Configure Connected Apps with Direct Trust

Beginning in early January 2022, Tableau-connected apps enable a seamless and secure authentication experience by facilitating an explicit trust relationship between your Tableau Cloud site and external applications.

Note: In order for the session token to be valid, the clocks of the external application and the server that hosts the external application must be set to Coordinated Universal Time (UTC). If either clock uses a different standard, the connected app will not be trusted.

How Tableau-connected apps work with direct trust

The trust relationship between your Tableau Cloud site and external application is established and verified through an authentication token in the JSON Web Token (JWT) standard, which uses a shared secret provided by the Tableau-connected app and signed by your external application.

Key components of a connected app

The following components of the connected work together with the JWT in your external application to authenticate users and display embedded content.

  • Secrets: Secrets are keys shared by Tableau and your external application. They are used in signatures that form the JWT. A secret is required when using connected apps for embedding authentication or REST API authorisation. Secrets can be created in a connected app, do not expire and remain valid until deleted.
  • Domain allowlist (embedding workflows only): You can specify a list of allowed domains in each connected app. Tableau content embedded through a connected app is only allowed under the specified domains. This helps ensure that content is exposed under the domains that are secured and approved by your business.
  • Access level (embedding workflows only): You can specify what content can be embedded through a connected app by associating a connected app with one project or all projects. If you specify one project, only the content in the selected project can be embedded through the connected app. If you want to specify multiple projects, you must use the Tableau REST API.

Connected app workflow

Embedding workflows

The diagram below illustrates how authentication works between your external application (web server and webpage) and Tableau-connected app.

  1. User visits the web page: When a user visits the embedded content on a web page, the web page sends a GET request to your external application to retrieve the HTML on that web page.
  2. External application constructs an authentication token: The external application constructs a JWT, which contains a secret from the connected app (see Step 3 below for additional JWT requirements) and the scope of user access for the embedded content. The secret is signed by the external application and is used for verification of the trust relationship in a later step.
  3. External application responds with authentication token: The external application responds to the page with the JWT in the embedded content’s URL called by the web page.
  4. Webpage requests content from Tableau: With the attempt to load the embedded content, the webpage calls the embedded content’s URL, which sends a GET request to Tableau.
  5. Tableau validates the token: Tableau receives the JWT and verifies the trust relationship with the external application by identifying the connected app and shared secret used in the JWT. Then Tableau creates a session for the user. The session not only respects the embedding scopes defined in the JWT, but also the restrictions specified in the connected app, including the allowed domains and allowed projects.
  6. Tableau returns the content based on the restricted embedding context: The embedded content only loads when the page is under an allowed domain and the content is published to an allowed project (if applicable). The authenticated user can only interact with the embedded content by the scope defined in the JWT.

Create a connected app

Step 1: Create a connected app

Create a connected app from Tableau Cloud’s Settings page.

  1. As a site admin, sign in to Tableau Cloud.

  2. From the left pane, select Settings > Connected Apps.

  3. Click the New Connected App button drop-down arrow and select Direct Trust.

  4. In the Create Connected App dialog box, do one of following:
    • For REST API authorisation workflows (including Metadata API workflows that use the REST API for authentication), in the Connected app name text box, enter a name for the connected app and click the Create button.

      Note: You can ignore Access level and Domain allowlist when configuring a connected app for REST API and Metadata API authorisation.

    • For embedding workflows, do the following:

      1. In the Connected app name text box, enter a name for the connected app.
      2. From the Applies to drop-down menu, select All project or Only one project to control which views or metrics can be embedded. If you select the "Only one project" option, select the specific project to scope to. For more information about these two options, see Access level (embedding workflows only).

        Notes: 

      3. In the Domain allowlist, specify the domains using the rules described in Domain formatting below to control where views or metrics can be embedded.

        Important: We recommend using the domain allowlist as a security best practice to ensure Tableau content is only embedded in locations that you allow.

      4. When finished, click the Create button.

  5. Next to the connected app's name, click on the actions menu and select Enable. For security purposes, a connected app is set to disabled by default when created.

  6. Make note of the connected app’s ID, also known as the client ID, to use in Step 3 below.

Step 2: Generate a secret

You can generate a total of two secrets for each connected app. The second secret can be used for secret rotation purposes to help protect against issues if a secret is compromised.

  1. On the detail page of the connected app you created in Step 1, click the Generate New Secret button.

  2. Make note of the secret ID and secret value to use in Step 3 below.

Step 3: Configure the JWT

After you’ve generated a secret, you want to enable your external application to send a valid JWT. JWT is a standard used to securely transfer information between two parties. The JWT is signed by your external application to securely send information to Tableau Cloud. The JWT references the connected app, the user that the session is being generated for and the level of access the user should have.

A valid JWT includes the following information:

  • Connected app ID, also known as the client ID, from Step 1
  • Secret ID and secret value generated in Step 2

  • Registered claims and header:

    ClaimNameDescription or required value
    "kid"Secret IDRequired (in header). The connected app's secret key identifier.
    "iss"IssuerRequired (in header). Unique issuer URI that identifies the trusted connect app and its signing key.
    "alg"AlgorithmRequired (in header). JWT signing algorithm. Only HS256 is supported.
    "sub"SubjectUsername (email address) of the authenticated Tableau Cloud user.
    "aud"AudienceValue must be: 'tableau'.
    "exp"Expiry TimeA valid JWT must not have expired. The expiry time (in UTC) of the JWT must be within the maximum validity period, which is 10 minutes.
    "jti"JWT IDRequired as a claim. The JWT ID claim provides a unique identifier for the JWT and is case sensitive.
    "scp"

    Important: Do not use "scope".

    ScopeFor embedding workflows, supported values include:

    "tableau:views:embed"
    tableau:views:embed_authoring
    "tableau:metrics:embed" (Retired in October 2023 (Tableau 2023.3))
    tableau:ask_data:embed” (Retired in February 2024 (Tableau 2024.1))

    Notes:

    • Values must be passed as a list type.
    • For tableau:views:embed and tableau:views:embed_authoring, the scope respects users’ permissions already configured in Tableau Cloud and allows users to interact with the tools in the embedded view if available in the original view.
    • We recommend that the embed code excludes the toolbar parameter. For more information see Known issues (embedding workflows only) below.

    For REST API authorisation workflows, see REST API methods that support JWT authorisation.

    For Metadata API workflows that use the REST API for authentication, the only supported scope is tableau:content:read.

    https://tableau.com/odaOn-demand access – claim (enable capability)For embedding workflows only.

    Value must be "true" and one or more Tableau Cloud groups must be specified (see next row). For more information, see the On-demand access (embedding workflows only) section below.

    https://tableau.com/groupsOn-demand access – claim (specify group name)For embedding workflows only.

    Value must match the name of one or more groups in Tableau Cloud. For more information, see the On-demand access (embedding workflows only) section below.

      For embedding workflows only.

    Value must match the name of one or more groups in Tableau Cloud. For more information, see the Dynamic group membership (embedding workflows only) section below.

    (User attribute)(User attribute values)For embedding workflows only.

    You can include user attributes in the JWT. Then when user attribute functions are used in embedded content, Tableau checks the authenticated user’s context and determines what data can display at runtime.

    Notes:

Example JWTs

Here are example JWTs in both Java and Python languages. The Java and Python examples use the nimbus-jose-jwt library and the PyJWT library, respectively.

Java

import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.*;

import java.util.*;

...

String secret = "secretvalue";
	String kid = "connectedAppSecretId";
	String clientId = "connectedAppClientId";
	List<String> scopes = new
ArrayList<>(Arrays.asList("tableau:views:embed"));
	String username = "user@domain.com";
	JWSSigner signer = new MACSigner(secret);
	JWSHeader header = new
JWSHeader.Builder(JWSAlgorithm.HS256).keyID(kid).customParam("iss", clientId).build();
	JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
		.issuer(clientId)
		.expirationTime(new Date(new Date().getTime() + 60 * 1000)) //expires in 1 minute
		.jwtID(UUID.randomUUID().toString())
		.audience("tableau")
		.subject("username")
		.claim("scp", scopes)
		.claim("https://tableau.com/oda", "true")
		.claim("https://tableau.com/groups", "Contractors", "Team C", "Group1", "Group2")
		.claim("Region", "East")
		.build();
	SignedJWT signedJWT = new SignedJWT(header, claimsSet);
	signedJWT.sign(signer);
	model.addAttribute("token", signedJWT.serialize());

Python

import jwt

token = jwt.encode(
	{
		"iss": connectedAppClientId,
		"exp": datetime.datetime.utcnow() + datetime.timedelta(minutes=5),
		"jti": str(uuid.uuid4()),
		"aud": "tableau",
		"sub": user,
		"scp": ["tableau:views:embed", "tableau:metrics:embed"],
		"https://tableau.com/oda":"true",
		"https://tableau.com/groups": ["Contractors", "Team C", "Group1", "Group2"],
		"Region": "East"
	},
		connectedAppSecretKey,
		algorithm = "HS256",
		headers = {
		'kid': connectedAppSecretId,
		'iss': connectedAppClientId
        }
  )

After you’ve configured the JWT, when the code is run by your external application, it will generate a token.

Step 4: Next steps

For embedding workflows

After the JWT has been configured, you must add embed code to your external application. Ensure that you include the valid JWT you configured in Step 3 above in the web component that your external application calls.

For more information about embedding Tableau content, see one or both of the following:

Note: For users to successfully authenticate when they access embedded content, browsers must be configured to allow third-party cookies.

For REST API authorisation workflows

After the JWT has been configured, you must add the valid JWT to the REST API Sign In request for authorised access. For more information, see Access Scopes for Connected Apps.

For Metadata API workflows

After the JWT has been configured, you must add the valid JWT to the REST API Sign In request. For more information, see Access Scopes for Connected Apps.

Manage a connected app

The Connected Apps page is where you can manage all the connected apps for your site. You can perform tasks such creating, deleting and disabling connected apps, and revoking or generating new secrets if existing secrets have been compromised.

  1. As a site admin, sign in to Tableau Cloud.

  2. From the left pane, select Settings > Connected Apps.

  3. Tick the box next to the connected app you want to manage and do one or more of the following:

    • Generate a new secret according to the rotation timeline specified by your organisation’s security policies. To generate an additional secret, click on the name of the connected app and then click the Generate New Secret button. A connected app can have a maximum of two secrets. Both secrets can be active at the same time, do not expire and remain valid until deleted.

    • Review the connected app details by clicking the name of the connected app to see when the connected app was created, its ID, project and domain scopes, and its secrets.

    • Change the project scope or domain by selecting Edit in the Actions menu. Make your changes and click Update.

      Note: If you change the project or domain scopes and the embedded content doesn’t exist in either the new project or new domain, the embedded view or metric is unable to display and users will see an error when accessing the embedded content.

    • Delete a secret by clicking the connected app's name. On the connected app’s page, click Actions next to the secret and select Delete. In the confirmation dialog box, select Delete again.

      Note: If the connected app’s secret is being used by an external application, the embedded view or metric is unable to display after the secret is deleted. For more information, see Effects of disabling or deleting a connected app, or deleting a secret below.

    • Disable a connected app by selecting Disable in the Actions menu. If the connected app is being used by an external application, the embedded view or metric is unable to display after the connected app is disabled. For more information, see Effects of disabling or deleting a connected app, or deleting a secret below.

Effects of disabling or deleting a connected app, or deleting a secret

To display embedded content to your user or enable REST API access through a connected app, the connected app must be enabled and its secret generated. If the connect app is being used in your external application and is either disabled or deleted, or its secret deleted or replaced, users will get a 403 error.

To avoid this issue, ensure the connected app is enabled and the JWT is using the correct secret ID and value.

Access level (embedding workflows only)

You can select one of two project types when configuring a connected app's access level. The access level controls which content can be embedded.

  • All projects: This option enables the content in all projects to be embedded
  • Only one project: This option enables only the content in the specified project to be embedded. If the specified project contains nested projects, embedding content in those nested projects is not enabled.

About multiple projects

Starting in February 2024 (Tableau 2024.1), you can enable the content in multiple projects for a connected app using the Tableau REST API only. To specify which projects, use the "project IDs" in either the Create a Connected App(Link opens in a new window) or Update a Connected App(Link opens in a new window) methods.

Note: When multiple projects are configured for your connected app, Tableau displays Multiple projects for the connected app's access level. If you select either Only one project or All projects and update the connected app, the "Multiple projects" option will no longer be visible. If you need to configure the connected app for multiple projects again, you must use the REST API.

Domain allowlist rules (embedding workflows only)

The connected app’s domain allowlist enables you to restrict access to embedded Tableau content to all domains or some domains, or to exclude some domains or block all domains.

Important: We recommend using the domain allowlist as a security best practice to ensure Tableau content is only embedded in locations that you allow.

Domain options

You can select one of two options when configuring a connected app’s domain allowlist:

  • All domains: As the default option, this option enables unrestricted access to embedded content.
  • Only specific domains: This option gives you the ability to scope down access to embedded content. If you use this option, follow the formatting rules specified in the following section, Domain formatting.

Domain formatting

In the domain allowlist text box, you can enter one or more domains using the formatting examples below.

Note: Domain formatting rules also apply when using the Connect App methods(Link opens in a new window) in the Tableau REST API.

Here are some formatting examples based on common scenarios:

To specify...ExampleEmbedding access
Range of domains*.myco.comEmbedded content is accessible from all subdomains under myco.com.
All portsmyco.com:*Embedded content is access from all ports in myco.com.
Specific portmyco.com:8080Embedded content is accessible from port 8080 in myco.com only.
Multiple discrete domainsmyco.com
events.myco.com
ops.myco.com

Embedded content is accessible from all three domains.

Note: When specifying multiple domains, type each domain on a new line or separate domains with a space. For the REST API, domains must be separated by a space.

Secure traffic onlyhttps:Embedded content is securely accessible regardless of domain.
Secure traffic to all ports for a range of domainshttps:*myco.com:*Embedded content is securely accessible from all ports on all subdomains under myco.com.
No domains[no domains]Access to embedded content is blocked.

On-demand access (embedding workflows only)

Beginning in October 2023, if your site is licensed with the Embedded Analytics(Link opens in a new window) usage-based model, you can extend access to your embedded Tableau content to more users using on-demand access. With on-demand access, you allow your users to interact with embedded Tableau content authenticated through your connected app without needing to provision those users in your Tableau Cloud site. On-demand access removes the requirement for you to add and manage users in Tableau Cloud to support access to embedded content.

How on-demand access works

Access to embedded Tableau content using on-demand access is determined by group-level permissions either inherited by (for example, at the project-level) or directly applied to the content. Users like site admins, project owners or leaders, and content owners can assign group-level permissions to content. When users access the embedded content enabled through the on-demand access capability, Tableau validates the JWT contains the correct group membership claims before displaying the content.

Prerequisites

The following criteria must be true to enable on-demand access for embedded content:

  1. Site is licensed with the Embedded Analytics(Link opens in a new window) usage-based model
  2. On-demand access capability is enabled for the group
  3. Group permissions are specified for the Tableau content
  4. Tableau connected app is created
  5. JWT used by the connected app includes the https://tableau.com/oda and https://tableau.com/groups claims
  6. Tableau content is embedded in an external application

When these criteria are met, your users can interact with embedded Tableau content enabled through on-demand access capability.

Enable on-demand access capability

To enable the on-demand access capability for a group, when creating or editing a group, you must select the Allow on-demand access check box. For more information about creating groups, see Create a Group and Add Users to It.

You can also enable this capability using the Tableau REST API. For more information, see the Create Group(Link opens in a new window) and Update Group(Link opens in a new window) methods in the Tableau REST API Help.

Capabilities when on-demand access is enabled

Users accessing embedded Tableau content have View capabilities(Link opens in a new window) on the content. Users have View capabilities regardless of the selected template or customised capabilities that might be configured for the group (for example, a user with a role of Viewer will never be able to download a data source even if that capability is explicitly granted to them on a specific data source).

Monitor on-demand access

If you have Tableau Cloud with Advanced Management(Link opens in a new window), you can use Activity Log to monitor on-demand access usage. Events in the Activity Log that capture on-demand access include, but are not limited to, access view and login. For more information about these events, see Activity Log Event Type Reference.

Limitations

Because on-demand access workflows enable certain users who access embedded Tableau Content to be anonymous and ephemeral to Tableau Cloud, the following capabilities are not available to users who access embedded content enabled through the on-demand access capability:

  • Create custom views
  • Share content using the content's share button
  • Subscribe to content for email snapshots of information

Note: Beginning in February 2024 (Tableau 2024.1), Tableau REST API requests can be made as a user with on-demand access.

Dynamic group membership (embedding workflows only)

Beginning in June 2024 (Tableau 2024.2), if connected apps are configured and the capability’s setting is enabled, you can dynamically control group membership through custom claims included in the JWT sent by the external application.

When configured, during user authentication, the external application sends the JWT that contains two custom claims for group membership: group (https://tableau.com/groups) and group names (for example, "Group1" and "Group2") to assert the user into. Tableau validates the JWT and then enables access to the groups and the content whose permissions are dependent on those groups.

For more information, see Dynamic group membership using assertions.

Known issues (embedding workflows only)

There are a couple of known issues when using connected apps that will be addressed in a future release.

  • Toolbar features: When embedded content has the toolbar parameter defined, not all toolbar features will work. To work around this issue, we recommend you hide the toolbar parameter like in the example below.

    <tableau-viz id='tab-viz' src='https://online.tableau.com/t/<your_site>/...'
    	toolbar='hidden'>
    </tableau-viz>

  • Published data sources: Published data sources set to Prompt User for database credentials will not display. To work around this issue, if possible, we recommend data source owners embed their database credentials instead.

  • Ask Data objects in embedded dashboards: Ask Data objects in embedded dashboards will not load. (In February 2024 (Tableau 2024.1), Tableau retired Ask Data.)

  • Metrics and domain allowlists: Embedded metrics views will be displayed despite access restrictions that might be specified in the connected apps' domain allowlists. Note: Metrics data accessed from toolbars of embedded views will work as expected. (In October 2023 (Tableau 2023.3), Tableau retired the ability to embed metrics.)

Troubleshoot

You can refer to Troubleshoot Connected Apps - Direct Trust for errors that might be associated with the connected app and suggested troubleshooting steps.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!