Open LDAP Integration with Tableau Server
Providing users access to data and tools that enable them to easily find answers to their questions is, or should be, the primary mission of BI teams. Some of these interfaces are more exploratory than explanatory, meaning you’re giving the user a tool they can use to find what they’re looking for rather than prescribing it to them in advance. Tableau Server is great at doing this, especially in version 8 with its new Web-authoring capability. The missing link I see today is Tableau Server’s lack of security protocol integration options.
First some context…
Tableau Server natively supports integrating with Active Directory for user authentication and some automated user management features (e.g. group syncing); however, it offers little in terms of integrating with other implementations of LDAP (Lightweight Directory Access Protocol). So if you’re like me, and your company does use LDAP but does not use Microsoft’s version of it, this post is for you.
Below is my recipe for integrating Tableau Server with Open LDAP. This is a PHP-based application that uses Tableau Server’s trusted tickets to give your users a single-sign-on-like experience. And I’m guessing you’re like me and already have far too many different logins to keep track of and don’t want to continue adding to that mess.
Next, what it does…
This app was designed to solve two things:
- Prevent users from needing to create yet another account for an app.
- Eliminate the need for a Tableau Admin to add users to the server.
What you’ll need:
- Linux Server running PHP 5.3+ (pear and pecl_http extensions installed), Apache, Java 1.7+
- LDAP Server hostname
- LDAP Bind User account and password
- Tableau Server Admin user account and password
What you might also want:
- An LDAP group to check membership of before allowing users to create accounts.
How to set it up:
- Create a new virtual host in your Apache instance for your app to live in, including a new directory. Mine is called ‘tableau-portal’.
- Place the contents in the ‘src’ folder of this repo into that virtual host directory: https://github.com/mozilla-metrics/tableau-portal.git
- Copy/Save-as “config-local.php-dist” as “config-local.php”
- Edit the entries in config-local.php with your own values (LDAP Host, Tableau Admin Account, etc.)
- Set your Tableau Server up for Trusted Tickets by adding the IP of your portal to the trusted server list. From the Tableau Server command prompt, type: tabadmin set wgserver.trusted_hosts "127.0.0.1, <your server IP address>"
- Enable users to have “unrestricted access” using their ticket. This is needed so they are not locked in to a single view. Run the following command from your Tableau Server command prompt: tabadmin set wgserver.unrestricted_ticket true
- Restart your Tableau Server: tabadmin restart
- Open Firefox and browse to your web app. (You should be prompted to authenticate with your Open LDAP server.)
The use case…
At this point if you’ve authenticated with your LDAP server you are probably seeing a page that asks you if you’d like to create an account. That is, if you have the ADD_TABLEAU_USERS config item set to TRUE. It is probably a good time to understand the workflow logic of what this app does. Here it is:
Here are the use cases I recommend you test for before releasing this to your enterprise. This is by no means an exhaustive list of tests.
- Users whose LDAP and Tableau Server usernames match can log in automatically via this portal application.
- Users who do not already have a Tableau Server account can create one with a single click (if enabled).
- Users who are not in the approved LDAP group cannot create accounts (if enabled).
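The three cases above and the trusted-ticket request behind the automatic login, written out as an added example (this is not code from the tableau-portal repo). Every name except ADD_TABLEAU_USERS is hypothetical, the host is a placeholder, and the code assumes PHP 7.1 or later and that the username comes from the LDAP-authenticated session.

```php
<?php
// Added example, not tableau-portal code. Every name except
// ADD_TABLEAU_USERS is hypothetical.
const ADD_TABLEAU_USERS = true;                      // config item named in the post
const TABLEAU_URL = 'https://tableau.example.com';   // placeholder host

// Decide what to do for a user who has already passed LDAP authentication.
// $inApprovedGroup is null when no LDAP group restriction is configured.
function portalAction(bool $hasTableauAccount, ?bool $inApprovedGroup): string
{
    if ($hasTableauAccount) {
        return 'login';            // usernames match: request a ticket
    }
    if (!ADD_TABLEAU_USERS || $inApprovedGroup === false) {
        return 'deny';             // self-service creation not permitted
    }
    return 'offer_create';         // show the one-click create page
}

// Tableau answers a refused ticket request with the literal body "-1".
function parseTicket($body): ?string
{
    $ticket = is_string($body) ? trim($body) : '';
    return ($ticket === '' || $ticket === '-1') ? null : $ticket;
}

// POST the LDAP-verified username (never one taken from request input) to
// the trusted endpoint. Only a host in wgserver.trusted_hosts gets a ticket.
function requestTicket(string $username): ?string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query(['username' => $username]),
        'timeout' => 5,
    ]]);
    return parseTicket(@file_get_contents(TABLEAU_URL . '/trusted', false, $ctx));
}

// Constructed cases mirroring the three tests listed above.
assert(portalAction(true, null) === 'login');
assert(portalAction(false, true) === 'offer_create');
assert(portalAction(false, false) === 'deny');
assert(parseTicket("-1\n") === null);
assert(parseTicket(false) === null);               // request failed outright
assert(parseTicket('constructed-ticket') === 'constructed-ticket');
```

A non-null ticket is redeemed by redirecting the browser to TABLEAU_URL/trusted/<ticket>/ followed by the view path; a null result should end in an error page rather than a retry under a different username.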
I am thrilled to share this code with you and encourage you to explore it and contribute in classic open-source fashion. I do not offer any insurance or protection that this app is bulletproof nor will it solve all of your problems. It is simply an application I made for my purposes and in the spirit of Mozilla and the open-source community I wanted to share it with you all in hopes you may find it useful and contribute to the project as well.
This would not have been possible without the following contributors, thanks a ton!
Chris Kaukis @ InterWorks – Hacking the login page to Tableau Server
Bob Wohl @ Exact Pixel – jQuery functions in the portal