16 Replies. Latest reply on Sep 20, 2017 1:53 AM by Aravind N

    SSO Implementation for tableau Server

    Aravind N

      Hi Folks,

       

      I have a requirement to implement SSO for the data source when a user is logging into a worksheet in Tableau Server.

       

      I am aware of the embed and prompt concepts in Tableau while publishing, but in the DB we have a security model designed where we have separate credentials for each and every individual, and hence we need an SSO design for the data source in Tableau Server.

       

      Regards,

      Aravind

        • 1. Re: SSO Implementation for tableau Server
          Glen Robinson

          Hi Aravind.

          If you are using Active Directory and are using one of the following Data Sources, then you could enable Kerberos and set up Delegation to the data source:

          MS - SQL, MSAS, Oracle, Postgres, Hive/Impala, Teradata

           

          Enable Kerberos Delegation

           

          Hope this helps

          Glen

          • 2. Re: SSO Implementation for tableau Server
            Aravind N

            Hi Glen,

             

            Thanks for the quick response. I am using Redshift as the DB and my Tableau version is 10.0.

             

            Will check and let you know.

             

            Thanks again.

            Aravind

            • 3. Re: SSO Implementation for tableau Server
              Aravind N

              Hi Glen,

               

              We are using Amazon Redshift as the backend and found some insights stating that third-party tools like Kerberos are not supported in it.

               

              Glen/Folks,

               

              Please let me know if anyone has implemented SSO using Amazon Redshift in Tableau Server.

               

              Regards,

              Aravind

              • 4. Re: SSO Implementation for tableau Server
                Glen Robinson

                Hi Aravind

                I know of no way of using SSO with Redshift.

                Is the reason you want SSO so that you can have row-level security for your data?

                If it is, then there are options around how to set this up within Tableau itself:

                Create a User Filter and Secure it for Publishing

                All the best

                Glen

                • 5. Re: SSO Implementation for tableau Server
                  Aravind N

                  Hello Glen Robinson/folks,

                   

                  We have many users using Tableau Desktop and they can easily delete the user filters, hence we built security upon tables, and hence we need an SSO based on user authentication, since each and every user has separate credentials to access the data source.

                   

                  So my scenario is that I don't want them to enter the DB credentials every time they log in, and hence the data source credentials should be merged with the Tableau Server credentials, so we thought to implement an SSO.

                   

                  I found a Tableau doc stating that Kerberos can be used for the on-premise server only. Please advise.

                   

                  Thanks

                  • 6. Re: SSO Implementation for tableau Server
                    Aravind N

                    Please note our Tableau Server is hosted on Amazon.

                    • 7. Re: SSO Implementation for tableau Server
                      Glen Robinson

                      Hi Aravind

                      Kerberos can be used on any Tableau Server, as long as the Tableau Server is part of a Windows Domain, and you are using Active Directory Authentication. Your server being in AWS shouldn't make any difference.

                       

                      Regarding User Filters: to stop Desktop Developers (or those using Web Authoring) from removing the Filters, add the filter as a Data Source Filter and then publish the Data Source to the Tableau Server. Then those connecting to the Data Source (via Tableau Server) will have the filter applied, and they will be unable to remove it. (See bottom part of article that I linked to previously.)

                       

                      Hope this helps

                      Glen

                      • 8. Re: SSO Implementation for tableau Server
                        Aravind N

                        Hi Glen,

                         

                        Great thanks for your continued response. In Desktop, under Data -> Data Source Filter, we can remove these data source filters.

                         

                        But this is fine since we have handled those securities with the Data Source.

                         

                        Kerberos authentication is what I am thinking of to implement SSO for data source credentials.

                         

                        Will update after a try.

                         

                        Thanks again,

                        Aravind

                        • 9. Re: SSO Implementation for tableau Server
                          Glen Robinson

                          Hi Aravind

                          If you publish the Data source to the Server (with the user filter added), then those connecting to the Data Source (via Tableau Server) do not have the ability to remove the filter. (See below)

                          Kerberos Authentication will give you SSO into your Tableau Server, but I don't see how it will allow you to sign on to your Data Source (Redshift), as it isn't a supported option.

                          Regards

                          Glen

                          • 10. Re: SSO Implementation for tableau Server
                            Aravind N

                            A user filter would be a solution if it is added on the web, but in my case most of the users are using Desktop, and they can download the workbook and, without even entering the data source, delete the filter without connecting to the DS pane by using the option Data -> select data source -> remove data source filter.

                             

                            We want to make a link between Tableau Server and Redshift for authentication. Is there any way with Windows NT authentication? Is Tableau Server AD connect supported by Redshift, so that I can get some idea?

                             

                            Thanks for your constant replies.

                             

                            Aravind

                            • 11. Re: SSO Implementation for tableau Server
                              Glen Robinson

                              Hi Aravind

                              1. I don't know of a way of using Windows Authentication with Redshift.

                              2. To mitigate the issues you describe, you can do the following.

                                          Connect to the Data Source, and add the 'user filter' as a Data Source Filter

                                          Publish the Data Source to the Tableau Server as a Published Data Source

                                          Build Workbooks that use this Published Data Source (and not a direct connection to the Data source).

                               

                              This means that even if someone downloads the workbook, or downloads the Published Data Source, or connects to the Published Data Source, they will not be able to remove the user filter.

                               

                              Hope this clarifies things

                              All the best

                              Glen

                              • 12. Re: SSO Implementation for tableau Server
                                Steve Tyrrell

                                Hello Glen,

                                I am currently trying to implement Kerberos Delegation for Oracle, and am unable to get delegation to the datasource to work.  Kerberos works fine for the initial login from a client to Tableau Server, but the "second hop" delegation to the datasource does not pass the credentials.  I see in your first post to Aravind that you mention Oracle as one of the DBs that is supported for delegation.  However, it's not mentioned as a supported datasource in the linked document, and Tableau support has told me that delegation does not currently work for Oracle datasources.

                                Have you been able to get delegation to an Oracle datasource working?  It is critical for me to be able to pass the credentials of the user to Oracle for security reasons.  Any help would be much appreciated!

                                Steve

                                • 13. Re: SSO Implementation for tableau Server
                                  Glen Robinson

                                  Hi Steve

                                  I haven't enabled Kerberos Delegation for Oracle myself, but here are the articles I have found on it.

                                   

                                  https://onlinehelp.tableau.com/current/server/en-us/kerberos_oracle.htm

                                   

                                  Enable Kerberos Delegation

                                   

                                  All the best

                                  Glen

                                  • 14. Re: SSO Implementation for tableau Server
                                    Steve Tyrrell

                                    Hey Glen,

                                     

                                    Unfortunately this just addresses enabling Kerberos, not Kerberos Delegation (for Oracle).   I was hoping you had the Holy Grail!  Back to the drawing board.

                                     

                                    Thanks for the response though,

                                     

                                    Steve
