authentication when using SAML
          Matt Coles

          Trusted auth is an internal mechanism generally designed for third-party apps to authenticate directly to Tableau Server, with the expectation that the app itself is handling authentication properly on its own end. An example might be some custom authentication to a web portal which needs to display a viz to whatever end user should have access to it based on the custom auth and whatever access rights the app defines. The user would log into the web portal, and the back-end code driving it would then turn around and request the viz from Tableau Server using a trusted authentication ticket. Tableau Server is configured to "Trust" the host serving the web portal app, so it provides the ticket, which the portal app then "redeems" to serve the content to the end user.

           

          VizAlerts is a bit different in that it doesn't actually need to do any "authentication" for end users, because it's talking directly to the PostgreSQL database that contains all the metadata about Tableau Server content. If a user has already created a viz, or a subscription, then they'd have had to have been authenticated by Tableau Server already in order to do so. So we already know that (a) they are who they say they are and (b) they had rights to do what they did. The only real reason VizAlerts is using trusted tickets is because it's the only way to generate content from Tableau Server while impersonating an arbitrary user (the Server REST API does not yet support this).

           

          tl;dr: Using SAML as the Tableau Server auth mechanism should work fine with VizAlerts. Trusted tickets is its own thing. You'll need to set up trusted tickets as per page 6 of the Install Guide. Make sure to follow each step in that guide as carefully as you can--the vast majority of issues people experience are because they did not do so.
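The ticket exchange described above, as an added example that is not part of the original post and is not VizAlerts code: a client posts a username to `/trusted`, treats a returned `-1` as a hard failure, and builds the URL that redeems the ticket. The stub server, its trusted-host set, the user name, ticket value and view path are all constructed so the example runs offline; `target_site` and the `/trusted/<ticket>/views/...` path follow Tableau's documented trusted-ticket flow.

```python
import threading, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TRUSTED_HOSTS = {"127.0.0.1"}  # constructed stand-in for the server's trusted host list
KNOWN_USERS = {"alice"}        # constructed sample user
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

class StubTableau(BaseHTTPRequestHandler):  # local stand-in, not Tableau Server itself
    def do_POST(self):
        raw = self.rfile.read(int(self.headers["Content-Length"])).decode()
        user = urllib.parse.parse_qs(raw).get("username", [""])[0]
        ok = (self.path == "/trusted" and user in KNOWN_USERS
              and self.client_address[0] in TRUSTED_HOSTS)
        body = b"constructed-ticket-123" if ok else b"-1"
        self.send_response(200)  # the stub reports failure as the ticket value -1
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def request_ticket(base_url, username, site=None):
    """POST the username to /trusted; raise rather than pass a -1 ticket along."""
    form = {"username": username}
    if site:
        form["target_site"] = site
    data = urllib.parse.urlencode(form).encode()
    with OPENER.open(base_url + "/trusted", data=data, timeout=5) as resp:
        ticket = resp.read().decode().strip()
    if ticket == "-1":
        raise PermissionError("ticket is -1: check trusted host list, username, site")
    return ticket

def redeem_url(base_url, ticket, view_path, site=None):
    """Build the URL that redeems the ticket for a view."""
    site_part = f"/t/{site}" if site else ""
    return f"{base_url}/trusted/{ticket}{site_part}/views/{view_path}"

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubTableau)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        ticket = request_ticket(base, "alice")
        try:
            request_ticket(base, "not-a-user")  # unknown user: stub answers -1
        except PermissionError as exc:
            return ticket, redeem_url(base, ticket, "Sales/Overview"), str(exc)
    finally:
        server.shutdown()
        server.server_close()
```

The server decides whether to issue a ticket from the address the request arrives from, so the trusted host list has to match how the requesting host actually appears to Tableau Server.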

          • 2. Re: Trusted Authentication when using SAML
            Nicholas Roth

            Thank you for clearing up my uncertainty around SAML and its effect with authentication. When looking further at the reasons for the error, it appears that the hostname we provided is not resolved correctly on the Tableau server, as it is with our Linux servers.

             

            After a bit more trudging through, I was able to get an initial subscription working via email. This was the hard part; adding Slack support will be super easy in comparison. I hope to share a branch for feedback within the next week or two, but will have to include some additional modifications to better handle paths for use on Linux. I'm also running this as a Docker container, so I may include that as well, which provides a simple container for all the dependencies.

            • 3. Re: Trusted Authentication when using SAML
              Matt Coles

              Glad to hear it! And thanks in advance for your contributions!