Authentication for Embedding Tableau (Trusted Tickets)

Use case: A software company wants to embed analytics in their app. Their customers log into their application directly.

Ideally, these customers are then also automatically signed in to see Tableau content. Authentication refers to the process of logging in to any application. In our case, we want the user to believe they are logging in to a single application, whereas in reality we'll be serving them content from our web application and Tableau Server.

There are generally two methods which can be used in this scenario:

Single Sign-On

This setup relies on using the same Identity Provider (IdP) or Single Sign-On solution for both the application and Tableau. Because authentication is delegated to this IdP by both the app and Tableau, logging in once suffices, as either application relies on the IdP.

Single Sign On with Tableau
Trusted Authentication

Alternatively, Tableau Server can delegate the authentication process to the application when it is embedded. This method is called Trusted Authentication because we tell Tableau to trust the web application and the fact that it will be doing the work related to authentication.

Trusted Authentication with Tableau

The method demonstrated on this page is the one of Trusted Authentication. The configuration on Tableau Server needed for Trusted Authentication has already been taken care of.

1. Sign in to the Application

Before even working on implementing Trusted Authentication, we'll need our user to be logged in to our web application itself. Tableau Administrators might usually not be involved in this step, but in the context of the demonstration here, we're letting you log in after you have created your user in the previous step.

Complete and submit the form on the right. This will log you in to our web application (but not yet to Tableau).

Login Form

Sign in with the account you've created in the previous step, or use the demo credentials below:

  • Username: demo
  • Password: demo
Hello, . You are already authenticated! You can either log out and start over, or just continue with the steps below.

2. Obtain the Trusted Ticket for the user

It is the responsibility of the web application to now authenticate the user with Tableau Server, by identifying it and requesting a Trusted Ticket. The process consists of a simple POST request specifying some context, which Tableau Server will respond to with a ticket if the request is valid, the user licensed, etc.

If the request is valid, Tableau Server will respond with a ticket in a format similar to 9D1ObyqDQmSIOyQpKdy4Sw==:dg62gCsSE0QRArXNTOp6mlJ5. Each part is a 128 bit string that is base64-encoded before it is returned to the client. The first part is a universally unique ID (UUID v4), the second part is a 24-character secure random string. If any of the requirements are not met or the request is invalid, the value of the response will be -1, an invalid trusted ticket.

All of this process assumes that Tableau Server has initially been configured for Trusted Authentication.

Request Trusted Ticket


  "username": "",
  "target_site":  "BiztoryEmbeddingGallery"
Trusted Ticket Response

If you're logged in, you can now click "Send to Tableau Server!" to launch the request for a Trusted Ticket.


3. Redeem the Trusted Ticket

The final step that consists of redeeming (i.e. using) the Trusted Ticket to display the view, can be further broken down in 3 sub-steps.

a. Web server passes URL to browser

The first thing that happens after the above, is that our web application server will pass the Trusted Ticket to the browser. We've been sneaky and did this already.

b. Browser requests view from Tableau Server

Using the Trusted Ticket it received, the browser will request the specified view with Tableau Server. As soon as you press the button above ("Redeem Trusted Ticket"), the final two steps (b and c) will be fired. The URL that will then be shown here was generated client-side with the Trusted Ticket obtained just before.

Redeem the Trusted Ticket with the button above.
c. Tableau Server redeems the ticket

Finally, Tableau Server redeems the ticket, creates a session, logs the user in, removes the ticket from the URL, and then sends the final URL for the embedded view to the client. The session allows the user to access any of the views that the user would have if they logged onto the server. Open your browser's Dev Tools on the Network tab if you want to see that interaction when you push the button.

In our case, the viz that is displayed on the left was "retrieved" with a Trusted Ticket. It lists the session on our Tableau Server, with the ones in light blue reflecting the ones that were created with Trusted Tickets.

Conclusions and Options for Authentication?

Probably not as relevant as it is for other topics.