Tableau Server OpenID SSO integration with Azure AD B2C for seamless iframe authentication

  • Configure Azure AD B2C as an Identity Provider (IdP) for Tableau using the OIDC auth protocol. (Note: if you wish to use SAML instead, have a look at this excellent post by Andrija.)
  • Enable seamless iframe SSO embedding (NB: Azure has been known to block any sort of in-frame authentication flow, but now, with just a couple of lines of code, you can define a custom CSP policy in B2C that allows it for your trusted domains. This feature was still in public preview at the time of writing.)
  • Learn the tools of the trade for troubleshooting integration issues between Tableau and OIDC IdPs

Demo of the finished solution

A super simple SPA application that authenticates the user against Azure AD B2C using OpenID Connect. Once the user is authenticated in the portal, Tableau authentication happens transparently within the iframe (SSO):

Pre-requisites:

  1. Tableau Server installed and running on HTTPS. You can even use a self-signed SSL certificate (check my other post if you need help creating it). Take note of <your-tableau-server-hostname> (e.g. https://tableau.mycompany.com)
  2. Admin access to both Tableau Server GUI and its VM/container
  3. Tableau Log Viewer installed (for troubleshooting config issues)
  4. Create an Azure AD B2C tenant that is linked to your Azure subscription and take note of the tenant-name

Azure AD B2C config

1. Create a consumer user in B2C for testing the auth flows. I’m using email as a claim to match the Azure user with Tableau’s username, but you may use something else.

<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
<UserJourneyBehaviors><JourneyFraming Enabled="true" Sources="https://<your-tenant-name>.b2clogin.com https://<your-tableau-server-hostname>" /></UserJourneyBehaviors>
  a. TrustFrameworkBase.xml
  b. TrustFrameworkLocalization.xml
  c. TrustFrameworkExtensions.xml
  d. SignUpOrSignin.xml
  e. ProfileEdit.xml
  f. PasswordReset.xml

Tableau Server OpenID config:

18. If you haven’t yet done so, create the same test user in Tableau as in Azure B2C (i.e. in our case the Tableau username must be the B2C user’s email address, since that is the claim we map):

tsm authentication openid configure --client-id <B2c-Tableau-App-ClientID> --client-secret <B2c-Tableau-App-Secret> --config-url <B2c-OpenID-UrL> --return-url <Tableau-Return-UrL>

<B2c-Tableau-App-ClientID> = see step 2
<B2c-Tableau-App-Secret> = see step 3
<B2c-OpenID-UrL> = https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<b2c-signin-policyname>/v2.0/.well-known/openid-configuration
<b2c-signin-policyname> = B2C_1A_SIGNUP_SIGNIN
<Tableau-Return-UrL> = Tableau Server hostname, e.g. https://tableau-example.com

tsm configuration set -k wgserver.openid.iframed_idp.enabled -v true
tsm configuration set -k vizportal.openid.client_authentication -v client_secret_post
tsm authentication openid configure --custom-scope-name "openid <B2c-Tableau-App-ClientID>"
tsm authentication openid enable
tsm pending-changes apply
SPA app and Tableau embedded with iframe SSO auth, both leveraging the same OpenID IdP (Azure AD B2C)
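Before applying the tsm configuration above, it is worth confirming that the discovery document behind <B2c-OpenID-UrL> actually advertises what Tableau is being told to use (authorization code flow, client_secret_post, the openid scope and the email claim used as the Tableau username). The Python check below is an added example, not code from the original post; the "contoso" tenant and its discovery document are constructed, and the live-fetch helper is optional.

```python
import json
import urllib.request

def b2c_config_url(tenant: str, policy: str) -> str:
    """Build the <B2c-OpenID-UrL> the post passes to --config-url."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/v2.0/.well-known/openid-configuration")

def fetch_discovery(url: str) -> dict:
    """Download a live discovery document; the offline demo below uses a constructed sample instead."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def check_discovery(doc: dict, tenant: str, return_url: str) -> list:
    """Return a list of problems; an empty list means the IdP advertises what Tableau needs."""
    problems = []
    if not doc.get("issuer", "").startswith(f"https://{tenant}.b2clogin.com/"):
        problems.append("issuer is not served from the expected b2clogin.com tenant")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith("https://"):
            problems.append(f"{key} is missing or not HTTPS")
    # Tableau is configured with vizportal.openid.client_authentication = client_secret_post.
    if "client_secret_post" not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append("token endpoint does not advertise client_secret_post")
    # Tableau's OpenID connector uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    # The custom policy maps signInNames.emailAddress to 'email', which Tableau matches to the username.
    if "email" not in doc.get("claims_supported", []):
        problems.append("email claim not advertised; username matching will fail")
    if not return_url.startswith("https://"):
        problems.append("Tableau return URL must be HTTPS")
    return problems

# Constructed sample shaped like a B2C discovery document for a fictitious 'contoso' tenant.
SAMPLE_DISCOVERY = {
    "issuer": "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/",
    "authorization_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize",
    "token_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/token",
    "jwks_uri": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1a_signup_signin/discovery/v2.0/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
    "response_types_supported": ["code", "code id_token", "id_token"],
    "scopes_supported": ["openid"],
    "claims_supported": ["sub", "email", "name", "iss", "iat", "exp", "aud"],
}

# Against a live tenant: doc = fetch_discovery(b2c_config_url("contoso", "B2C_1A_SIGNUP_SIGNIN"))
print(check_discovery(SAMPLE_DISCOVERY, "contoso", "https://tableau-example.com") or "IdP config looks compatible")
```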

Troubleshooting

25. If you need to do some troubleshooting, enable enhanced logging with these two commands (the latter of these flags was not documented at the time of writing this blog):

tsm configuration set -k vizportal.log.level -v debug
tsm configuration set -k vizportal.openid.full_server_request_logging_enabled -v true

Then, in Tableau Log Viewer:
  • Open the following file: C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizportal\vizportal_node1-0.log
  • Set to Live
  • Set Highlight Only Mode on the string: openid
