Part 5 - Configuring Web Tier

The web tier of the reference architecture should include the following components:

  • A web-facing application load balancer that accepts HTTPS requests from Tableau clients and communicates with the reverse proxy servers.
  • Reverse proxy: 
    • We recommend deploying the Tableau Server Independent Gateway.
    • We recommend a minimum of two proxy servers for redundancy and to handle client load.
    • Receives HTTPS traffic from load balancer.
    • Supports sticky session to Tableau host.
    • Configure proxy for round robin load balancing to each Tableau Server running the Gateway process.
    • Handles authentication requests from external IdP.
  • Forward proxy: Tableau Server requires access to the internet for licensing and map functionality. You must configure forward proxy safelists for Tableau service URLs. See Communicating with the Internet (Linux(Link opens in a new window)).
  • All client-related traffic may be encrypted over HTTPS:
    • Client to application load balancer
    • Application load balancer to reverse proxy servers
    • Proxy server to Tableau Server
    • Authentication handler running on reverse proxy to IdP
    • Tableau Server to IdP

Tableau Server Independent Gateway

Tableau Server version 2022.1 introduced the Tableau Server Independent Gateway. The Independent Gateway is a standalone instance of the Tableau Gateway process that serves as a Tableau-aware reverse proxy.

Independent Gateway supports simple round robin load balancing to the backend Tableau Servers. However, Independent Gateway is not intended to serve as the enterprise application load balancer. We recommend running Independent Gateway behind an enterprise-class application load balancer.

The Independent Gateway requires an Advanced Management license.

Authentication and authorization

The default reference architecture specifies installing Tableau Server with local authentication configured. In this model, clients must connect to Tableau Server to be authenticated by the native Tableau Server local authentication process. We do not recommend using this authentication method in the reference architecture because the scenario requires that unauthenticated clients communicate into the application tier, which is a security risk.

Instead, we recommend configuring an enterprise grade external identity provider coupled with an AuthN module to pre-authenticate all traffic to the application tier. When configured with an external IdP, the native Tableau Server local authentication process is not used. Tableau Server authorizes access to resources in the deployment after the IdP has authenticated the users.

Pre-authentication with an AuthN module

In the example documented in this Guide, SAML SSO is configured, but the pre-authentication process can be configured with most external identity providers and an AuthN module.

In the reference architecture the reverse proxy is configured to create a client authentication session with the IdP before proxying those request to Tableau Server. We refer to this process as the pre-auth phase. The reverse proxy will only redirect authenticated client sessions to Tableau Server. Tableau Server will then create a session, verify authentication of the session with the IdP, and then return the client request.

The following diagram shows the step-by-step detail of the pre-auth and authentication process with an AuthN module configured. The reverse proxy may be a generic 3rd party solution or the Tableau Server Independent Gateway:

The steps shown in the above diagram. Step 1: The Tableau client requests a resource on Tableau Server. Step 2: The reverse proxy creates an authentication request with a URL redirection to the identity provider. Step 3: The identity provider sends a login form to the the user. Step 4: The user is prompted and enters credentials. Step 5: The identity provider verifies credentials submitted by the user. Step 6: The identity provider repsonds to the client with the embedded SAML assertion that posts to the reverse proxy service provider. Step 7: The service provider on the proxy validates the assertion, creates a session, and then redirects to the service provider on Tableau Server. Step 8: The service provider on Tableau Server creates the authentication request to the identity provider. Step 9: The identity provider validates the current session. Step 10: The servive provider on Tableau Server validates and creates its own session and sends the response to the user. Step 11: The user connects to Tableau Server for authorization to the specified resource.

Configuration overview

This is an overview of the process to configure the web tier. Verify connectivity after each step:

  1. Configure two reverse proxies to provide HTTP access to Tableau Server.
  2. Configure load balancing logic with sticky sessions on proxy servers to connect to each Tableau Server instance running the Gateway process.
  3. Configure application load balancing with sticky sessions at the internet gateway to forward requests to the reverse proxy servers.
  4. Configure authentication with an external IdP. You can configure SSO or SAML by installing an authentication handler on the reverse proxy servers. The AuthN module manages the authentication handshake between the external IdP and your Tableau deployment. Tableau will also act as an IdP service provider and authenticate users with the IdP.
  5. To authenticate with Tableau Desktop in this deployment, your clients must be running Tableau Desktop 2021.2.1 or later.

Example web tier configuration with Tableau Server Independent Gateway

The remainder of this topic provides an end-to-end procedure that describes how to implement web tier in the example AWS reference architecture using Tableau Server Independent Gateway. For an example configuration using Apache as reverse proxy, see Appendix - Web Tier with Apache Example Deployment.

The example configuration is composed of the following components:

  • AWS application load balancer
  • Tableau Server Independent Gateway
  • Mellon authentication module
  • Okta IdP
  • SAML authentication

Note: The example web tier configuration presented in this section includes detailed procedures for deploying third party software and services. We've made a best effort to verify and document the procedures to enable the web tier scenario. However, the third-party software may change or your scenario may differ from the reference architecture described here. Please refer to third-party documentation for authoritative configuration details and support.

The Linux examples throughout this section show commands for RHEL-like distributions. Specifically the commands here have been developed with the Amazon Linux 2 distribution. If you are running the Ubuntu distribution, edit the commands accordingly.

Deploying the web tier in this example follows a stepwise configuration and verification procedure. The core web tier configuration consists of the following steps to enable HTTP between Tableau and the internet. Independent Gateway is run and configured for reverse proxy/load balancing behind the AWS application load balancer:

  1. Prepare environment
  2. Install Independent Gateway
  3. Configure Independent Gateway Server
  4. Configure AWS application load balancer

After the web tier is set up and connectivity with Tableau is verified, configure authentication with an external provider.

Prepare Environment

Complete the following tasks before you deploy Independent Gateway.

  1. AWS Security group changes. Configure the Public security group to allow inbound Independent Gateway housekeeping traffic (TCP 21319) from the Private security group.

  2. Install version 22.1.1 (or later) on four node Tableau Server cluster as documented at Part 4 - Installing and Configuring Tableau Server.

  3. Configure the two proxy EC2 instances in the Public security group as documented at Configure host computers.

Install Independent Gateway

Tableau Server Independent Gateway requires an Advanced Management license.

Deploying Tableau Server Independent Gateway consists of installing and running the .rpm package and then configuring initial state. The procedure included with this Guide provides prescriptive guidance for deploying into the reference architecture.

If your deployment differs from the reference architecture, consult the core Tableau Server documentation, Install Tableau Server with Independent Gateway (Linux(Link opens in a new window)).

Important: Configuring Independent Gateway can be an error prone process. It is very difficult to troubleshoot configuration issues across two instances of Independent Gateway servers. For this reason, we recommend configuring one Independent Gateway server at a time. After you configure the first server and verify functionality, you should then configure the second Independent Gateway server.

Although you will configure each Independent Gateway server separately, run this installation procedure on both EC2 instances that you installed into the Public security group: 

  1. Run update to apply latest fixes to the Linux OS:

    sudo yum update

  2. If Apache is installed, remove it:

     sudo yum remove httpd
  3. Copy the version 2022.1.1 (or later) Independent Gateway installation package from Tableau Downloads page(Link opens in a new window) to the host computer that will be running Tableau Server.

    For example, on a computer running Linux RHEL-like operating system, run

    wget https://downloads.tableau.com/esdalt/2022<version>/tableau-server-tsig-<version>.x86_64.rpm

  4. Run the installation program. For example, on a Linux RHEL-like operating system, run:

    sudo yum install <tableau-tsig-version>.x86_64.rpm

  5. Change to the /opt/tableau/tableau_tsig/packages/scripts.<version_code>/ directory and run the initialize-tsig script located there. In addition to the --accepteula flag, you must include the IP range of the subnets where the Tableau Server deployment is running. Use the -c option to specify the IP range. The example below shows the command with the example AWS subnets specified:

    sudo ./initialize-tsig --accepteula -c "ip 10.0.30.0/24 10.0.31.0/24"

  6. After initialization is complete, open the tsighk-auth.conf file and copy the authentication secret in the file. You will need to submit this code for each Independent Gateway instance as part of the back-end Tableau Server configuration:

    sudo less /var/opt/tableau/tableau_tsig/config/tsighk-auth.conf

  7. After you have run the previous steps on the both instances of the Independent Gateway, prepare the tsig.json configuration file. The configuration file consists of an "independentGateways" array. The array holds configuration objects that each define connection details for an Independent Gateway instance.

    Copy the following the JSON and customize it according to your deployment environment. The example here shows a file for a sample AWS reference architecture.

    The example JSON file below only includes connection information for one Independent Gateway. Later in the process, you will include the connection information for the second Independent Gateway server.

    Save the file as tsig.json for the procedures that follow.

    {
    "independentGateways": [
     {
     	"id": "ip-10-0-1-169.ec2.internal",
     	"host": "ip-10-0-1-169.ec2.internal",
     	"port": "21319",
     	"protocol" : "http",
     	"authsecret": "13660-27118-29070-25482-9518-22453"
     	}]
     }

    • "id" - The private DNS name of the AWS EC2 instance running Independent Gateway.
    • "host" - same as "id".
    • "port" - The housekeeping port, by default, "21319".
    • "protocol" - The protocol for client traffic. Leave this as http for the initial configuration.
    • "authsecret" - The secret that you copied in the previous step.

Independent Gateway: direct vs relay connection

Before proceeding you must decide which connection scheme to configure in your deployment: direct or relay connection. Each option is briefly described here, along with relevant decision data points.

Relay connection: You can configure Independent Gateway to relay client communication over a single port to the gateway process on Tableau Server. We refer to this as a relay connection:

  • The relay process results in an extra hop from Independent Gateway to the backend Tableau Server Gateway process. The extra hop degrades performance as compared to the direct connection configuration.
  • TLS is supported for relay mode. All communication in relay mode is restricted to a single protocol (HTTP or HTTPS) and can therefore be encrypted and authenticated with TLS.

Direct connection: The Independent Gateway can communicate directly with the back-end Tableau Server processes over multiple ports. We refer to this communication as direct connection:

  • Because connection is direct to backend Tableau Server, client performance is markedly improved as compared to relay connection option.
  • Requires opening 16+ ports from Public to Private subnets for direct process communication from Independent Gateway to Tableau Server computers.
  • TLS is not yet supported on the processes from Independent Gateway to Tableau Server.

To run TLS between Tableau Server and Independent Gateway you must configure with a relay connection. The example scenarios in the EDG are configured with relay connection.

  1. Copy tsig.json to Node 1 of your Tableau Server deployment.

  2. On Node 1 run the following commands to enable Independent Gateway.

    tsm stop
    tsm configuration set -k gateway.tsig.proxy_tls_optional -v none
    tsm pending-changes apply
    tsm topology external-services gateway enable -c tsig.json
    tsm start

Since direct connection does not support TLS, we recommend configuring direct connection only if you are able to secure all network traffic by other means. To run TLS between Tableau Server and Independent Gateway you must configure with a relay connection. The example scenarios in the EDG are configured with relay connection.

If you are configuring Independent Gateway for direct connection to Tableau Server, you must enable the configuration to trigger communication. After Tableau Server communicates to the Independent Gateway, the protocol targets will be established. You must then retrieve the proxy_targets.csv from the Independent Gateway computer and open the corresponding ports from the Public to the Private security groups in AWS.

  1. Copy tsig.json to Node 1 of your Tableau Server deployment.

  2. On Node 1 run the following commands to enable Independent Gateway.

    tsm stop
    tsm topology external-services gateway enable -c tsig.json
    tsm start
  3. On Independent Gateway computer run the following command to view the ports that the Tableau Server cluster is using:

    less /var/opt/tableau/tableau_tsig/config/httpd/proxy_targets.csv
  4. Configure AWS security groups. Add the TCP ports listed in proxy_targets.csv to allow communication from the Public security group to the Private security group.

    We recommend automating port ingress configuration since the ports may change if the Tableau Server deployment changes. Adding nodes or reconfiguring processes on the Tableau Server deployment will trigger changes to the port access required by Independent Gateway.

Verification: Base topology configuration

You should be able to access the Tableau Server admin page by browsing to http://<gateway-public-IP-address>.

If the Tableau Server sign-in page does not load, or if Tableau Server doesn't start then follow these troubleshooting steps:

Network: 

  • Verify connectivity between Tableau deployment and Independent Gateway instance by running the following wget command from Tableau Server Node1: wget http://<internal IP address of Independent Gateway>:21319, for example:

     wget http://ip-10-0-1-38:21319

    If connection is refused or fails, then verify that the Public security group is configured to allow Independent Gateway housekeeping traffic (TCP 21319) from the Private security group.

    If security group is configured correctly, then verify you specified the correct IP addresses or IP ranges during the initialization of Independent Gateway. You can view and change this configuration in the environment.bash file located at /etc/opt/tableau/tableau_tsig/environment.bash. If you make a change to this file then restart the tsig-http service as described below.

On the Proxy 1 host:

  1. Overwrite the httpd.conf file with the Independent Gateway stub file:

    cp /var/opt/tableau/tableau_tsig/config/httpd.conf.stub /var/opt/tableau/tableau_tsig/config/httpd.conf
  2. Restart tsig-httpd as a first troubleshooting step:
    sudo su - tableau-tsig
    systemctl --user restart tsig-httpd
    exit

On Tableau Node 1

  • Double-check the tsig.json file. If you find errors, fix them, and then run tsm topology external-services gateway update -c tsig.json.
  • If running direct connection, verify the TCP ports listed in proxy_targets.csv are configured as ingress ports from Public to Private security groups.

Configure AWS application load balancer

Configure the load balancer as an HTTP listener. The procedure here describes how to add a load balancer in AWS.

Step 1: Create target group

A target group is an AWS configuration that defines the EC2 instances running your proxy servers. These are the targets for traffic from the LBS.

  1. EC2>Target groups > Create target group

  2. On Create page:

    • Enter a target group name, for example TG-internal-HTTP
    • Target type: Instances
    • Protocol: HTTP
    • Port: 80
    • VPC: Select your VPC
    • Under Health checks > Advanced health checks settings > Success codes, append the code list to read: 200,303.
    • Click Create
  3. Select the target group that you just created, and then click the Targets tab: 

    • Click Edit.
    • Select the EC2 instances (or single instance if you are configuring one at a time) that are running proxy application, and then click Add to registered.
    • Click Save.

Step 2: Launch load balancer wizard

  1. EC2> Load Balancers > Create Load Balancer

  2. On "Select load balancer type" page, create an Application Load Balancer.

Note: The UI that is displayed to configure load balancer is not consistent across AWS datacenters. The procedure below, "Wizard configuration," maps to the AWS configuration wizard that begins with Step 1 Configure Load Balancer

If your datacenter displays all configurations in a single page that includes a Create load balancer button at the bottom of the page, then follow the "Single page configuration" procedure below.

  1. Configure load balancer page:

    • Specify name
    • Scheme: internet-facing (default)
    • IP address type: ipv4 (default)
    • Listeners (Listeners and routing):
      1. Leave the default HTTP listener
      2. Click Add listener and add HTTPS:443
    • VPC: select the VPC where you've installed everything
    • Availability Zones:
      • Select the a and b for your datacenter regions
      • In each corresponding drop-down selector, select the Public subnet (where your proxy servers reside).
    • Click: Configure Security Settings
  2. Configure Security Settings page

    • Upload your public SSL certificate.
    • Click Next: Configure Security Groups.
  3. Configure Security Groups page:

    • Select the Public security group. If the Default security group is selected, then clear that selection.
    • Click Next: Configure Routing.
  4. Configure Routing page

    • Target group: Existing target group.
    • Name: Select target group that you created earlier
    • Click Next: Register Targets.
  5. Register Targets page

    • The two proxy server instances that you configured previously should be displayed.
    • Click Next: Review.
  6. Review page

    Click Create.

Basic configuration

  • Specify name
  • Scheme: internet-facing (default)
  • IP address type: ipv4 (default)

Network mapping

  • VPC: select the VPC where you've installed everything
  • Mappings:
    • Select the a and b (or comparable) Availability Zones for your datacenter regions
    • In each corresponding drop-down selector, select the Public subnet (where your proxy servers reside).

Security groups

  • Select the Public security group. If the Default security group is selected, then clear that selection.
  • Listeners and routing

    • Leave the default HTTP listener. For Default action, specify the Target Group that you previously set up.
    • Click Add listener and add HTTPS:443. For Default action, specify the Target Group that you previously set up.

    Secure listener settings

    • Upload your public SSL certificate.

    Click Create load balancer.

    Step 3: Enable stickiness

    1. After the load balancer is created, you must enable stickiness on the Target Group.

      • Open AWS Target Group page (EC2> Load Balancing> Target groups), select the target group instance that you just set up. On the Action menu, select Edit attributes.
      • On the Edit attributes page, select Stickiness, specify a duration of 1 day, and then Save changes.
    2. On load balancer, enable stickiness on the HTTP listener. Select the load balancer you just configured, and then click the Listeners tab:

      • For HTTP:80, click View/edit rules. On the resulting Rules page, click the edit icon (once at the top of the page, and then again by the rule) to edit the rule. Delete the existing THEN rule and replace it by clicking Add action > Forward to.... In the resulting THEN configuration, specify the same target group you have created. Under Group-level stickiness, enable stickiness and set duration to 1 day. Save the setting and then click Update.

    Step 4: Set idle timeout on load balancer

    On load balancer, update idle timeout to 400 seconds.

    Select the load balancer you have configured for this deployment, and then click Actions > Edit attributes. Set Idle timeout to 400 seconds, and then click Save.

    Step 5: Verify LBS connectivity

    Open AWS Load Balancer page (EC2> Load Balancers), select the load balancer instance that you just set up.

    Under Description, copy the DNS name and paste it into a browser to access the Tableau Server sign in page.

    If you get a 500-level error, then you may need to restart your proxy servers.

    Update DNS with public Tableau URL

    Use your domain DNS zone name from the AWS Load Balancer description to create a CNAME value in your DNS. Traffic to your URL (tableau.example.com) should be sent to the AWS public DNS name.

    Verify connectivity

    After your DNS updates are finished, you should be able to navigate to the Tableau Server sign-in page by entering your public URL, for example, https://tableau.example.com.

    Example authentication configuration: SAML with external IdP

    The following example describes how to setup and configure SAML with Okta IdP and Mellon authentication module for a Tableau deployment running in the AWS reference architecture.

    This example picks up from the previous section and assumes that you are configuring one Independent Gateway at a time.

    The example describes how to configure Tableau Server and Independent Gateway over HTTP. Okta will send request to the AWS load balancer over HTTPS, but all internal traffic will travel over HTTP. As you configure for this scenario, be aware of the HTTP vs HTTPS protocols when setting URL strings.

    This example uses Mellon as a pre-authentication service provider module on the Independent Gateway servers. This configuration ensures that only authenticated traffic connects to Tableau Server, which also acts as a service provider with the Okta IdP. Therefore, you must configure two IdP applications: one for the Mellon service provider and one for the Tableau service provider.

    Create Tableau administrator account

    A common mistake when configuring SAML is to forget to create an administrator account on Tableau Server before enabling SSO.

    The first step is to create an account on Tableau Server with a Server Administrator role. For the example Okta scenario, the username must be in a valid email address format, for example, user@example.com. You must set a password for this user, but the password will not be used after SAML is configured.

    Configure Okta pre-auth application

    The end-to-end scenario described in this section requires two Okta applications:

    • Okta pre-auth application
    • Okta Tableau Server application

    Each of these applications are associated with different metadata that you will need to configure on the reverse proxy and Tableau Server, respectively.

    This procedure describes how to create and configure the Okta pre-auth application. Later in this topic you will create the Okta Tableau Server application. For a free test Okta account with limited users, see the Okta Developer web page(Link opens in a new window).

    Create a SAML app integration for the Mellon pre-authentication service provider.

    1. Open the Okta administration dashboard > Applications Create App Integration.

    2. On Create a new app integration page, select SAML 2.0 and then click Next.

    3. On the General Settings tab, enter an App name, for example Tableau Pre-Auth, and then click Next.

    4. On the Configure SAML tab:

      • Single sign on (SSO) URL. The final element of the path in the single sign on URL is referred to as the MellonEndpointPath in the mellon.conf configuration file that follows later in this procedure. You can specify whatever endpoint you would like. In this example, sso is the endpoint. The last element, postResponse, is required: https://tableau.example.com/sso/postResponse.
      • Clear the checkbox: Use this for Recipient URL and Destination URL.
      • Recipient URL: Same as SSO URL, but with HTTP. For example, http://tableau.example.com/sso/postResponse.
      • Destination URL: same as SSO URL, but with HTTP. For example, http://tableau.example.com/sso/postResponse.
      • Audience URI (SP Entity ID). For example, https://tableau.example.com.
      • Name ID format: EmailAddress
      • Application username: Email
      • Attributes Statements: Name = mail; Name format = Unspecified; Value = user.email.

      Click Next.

    5. On the Feedback tab, select:

      • I'm an Okta customer adding an internal app
      • This is an internal app that we have created
      • Click Finish.
    6. Create the pre-auth IdP metadata file:

      • In Okta: Applications > Applications > Your new application (e.g., Tableau Pre-Auth) > Sign On
      • Adjacent to SAML Signing Certificates, click View SAML setup instructions.
      • On the How to Configure SAML 2.0 for <pre-auth> Application, page, scroll down to Optional section, Provide the following IDP metadata to your SP provider.
      • Copy the contents of the XML field and save them in a file called pre-auth_idp_metadata.xml.
    7. (Optional) Configure multifactor authentication:

      • In Okta: Applications > Applications > Your new application (e.g., Tableau Pre-Auth) > Sign On
      • Under Sign On Policy, click Add Rule.
      • On the App Sign On Rule, specify a name and the different MFA options. To test functionality, you can leave all options as default. However, under Actions, you must select, Prompt for factor, and then specify how often users must sign in. Click Save.

    Create and assign Okta user

    1. In Okta, create a user with the same username that you created in Tableau (user@example.com): Directory > People > Add person.
    2. After the user is created, assign the new Okta app to that person: Click the user name then assign the application in Assign Application.

    Install Mellon for pre-auth

    This example uses mod_auth_mellon, a popular open source module. Some Linux distributions package obsolete mod_auth_mellon versions from an older repository. Those obsolete versions may contain unknown security vulnerabilities or functional problems. If you choose to use mod_auth_mellon, check that you are using a current version.

    The mod_auth_mellon module is third-party software. We've made a best effort to verify and document the procedures to enable this scenario. However, third-party software may change or your scenario may differ from the reference architecture described here. Please refer to third-party documentation for authoritative configuration details and support.

    1. On the active EC2 instance that is running Independent Gateway, install a current version of the Mellon authentication module.

    2. Create the /etc/mellon directory:

      sudo mkdir /etc/mellon

    Configure Mellon as pre-auth module

    Run this procedure on the first instacee of Independent Gateway.

    You must have a copy of pre-auth_idp_metadata.xml file that you created from the Okta configuration.

    1. Change directory:

      cd /etc/mellon

    2. Create the service provider metadata. Run the mellon_create_metadata.sh script. You must include the entity ID and the return URL for your organization in the command.

      The return URL is referred to as the single sign on URL in Okta. The final element of the path in the return URL is referred to as the MellonEndpointPath in the mellon.conf configuration file that follows later in this procedure. In this example, we specify sso as the endpoint path.

      For example:

      sudo /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh https://tableau.example.com "https://tableau.example.com/sso"

      The script returns the service provider certificate, key, and metadata files.

    3. Rename the service provider files in the mellon directory for easier readability. We will refer to these files by the following names in the documentation:

      sudo mv *.key mellon.key
      sudo mv *.cert mellon.cert
      sudo mv *.xml sp_metadata.xml

    4. Copy the pre-auth_idp_metadata.xml file to the same directory.

    5. Change ownership and permissions on all files in /etc/mellon directory:

      sudo chown tableau-tsig mellon.key
      sudo chown tableau-tsig mellon.cert
      sudo chown tableau-tsig sp_metadata.xml
      sudo chown tableau-tsig pre-auth_idp_metadata.xml 
      sudo chmod +r * mellon.key
      sudo chmod +r * mellon.cert
      sudo chmod +r * sp_metadata.xml
      sudo chmod +r * pre-auth_idp_metadata.xml 

    6. Create the /etc/mellon/conf.d directory:

      sudo mkdir /etc/mellon/conf.d
    7. Create the global.conf file in the /etc/mellon/conf.d directory.

      Copy the file contents as shown below, but update MellonCookieDomain with your root domain name. For example, if domain name for Tableau is tableau.example.com, enter example.com for the root domain.

      <Location "/">
      AuthType Mellon
      MellonEnable auth
      Require valid-user
      MellonCookieDomain <root domain>
      MellonSPPrivateKeyFile /etc/mellon/mellon.key
      MellonSPCertFile /etc/mellon/mellon.cert
      MellonSPMetadataFile /etc/mellon/sp_metadata.xml
      MellonIdPMetadataFile /etc/mellon/pre-auth_idp_metadata.xml
      MellonEndpointPath /sso
      </Location>
      
      <Location "/tsighk">
      MellonEnable Off
      </Location>
    8. Create the mellonmod.conf file in the /etc/mellon/conf.d directory.

      This file holds a single directive that specifies the location of the mod_auth_mellon.so file. The location in the example here is the default location of the file. Verify that the file is in this location, or change the path in this directive to match the actual location of mod_auth_mellon.so:

      LoadModule auth_mellon_module /usr/lib64/httpd/modules/mod_auth_mellon.so

    Create Tableau Server application in Okta

    1. In Okta dashboard: Applications > Applications > Browse App Catalog
    2. In Browse App Integration Catalog, search Tableau, select the Tableau Server tile, and then click Add.
    3. On Add Tableau Server > General Settings, enter a Label, and then click Next.
    4. In Sign-On Options, select SAML 2.0, and then scroll down to Advanced Sign-on Settings:
      • SAML Entity ID: enter the public URL, for example, https://tableau.example.com.
      • Application user name format: Email
    5. Click the Identity Provider metadata link, to launch a browser. Copy the browser link. This is the link you will use when you configure Tableau in the procedure that follows.
    6. Click Done.
    7. Assign the new Tableau Server Okta app to your user (user@example.com): Click the user name then assign the application in Assign Application.

    Set authentication module configuration on Tableau Server

    Run the following commands on Tableau Server Node 1. These commands specify the file locations for the Mellon configuration files on the remote Independent Gateway computer. Double-check that the file paths specified in these commands map to the paths and file location on the remote Independent Gateway computer.

    tsm configuration set -k gateway.tsig.authn_module_block -v "/etc/mellon/conf.d/mellonmod.conf" --force-keys
    tsm configuration set -k gateway.tsig.authn_global_block -v "/etc/mellon/conf.d/global.conf" --force-keys

    To reduce downtime, do not apply changes until you have enabled SAML as described in the next section.

    Enable SAML on Tableau Server for IdP

    Run this procedure on Tableau Server Node 1.

    1. Download the Tableau Server application metadata from Okta. Use the link that you saved from the previous procedure:

      wget https://dev-66144217.okta.com/app/exk1egxgt1fhjkSeS5d7/sso/saml/metadata -O idp_metadata.xml

    2. Copy a TLS certificate and related key file to the Tableau Server. The key file must be an RSA key. For more information about SAML certificate and IdP requirements, see SAML Requirements (Linux(Link opens in a new window)).

      To simplify certificate management and deployment, and as a security best practice, we recommend using certificates generated by a major trusted-third party certificate authority (CA). Alternatively, you may generate self-signed certificates or use certificates from a PKI for TLS.

      If you do not have a TLS certificate, you can generate a self-signed certificate using the embedded procedure below.

      Generate a self-signed certificate

      Run this procedure onTableau Server Node 1.

      1. Generate signing root certificate authority (CA) key:

        openssl genrsa -out rootCAKey-saml.pem 2048

      2. Create the root CA certificate:

        openssl req -x509 -sha256 -new -nodes -key rootCAKey-saml.pem -days 3650 -out rootCACert-saml.pem

        You will be prompted to enter values for the certificate fields. For example:

        Country Name (2 letter code) [XX]:US
        State or Province Name (full name) []:Washington
        Locality Name (eg, city) [Default City]:Seattle
        Organization Name (eg, company) [Default Company Ltd]:Tableau
        Organizational Unit Name (eg, section) []:Operations
        Common Name (eg, your name or your server's hostname) []:tableau.example.com
        Email Address []:example@tableau.com
      3. Create the certificate and related key (server-saml.csrand server-saml.key in the example below). The subject name for the certificate must match the public host name of the Tableau host. The subject name is set with the -subj option with the format "/CN=<host-name>", for example:

        openssl req -new -nodes -text -out server-saml.csr -keyout server-saml.key -subj "/CN=tableau.example.com"

      4. Sign the new certificate with the CA certificate that you created above. The following command also outputs the certificate in the crt format:

        openssl x509 -req -in server-saml.csr -days 3650 -CA rootCACert-saml.pem -CAkey rootCAKey-saml.pem -CAcreateserial -out server-saml.crt

      5. Convert the key file to RSA. Tableau requires an RSA key file for SAML. To convert the key, run the following command:

        openssl rsa -in server-saml.key -out server-saml-rsa.key

    3. Configure SAML. Run the following command, specifying your entity ID and return URL, and the paths to the metadata file, certificate file, and key file:

      tsm authentication saml configure --idp-entity-id "https://tableau.example.com" --idp-return-url "https://tableau.example.com" --idp-metadata idp_metadata.xml --cert-file "server-saml.crt" --key-file "server-saml-rsa.key"

      tsm authentication saml enable

    4. If your organization is running Tableau Desktop 2021.4 or later, then you must run the following command to enable authentication through the reverse proxy servers.

      Versions of Tableau Desktop 2021.2.1 - 2021.3 will work without running this command, provided that your pre-authentication module (e.g., Mellon) is configured to allow top-level domain cookie preservation.

      tsm configuration set -k features.ExternalBrowserOAuth -v false

    5. Apply configuration changes:

      tsm pending-changes apply

    Restart tsig-httpd service

    As your Tableau Server deployment applies changes, sign back into the Tableau Server Independent Gateway computer and run the following commands to restart the tsig-httpd service:

    sudo su - tableau-tsig
    systemctl --user restart tsig-httpd
    exit

    Validate SAML functionality

    To validate end-to-end SAML functionality, sign-in to Tableau Server with the public URL (e.g., https://tableau.example.com) with the Tableau admin account that you created at the beginning of this procedure.

    If TSM doesn't start ("gateway error") or if you get browser errors when you attempt to connect, see Troubleshooting Tableau Server Independent Gateway.

    Configure authentication module on second instance of Independent Gateway

    After you have successfully configured the first instance of Independent Gateway, deploy the second instance. The example here is the final process for installing the AWS/Mellon/Okta scenario described in this topic. The procedure assumes that you have already installed Independent Gateway on the second instance as described in this topic previously (Install Independent Gateway).

    The process for deploying the second Independent Gateway requires the following steps:

    1. On the second instance of Independent Gateway: Install the Mellon auth module.

      Do not configure the Mellon auth module as described earlier in this topic. Instead, you must clone the configuration as described in the subsequent steps.

    2. On the configured (first) instance of Independent Gateway:

      Take a tar copy of the existing Mellon configuration. The tar backup will preserve all directory hierarchy and permissions. Run the following commands:

      cd /etc
      sudo tar -cvf mellon.tar mellon

      Copy mellon.tar to the second instance of Independent Gateway.

    3. On the second instance of Independent Gateway:

      Extract ("unzip") the tar file to the second instance in the /etc directory. Run the following commands:

      cd /etc
      sudo tar -xvf mellon.tar

    4. On Node 1 of the Tableau Server deployment: Update the connection file (tsig.json) with the connection information from the second Independent Gateway. You will need to retrieve the authentication key as described in this topic previously (Install Independent Gateway).

      An example connection file (tsig.json) is shown here:

      {
      "independentGateways": [
       {
         "id": "ip-10-0-1-169.ec2.internal",
         "host": "ip-10-0-1-169.ec2.internal",
         "port": "21319",
         "protocol" : "http",
         "authsecret": "13660-27118-29070-25482-9518-22453"
       },
       {
         "id": "ip-10-0-2-230.ec2.internal",
         "host": "ip-10-0-2-230.ec2.internal",
         "port": "21319",
         "protocol" : "http",
         "authsecret": "9055-27834-16487-27455-30409-7292"
       }]
       }
    5. On Node 1 of the Tableau Server deployment: Run the following commands to update the configuration:

      tsm stop
      tsm topology external-services gateway update -c tsig.json
      
      tsm start
    6. On both instances of Independent Gateway: As Tableau Server is starting, restart the tsig-httpd process:

      sudo su - tableau-tsig
      systemctl --user restart tsig-httpd
      exit
    7. In AWS EC2>Target groups: Update target group to include the EC2 instance running the second Independent Gateway instance.

      Select the target group that you just created, and then click the Targets tab: 

      • Click Edit.
      • Select the EC2 instance of the second Independent Gateway computer, and then click Add to registered.Click Save.
    Thanks for your feedback!Your feedback has been successfully submitted. Thank you!