Tutorial: Configuring Okta as OAuth2 SSO Authorization Server for Tableau Embedded Content

  1. User visits your “web portal front end” that contains some Tableau content (e.g. a dashboard that we will refer to here as “viz”). “Web portal front end” sends a GET request to “web portal back end”.
  2. “Web portal back end” responds with a page that redirects the user’s web browser to the External Authorization Server (EAS), which runs in Okta.
  3. User authenticates and authorizes with the EAS.
  4. EAS responds with an authorization code and redirects back to “web portal back end”.
  5. “Web portal back end” calls the IdP (Okta) to convert the authorization code to an access token (JWT). “Web portal back end” puts the JWT into the Tableau viz URL.
  6. The browser attempts to load the Tableau viz iframe, sending a GET request to Tableau Server. Tableau Server validates the JWT in the URL with the signature/shared secret.
  7. After successfully validating the JWT, Tableau responds with the viz.

Demo of the finished solution:

Let’s create our own Okta EAS and Demo App:

a) Create an EAS in Okta that can generate JWT access tokens in the format expected by Tableau Server

Let’s first create an Okta EAS (External Authorization Server), with the appropriate JWT scopes required by Tableau Server:

b) Configure your Tableau Server with details from your Okta EAS

b.1) As a pre-requisite for EAS Auth to work properly, Tableau Server must be configured to run with SSL enabled. You may even use a self-signed certificate for testing purposes.

tsm configuration set -k vizportal.oauth.external_authorization.enabled -v true
tsm configuration set -k vizportal.oauth.external_authorization_server.issuer -v "<issuer_uri_of_EAS>"
tsm restart
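The issuer URI set above has to match the `iss` claim of the Okta-issued token exactly, so a claim pre-flight check in the “web portal back end” is a quick way to catch misconfiguration before the JWT goes into the viz URL. The following is an added example, not code from the original tutorial or its sample app; the function names are hypothetical, and the expected `aud` and `scp` values are assumptions taken from Tableau’s EAS documentation rather than from this page. It inspects claims only and does not verify the signature, which Tableau Server does in step 6.

```javascript
// Added example: claim pre-flight for the EAS access token (no signature check).
// ASSUMPTION: required claim values come from Tableau's EAS documentation.
const REQUIRED_AUD = 'tableau';
const EMBED_SCOPES = ['tableau:views:embed', 'tableau:metrics:embed'];

function decodeJwtPart(part) {
  // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
  const obj = JSON.parse(Buffer.from(part, 'base64').toString('utf8'));
  if (!obj || typeof obj !== 'object') throw new Error('not a JSON object');
  return obj;
}

// Returns a list of problems; an empty list means the claims look usable.
function checkTableauJwt(token, expectedIssuer, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['not a three-part JWS'];
  let header, claims;
  try {
    header = decodeJwtPart(parts[0]);
    claims = decodeJwtPart(parts[1]);
  } catch (e) {
    return ['header or payload is not base64url-encoded JSON'];
  }
  const problems = [];
  if (!header.alg || String(header.alg).toLowerCase() === 'none') problems.push('alg missing or "none"');
  // Must equal the value of vizportal.oauth.external_authorization_server.issuer
  if (claims.iss !== expectedIssuer) problems.push(`iss mismatch: ${claims.iss}`);
  const aud = [].concat(claims.aud || []);
  if (!aud.includes(REQUIRED_AUD)) problems.push('aud does not include "tableau"');
  if (!claims.sub) problems.push('sub (Tableau username) missing');
  if (!claims.jti) problems.push('jti missing');
  const scp = Array.isArray(claims.scp) ? claims.scp : String(claims.scp || '').split(' ');
  if (!scp.some((s) => EMBED_SCOPES.includes(s))) problems.push('no Tableau embed scope in scp');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) problems.push('exp missing or in the past');
  return problems;
}

// Constructed sample token with a placeholder signature, for demonstration only.
function makeSampleToken(claims, header = { alg: 'RS256', kid: 'sample-kid' }) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(claims)}.c2lnbmF0dXJl`;
}
```

Logging the returned problem list next to the vizportal log entries makes it easier to tell an Okta claim or scope misconfiguration apart from a Tableau-side issuer mismatch.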

c) Register your “Web portal back end” as a new Web Application in Okta

Let’s create a new integration for our “Web portal back end” in Okta (i.e. my modified version of the sample Okta quickstart app):

  1. In the Dashboard, click on “SSO APPS” → “Create App Integration”
  2. Choose “Sign-in method”: OIDC and “Application type”: Web Application
  3. Give this new app a name and select “Grant Type”: Authorization Code
  4. “Sign-in redirect URIs”: http://localhost:8080/authorization-code/callback (this is where to redirect the browser back, after a successful user authentication against Okta).
  5. “Sign-out redirect URIs”: http://localhost:8080
  6. “Assignments”: Allow everyone in your organization to access (just for testing, you can also allow just some users here)
  7. Take note of the Client ID and Client Secret (you’ll use them later when configuring the web app you have cloned from GitHub).

d) If you wish to test it with my sample app, clone my git repo and configure it to your parameters

d.1) To run this application, as a pre-requisite you need to have Node.js and git installed on your machine. Then go ahead and clone the repo:

git clone https://github.com/alexeski/tableau_embed_okta_eas.git
cd tableau_embed_okta_eas
npm install
npm run okta-hosted-login-server

Troubleshooting Tips:

All EAS-related error messages can be found in the vizportal logs, in files named vizportal-nodeN-N.log under these directories:
