2 Replies Latest reply on Sep 14, 2018 1:43 PM by Bridget Moody

    Tableau Mobile App with Conditional Access issue using SAML authentication

    venkat iyer

      Hi All,


      We have encountered an issue while accessing the Tableau Server via Tableau Mobile when Microsoft Azure AD (SAML identity provider) conditional access is enabled. Your valuable inputs are highly appreciated.


      What is conditional access

      Conditional access is a mandatory security requirement for us: only enrolled devices can access applications from outside the firm's network. This way the mandatory regulatory requirement of MFA (Multi-Factor Authentication) can be met, and communication between Tableau Server and the client through the reverse proxy is secured as per our group data governance guidelines.


      I've outlined the workflow of the user login process below for each scenario when conditional access is and is not enabled:


      Conditional Access disabled

      When accessing Tableau Server via Tableau Mobile without conditional access, the following high level steps take place:

      1. Tableau Mobile client tries to access Tableau Server via the reverse proxy URL.
      2. Tableau Server redirects the user to the SAML IdP (Azure AD).
      3. Tableau Mobile client understands the redirect and displays the login/password screen from the SAML IdP. Snippet of Tableau Mobile log file:



      Conditional Access enabled

      When accessing Tableau Server via Tableau Mobile with conditional access, the following high level steps take place:

      1. Tableau Mobile client tries to access Tableau Server via the reverse proxy URL.
      2. Conditional Access rules require the user to be authorized to access Tableau Server (reverse proxy) and redirect the user to the OAuth2 sign-in page.
      3. Tableau Mobile client does not understand the redirect and displays an error.

      Snippet of Tableau Mobile log file:

      SendRequest: received response.StatusCode: OK for request.RequestUri: https://login.microsoftonline.com/3b1f6e50-bc99-4b75-a40f-f5023063433c/oauth2/authorize? ...

      OnError: Cannot connect to this server. Contact your administrator to make sure it is online.


      Observation

      When conditional access is disabled, Azure AD authenticates the user on behalf of Tableau Server, and Tableau Server then authorizes what that user is allowed to see (e.g., dashboards, data sources, etc.). Instead, when conditional access is enabled, access to Tableau Server's reverse proxy itself is not allowed until the user is authorized, and the Tableau Mobile app doesn't seem to support this requirement.
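The two log snippets above differ only in which Azure AD endpoint the mobile client was sent to. The following triage helper, an added example that is not part of the original post or of Tableau or Microsoft tooling, parses constructed log lines in the same shape as the quoted snippet and labels each `RequestUri` as a SAML sign-in (the disabled case) or an OAuth2 `authorize` interception (the enabled case), then flags the trailing `OnError` as a conditional-access block. The `/saml2` line is an assumed shape for the working scenario, and the `classify_redirect` and `triage` names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines modelled on the Tableau Mobile snippet quoted in the post.
# The oauth2/authorize URI mirrors the post; the saml2 line is an assumed shape.
SAMPLE_LOG = """\
SendRequest: received response.StatusCode: OK for request.RequestUri: https://login.microsoftonline.com/3b1f6e50-bc99-4b75-a40f-f5023063433c/saml2?SAMLRequest=abc
SendRequest: received response.StatusCode: OK for request.RequestUri: https://login.microsoftonline.com/3b1f6e50-bc99-4b75-a40f-f5023063433c/oauth2/authorize?client_id=x&response_type=code
OnError: Cannot connect to this server. Contact your administrator to make sure it is online.
"""

URI_RE = re.compile(r"request\.RequestUri:\s*(\S+)")


def classify_redirect(uri: str) -> str:
    """Label where a Tableau Mobile request ended up, based on the Azure AD endpoint path."""
    parsed = urlparse(uri)
    path = parsed.path.lower()
    if parsed.hostname != "login.microsoftonline.com":
        return "other"
    if path.endswith("/saml2"):
        # SAML sign-in page: the mobile client renders the login/password screen
        return "saml-idp-login"
    if path.endswith("/oauth2/authorize"):
        # Conditional Access sent the client to an OAuth2 authorize page it does not follow
        return "oauth2-authorize"
    return "other"


def triage(log_text: str) -> list:
    """Return (label, detail) per RequestUri line; an OnError right after an
    OAuth2 authorize redirect is reported as a conditional-access block."""
    findings = []
    for line in log_text.splitlines():
        m = URI_RE.search(line)
        if m:
            findings.append((classify_redirect(m.group(1)), m.group(1)))
        elif line.startswith("OnError:") and findings and findings[-1][0] == "oauth2-authorize":
            findings.append(("conditional-access-block", line))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(f"{label:26} {detail}")
```

Run against a real Tableau Mobile log, a `conditional-access-block` finding pinpoints the request where the policy intercepted the reverse-proxy URL before the SAML flow started.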