Streamline Authentication with Tableau’s Connected Apps
With Tableau’s recent release of Connected Apps, securely embedding visualizations in your customer portal or third-party applications just became much simpler — and there are few features more important to our applications than security. This is likely the first of many features we’ll see supporting leaders and developers who are creating applications that expand Tableau’s capabilities.
In this post I’ll introduce the technology Tableau is leveraging in Connected Apps in order to streamline authentication. Shedding light on the technology behind Connected Apps will help your teams properly deploy this solution, improve data security and develop more productively.
What problem do Connected Apps solve?
Whenever you open a web page that requires you to sign in before allowing you to access the content, you are going through an authentication process. For Tableau, before Connected Apps was released, a user’s identity needed to be passed along to Tableau via an external authentication technology such as Kerberos, SSPI, SAML, or OpenID. Tableau created trust with these technologies through what they called Trusted Tickets. If you hadn’t set up Trusted Tickets, the component of your application embedding Tableau will prompt the user to Sign In to Tableau.
This is a poor user experience.
Authentication is simply what happens when our identity is verified.
How do Connected Apps authenticate?
To make this heady content about application security more accessible, let’s use a speakeasy as an analogy.
Like the users visiting our application, patrons of a speakeasy have content they intend to consume. However, this content is protected.
For the sake of this example, let’s place the entrance to the speakeasy in the back of a club.
Like for any secured application, at a speakeasy, you can’t even enter the club before you prove your identity and that you’re of age to drink. Presenting your ID at the club is very similar to what takes place when visitors of our application provide their username and password to sign in.
With Tableau’s Connected Apps this initial authentication step is carried out however you see fit for your application. You can think of it as the first line of defense. Anyone who makes it past the bouncer or login screen will have a chance to enter the speakeasy or access the Tableau Viz respectively.
Now, we need to make one modification to this scenario — those who successfully enter the club get a secret that when presented to the bouncer of the speakeasy authenticates their access to additional resources.
So, once past the bouncer, we make our way to the entrance of the speakeasy. Once there we need to provide our secret. At a speakeasy, you will need to enter a certain code on a payphone, perform the special handshake, present a red rose, or whatever other flavor of secret the speakeasy requests for the night.
See, speakeasies don’t have the luxury of holding onto a long list of everyone who should be granted special access. The best they can do is share a secret with you and verify your secret prior to permitting you to enter.
How do JWTs streamline authentication?
While requiring your authentication mechanism — or bouncer in this scenario — to keep a list of who is allowed to enter versus requiring those attempting to enter to know a secret might seem insignificant — the truth, it’s far from it.
Let’s look at two scenarios to better understand the significance.
In the first scenario, the list of who’s allowed to enter is ten million names long. In order to securely authenticate, you need to both store this large list somewhere and perform the look-up for everyone trying to get through the door. This is going to require storage resources, time, and computing power.
The second scenario is one where you have created multiple speakeasy bouncers — or authentication servers. In this scenario, you need to duplicate the long list and make sure all of the lists are in sync. This is even more complex than the first.
By simply sharing the secret with everyone who enters the club the speakeasy doesn’t need to keep any lists. All the speakeasy bouncer needs to do is remember the valid secret and verify that those trying to get in do in fact possess the right secret. Therefore, it is this secret that is used to create trust between the patron and the speakeasy bouncer.
This agreement is essentially how the signature of a JSON Web Token (JWT) verifies that you are who you say you are in Connected Apps.
What is a JWT?
See, when we build our Connected App we’ll create a JWT. And the JWT includes a signature or a special key. By signing the JWT with this secret, Tableau will be able to verify that you are a permitted user. This is possible because the key is obtained from Tableau and only from Tableau. Therefore, if you are able to present the secret, Tableau can authenticate your access.
In the most basic terms, JWTs follow an open, industry-standard allowing us to pass encoded data between our web applications and servers.
JWTs are generally made up of three parts:
The header contains metadata about the JWT, such as the algorithm used to encode the JWT and the token type.
The payload contains the key information being transmitted. This is where we add data identifying the Connected App, our Tableau User Name, and some additional information.
The signature is the key ingredient used to build that trust. Our application will sign the JWT with our Connected App secret value and Tableau will attempt to verify our JWT with the same Connected App secret. If the JWT can be successfully verified, Tableau will render our Viz component.
By leveraging JWTs in Connected Apps we are able to:
- Simplify authentication without sacrificing security
- More easily scale our applications
Coming up next
In our next post on the topic of Connected Apps, we will walk you through the process of creating your own tokens.
Since there is a bit of setup involved, we decided to make a post focused solely on this process. Now that you understand how the technology works, we will implement it with code.
So, stay tuned to learn how to create your first Connected App.
Robert Crocker is a data visualization engineer at Starschema. He helps data leaders and their teams get the most from Tableau by developing well-designed dashboards, extensions, and embedded solutions. After focusing on business intelligence and data visualization for most of his career, he has recently expanded into software engineering. Connect with Robert on LinkedIn.
REACH OUT TO STARSCHEMA HERE:
READ MORE STORIES FROM STARSCHEMA:
New Dashboard Collaboration and Security Features Added to Elements for Tableau
Elements now supports customizable user tagging and notifications, field-level access control for annotations and Okta…
Three Signs Your BI Dashboard Development Process Needs Help — and What to Do about It
Learn how common BI dashboard development issues result from mistakes made during planning and find out how what you…