The Portals for Tableau New Features series is designed to keep users up to date with all the latest features being added to InterWorks' embedded analytics solution, Portals for Tableau.
Please note that Portals for Tableau are now officially known as Curator by InterWorks. You can learn more at the official Curator website.
A Dream Within a Dream
Do you ever wake up from a dream only to realize you’re still dreaming? Even though Portals for Tableau is your dream solution, you don’t have to slap yourself awake to take advantage of its new feature: token authentication.
Just like Portals for Tableau can embed your Tableau visualizations, your enterprise portal can embed Portals for Tableau in an Inception-style layering. While this has always been possible when using SAML as the single sign-on (SSO) platform, some enterprise portals don’t support SAML. Token authentication allows the same SSO behavior with any other arbitrary authentication solution your enterprise portal has.
How Token Authentication Works
Token authentication takes care of SSO by allowing your enterprise portal to authenticate users through Portals for Tableau’s REST API, similar to how Portals for Tableau can authenticate users on Tableau Server by using Trusted Ticket Authentication. Your enterprise portal makes a request to the API to authenticate a specific user and receives a short-lived, one-time-use token. Then, your enterprise portal adds that token to the Portals for Tableau link.
When the user views the link, Portals for Tableau automatically logs them in, just like it would have done if they provided their username and password. There’s even an option to automatically provision the user within Portals for Tableau and Tableau Server if they don’t already exist.
How to Implement with Portals for Tableau
Here are the technical details on how to implement SSO using token authentication between your enterprise portal and Portals for Tableau.
- Enterprise portal makes a GET request to https://portalsfortableau.yourcompany.com/api/v1/userMgmt/createAuthToken with the following query string variables:
- apikey [required]: A valid API key from (Portals for Tableau’s Backend > Settings > API Keys).
- username [required]: The username of the account to log in.
- jit_provision [optional]: A flag to indicate whether to create the user if they don’t already exist in a just-in-time (JIT) fashion.
- password [optional]: The password to set for the user when JIT provisioning. The default is a random password.
- email [optional]: The email address to set for the user when JIT provisioning. No default value is specified for this field.
- name [optional]: The full name to set for the user when JIT provisioning. The default is to set this to the username.
- site_role [optional]: The Tableau Server site role to set for the user when JIT provisioning. The default is Viewer.
- Portals for Tableau will respond to the API call with the token information in the following JSON format:
{ "result": "success", "data": { "frontend_user_id": 123, "token": "VVVVVVVVV-WWWW-XXXX-YYYY-ZZZZZZZZZZZZZ", "expires_at": { "date": "2019-12-31 11:59:00", "timezone_type": 3, "timezone": "UTC" } } } - Enterprise portal adds the token value to the Portals for Tableau link like so:
https://portalsfortableau.yourcompany.com/?auth_token=VVVVVVVVV-WWWW-XXXX-YYYY-ZZZZZZZZZZZZZ - When the user’s browser requests that link, Portals for Tableau will log them in as long as the token hasn’t already expired.
- Subsequent links within Portals for Tableau do not need authentication tokens as long as their session is valid.
