3 Replies Latest reply on Oct 4, 2018 7:50 AM by Steve Martin

    WebSEAL (TAM 6.1) and Tableau Server SSO integration

    Arvind Kumar

      Hi Tableau Community Team,

       

      I am happy to be joining this group and am seeking suggestions on WebSEAL (TAM 6.1) and Tableau Server SSO integration. Basically, I am stuck on this SSO integration, wherein the customer requirement is to enable form-based authentication for Tableau users from the IBM product WebSEAL; users who are not in the customer network, or who are accessing Tableau from the Internet, should be able to SSO and be authenticated from WebSEAL.

      In order to accomplish this integration, I did not find any formal document which contains the information about Tableau needed to achieve this, so we have started on it and added the WebSEAL IPs to the Tableau trusted configuration, so Tableau started accepting requests from WebSEAL.

      First we created a standard junction on WebSEAL, which doesn't work. Then we created a virtual host junction on WebSEAL to connect with Tableau Server. With both junction types we got the same error behavior: HTTP/1.1 401 Unauthorized. I have listed my related queries below; please suggest.

       

      1. Does Tableau Server support WebSEAL integration?

      2. If Tableau Server supports it, what changes are mandatory in Tableau to achieve this SSO integration with WebSEAL?

      3. What type of junction would be applicable if this kind of integration is running in your landscape? We tried both junction types (standard and virtual host), but the outcome was the error HTTP/1.1 401 Unauthorized.

      4. Please suggest if any formal document is available.

       

       

      Our architecture looks like below.

       

       

      Your suggestions would be really appreciated.

       

      Regards

      Arvind Kumar

        • 1. Re: WebSEAL (TAM 6.1) and Tableau Server SSO integration
          Justin D'Cruze

          Don't think WebSEAL integration is supported out of the box, but may be possible as we have implemented something similar in the past.

          I'd recommend a different approach such as SAML if that is an option, because this set-up was quite complicated to get working right.

           

          Assuming all the network infrastructure including WebSEAL is set-up correctly, you may still need to do the following:

           

          1. Tableau can't use IV_USER directly for automatic signon, so need to write a web app which will extract the IV_USER and pass the username through to Tableau in the required format for trusted authentication - this app needs to sit on a trusted web server

           

          2. Add ALL servers that will communicate with Tableau Server into the trusted_hosts

          See Trusted Authentication for detailed info on point 1 and 2.

           

          3. If you do use trusted tickets and the users need to be able to browse the portal (and not just access embedded views), then the unrestricted_ticket setting needs to be changed as per this link Login Prompt When Embedding Tableau Server | Tableau Software
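
Step 1 of the answer above, as an added example that is not part of the original post and not Tableau's or IBM's own code: a broker that accepts WebSEAL's `iv-user` header only from the WebSEAL peer, requests a trusted ticket, and builds the redirect. The function names, the WebSEAL address and the assumption that `iv-user` holds the short account name are hypothetical.

```python
from urllib.parse import urlencode, quote
from urllib.request import Request, urlopen

TABLEAU = "https://tableau.domain.local"  # host name from the thread's log
WEBSEAL_PEERS = {"192.0.2.10"}            # constructed WebSEAL address (assumption)
AD_DOMAIN = "Domain"                      # placeholder AD domain, as in the thread


def identity_from_webseal(peer_ip, headers):
    """Map WebSEAL's iv-user header to a Tableau username, or return None.

    The header is believed only when the TCP peer is WebSEAL itself; any
    other client could set iv-user to whatever it likes.
    """
    if peer_ip not in WEBSEAL_PEERS:
        return None
    user = {k.lower(): v.strip() for k, v in headers.items()}.get("iv-user", "")
    # WebSEAL sends "Unauthenticated" for requests without a session.
    if not user or user.lower() == "unauthenticated" or set(user) & set("\r\n\\/"):
        return None
    return f"{AD_DOMAIN}\\{user}"


def ticket_request(username, site):
    """Trusted authentication takes form fields in a POST body to /trusted."""
    body = urlencode({"username": username, "target_site": site}).encode()
    return Request(f"{TABLEAU}/trusted", data=body, method="POST")


def parse_ticket(body):
    """Tableau answers with a ticket string, or -1 when it will not issue one."""
    ticket = body.strip()
    if not ticket or ticket == "-1":
        raise PermissionError("no ticket: check trusted hosts, username and site")
    return ticket


def redeem_url(ticket, site, path):
    """Browser redirect target on a named site; a ticket can be redeemed once."""
    return f"{TABLEAU}/trusted/{ticket}/t/{quote(site, safe='')}/{path.lstrip('/')}"


def sign_in(peer_ip, headers, site, path, send=urlopen):
    """Full flow for one junctioned request; `send` is injectable for testing."""
    user = identity_from_webseal(peer_ip, headers)
    if user is None:
        raise PermissionError("no trusted WebSEAL identity on this request")
    with send(ticket_request(user, site)) as resp:
        return redeem_url(parse_ticket(resp.read().decode()), site, path)
```

The host running this broker is the one that has to appear in Tableau's trusted hosts, since it is the one that sends the POST to `/trusted`.
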

          • 2. Re: WebSEAL (TAM 6.1) and Tableau Server SSO integration
            Arvind Kumar

            Hi Justin,

             

            thanks for your response.

             

            1. Tableau can't use IV_USER directly for automatic signon, so need to write a web app which will extract the IV_USER and pass the username through to Tableau in the required format for trusted authentication - this app needs to sit on a trusted web server

             

            [Arvind]- We are sending a request from WebSEAL in the required Tableau format through a standard junction, and we have stopped iv_user.

             

            Username: Domain\ABCD (where Domain is the AD domain and ABCD is just an example user)

            Target Site: Vendor (using Vendor as the site name, for example)

             

            The request is successfully hitting Tableau Server from WebSEAL, and Tableau is throwing the error below in its response. Is there any other way that Tableau can extract the user identity without a web app, and how can Tableau ensure that the request is reaching Tableau, because in the WebSEAL logs we can see the Tableau response? Will there be any log file which can assure us that the WebSEAL HTTP POST request is reaching Tableau?

             

            WebSEAL HTTP Post Request:-

             

            2018-06-08-11:59:06.242+12:00I----- thread(7) trace.pdweb.debug:2 s:\amweb610\src\pdweb\webseald\ras\trace\debug_log.cpp:134: ----------------- PD ===> BackEnd ----------------- (Post request from WebSEAL to Tableau)

             

            Thread_ID:16064

            GET /loc/en.json?a37dj86geudp656ha2zpsnhfr HTTP/1.1

            accept: application/json, text/plain, */*

            accept-language: en-US,en;q=0.8

            connection: close

            host: tableau.domain.local

            referer: https://xyz.com/

            user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.66 Safari/537.36

            via: HTTP/1.1 WebSEALIP:443

            username: domain\ABCD

            iv_server_name: tableau-webseald-ws-a.domain.local

            target_site: Vendor

            Cookie: PD-S-SESSION-ID=2_psRXzQC-8oF1GnqfO6ZKwHlQ+wAsHNHkyZd67DEUxbcgpUqA; IV_JCT=%2F

             

            Error Response from Tableau-

             

            2018-06-08-12:01:47.344+12:00I----- thread(15) trace.pdweb.debug:2 s:\amweb610\src\pdweb\webseald\ras\trace\debug_log.cpp:178: ----------------- PD <=== BackEnd ----------------- (Response from Tableau to WebSEAL)

            Thread_ID:2428

            HTTP/1.1 401 Unauthorized

            connection: close

            content-length: 35

            content-type: application/json;charset=UTF-8

            date: Fri, 08 Jun 2018 00:01:46 GMT

            p3p: CP="NON"

            server: Tableau

            x-content-type-options: nosniff

            x-ua-compatible: IE=Edge

            x-tableau: Tableau Server

            x-xss-protection: 1; mode=block

            cache-control: private, max-age=0, must-revalidate

            pragma:

            Set-Cookie: workgroup_session_id=""; Path=/

            Set-Cookie: XSRF-TOKEN=hnHOsuwC1N4EDHxB3a0JC5Wt4uMLEBdQ; Path=/

             

            We had also changed the context from root to /trusted but got the same error as above.

            ---------------------------------------------------

             

             

            2. Add ALL servers that will communicate with Tableau Server into the trusted_hosts

            See Trusted Authentication for detailed info on point 1 and 2.

             

            [Arvind]- Yes, this configuration has been done from the Tableau perspective.

             

            3. If you do use trusted tickets and the users need to be able to browse the portal (and not just access embedded views), then the unrestricted_ticket setting needs to be changed as per this link Login Prompt When Embedding Tableau Server | Tableau Software

             

            [Arvind]- Yes, unrestricted_ticket has been enabled in Tableau.

             

            We do have a TFIM IdP provider for SAML authentication in the landscape, so what prerequisites are required from the Tableau side to accomplish this SAML authentication? In this scenario, TFIM will play the role of identity provider to generate a SAML token, and Tableau will be the service provider.

             

            Regards

            Arvind Kumar

            • 3. Re: WebSEAL (TAM 6.1) and Tableau Server SSO integration
              Steve Martin

              Arvind,

               

              I wanted to reach out to you to see if you were ever able to get WebSEAL to complete the Tableau SAML process.

               

              I am working with another customer that is also trying to get WebSEAL to work correctly with Tableau.  I would appreciate any information you might be willing to share.

               

              Thanks and regards,

              Steve Martin

              Technical Account Manager

              Tableau