How to implement Tableau Trusted Authentication?

Question

1) Users are prompted to login to Tableau when viewing an embedded dashboard within a web application.

2) If they close their browser, start a different browser session, or let the Tableau cookie expire, they will be prompted to login again.

3) Throughout the day, you could potentially be prompted to login multiple times when trying to view dashboards. This quickly becomes annoying and tiresome.

Tableau offers a solution called "Trusted Authentication" which bypasses the manual login process. After a week of debugging and troubleshooting, I was able to accomplish this. I could not find any solutions on Stackoverflow, so I wanted to share my knowledge on how I accomplished this in hope to help others.

Answer 1

Link to Tableau's How Trusted Authentication Works

High Level View on how I implemented Trusted Authentication

1) Tableau server must have an entry to the wgserver.trusted_hosts file with the hostname of your web application for any of this to work.

2) Three important parameters are passed:

username          212456449
server            http://[server]
target_site       YourTargetSiteName

3) If the HTTP POST request is valid and the user has the correct Tableau license, Tableau creates a 48 unique character ticket that is only valid for 3 minutes.

4) I programmatically add the 48 unique character ticket into the embedded JavaScript right before Tableau redeems it.

How the code works in my web applicatin

I created a TrustedAuth class that contains two methods: requestTicket() and addTicket(). requestTicket() is an Asynchronous method that takes the three required parameters (sso, server, site). The HTTP POST is fired off and awaits a response. If Tableau response is a -1 , HTTP handshake has failed or the user is invalid. If valid, response will be a 48-character encrypted string.

addTicket() is a Synchronous method that takes two parameters (ticket, reportLink). This method takes the 48-character encrypted ticket and appends it to the embedded JavaScript (reportLink).

The web application sends a HTTP GET request to Tableau that includes the embedded JavaScript (reportLink) with the encrypted ticket. Tableau Server redeems the ticket, creates a session, logs the user in, no login prompt dispalyed

TrustedAuth Class

public class TrustedAuth
{
    public async Task<string> requestTicket(int sso, string server, string site)
    {
        try
        {
            //Assign parameters and values
            var values = new List<KeyValuePair<string, string>>();
            values.Add(new KeyValuePair<string, string>("username", sso.ToString()));
            values.Add(new KeyValuePair<string, string>("target_site", site));

            //Web Application is HTTP and Tableau is HTTPS, there are certification issues. I need to fake the certs out and return them as true.
            System.Net.ServicePointManager.ServerCertificateValidationCallback = (senderX, certificate, chain, sslPolicyErrors) => { return true; };

            //Instantiate HttpClient class
            var client = new HttpClient();

            //Encode Content
            var req = new HttpRequestMessage(HttpMethod.Post, server) { Content = new FormUrlEncodedContent(values) };

            //POST request
            var res = await client.SendAsync(req);

            //Get response value
            var responseString = await res.Content.ReadAsStringAsync();

            return responseString;

        }
        catch (Exception e)
        {
            System.IO.File.AppendAllText(@"c:\inetpub\wwwroot\WebApplication\TrustedAuthError.txt", ":::ERROR::: " + System.DateTime.Today.ToString() + ":::" + e.ToString() + Environment.NewLine);
            //Add Log4Net logging
        }

        return "-1";

    }

    public string addTicket(string ticket, string reportLink)
    {
        //Add ticket parameter with ticket value. I'm using </object> as my keyword to find and replace
        string addedTicket = reportLink.Replace("</object>", "<param name='ticket' value='" + ticket + "' /></object>");

        return addedTicket;
    }
}

Dashboard Controller

public async Task<ActionResult> Dashboard(int Report_Num)
    {
     //db will be your database model where your Report_Link is stored
     Report_Completion_Status_NEW report_Completion_Status = db.Report_Completion_Status_NEW.Find(Report_Num);

     if (report_Completion_Status == null)
        {
            return HttpNotFound();
        }

        var ticket = "";
        //Get Trusted Tableau Authentication Ticket
        try
        {
            //For example purposes, I'm hard-coding the Tableau Server Name and Site Name for the example _trustedAuth.requestTicket method. In my actual code, I'm storing these in my web.config. 
            ticket = await _trustedAuth.requestTicket(b.getSSO(User.Identity.Name), "https://ProdTableauUrlGoesHere.com/trusted", "YourTargetSiteNameHere");
        }
        catch
        {
            ticket = "-1";
        }

        //Only add trusted Tableau Authentication ticket if it's valid, else kick user to default Report_Link which will make them login manually. 
        //You get a nasty error message if you pass in a '-1'
        if (!ticket.Equals("-1"))
        {
            ViewBag.Link = _trustedAuth.addTicket(ticket.ToString(), report_Completion_Status.Report_Link);
        }
        else
        {
            ViewBag.Link = report_Completion_Status.Report_Link;
        }

        var model = await this.GetFullAndPartialViewModel(Report_Num);

        return this.View(model);
    }

New Embedded JavaScript (reportLink) with ticket parameter inserted

Dashboard View

@model WebReportingToolDAL.Models.ViewModels.ReportCategoryListModel
@{
    ViewBag.Title = "Dashboard";
    Layout = "~/Views/Shared/_Layout.cshtml";
}

 <body>
    @Html.Raw(ViewBag.Link)
</body>

If all works, you should no longer see the Tableau Login Page.

Answer 2

This is how I did

    [NonAction]
    private static async Task<String> GetTableauStringAsync(string userForTableau)
    {

        string postData = "username="+ userForTableau;
        byte[] data = System.Text.Encoding.ASCII.GetBytes(postData);
        var myTicket = "";

        try
        {

            HttpWebRequest req = (HttpWebRequest)WebRequest.Create("https://myTableauServer.com/trusted");

            req.Method = "POST";
            req.ContentType = "application/x-www-form-urlencoded";
            req.ContentLength = postData.Length;

            Stream outStream = req.GetRequestStream();
            outStream.Write(data, 0, data.Length);
            outStream.Close();

            HttpWebResponse res = (HttpWebResponse)req.GetResponse();
            StreamReader inStream = new StreamReader(res.GetResponseStream());
            string resString = inStream.ReadToEnd();
            inStream.Close();

            myTicket = resString;
        }
        catch (Exception ex)
        {
            string exceptionMessage = ex.Message;
            string innerException = ex.InnerException.Message;

            myTicket = "ERROR";
        }

        return myTicket;
    }

Controller

    [HttpGet]
    public async Task<ActionResult> Index()
    {        
        string resultText = String.Empty;

        var task = GetTableauStringAsync(subjectName);
        var result = await task;
        resultText = result;

        ViewBag.TableauTicket = resultText ?? " _";
        return View();
    }

Java Script

@section Scripts {
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script type="text/javascript">

    $(document).ready(function () {
            var myTicket = $("#lblTableauTicket").text();
            var patientBKVal = $("#lblPatient_BK").text();
            var destination = "https://myTableauServer.com/trusted/" + myTicket + "/views/MyScorecard_15804618842350/MyScorecard?Patient_BK=" + patientBKVal + "&iframeSizedToWindow=true&:embed=y&:showAppBanner=false&:display_count=no&:showVizHome=no&:origin=viz_share_link";
            window.location.href = destination;
    });

</script>

}