Use your own identity provider with Amazon Athena

You can use your own identity provider (IdP) with the Amazon Athena connector.

Note: The identity provider must support OAuth 2.0/OIDC.

Overview

Depending on the identity provider you use, the steps needed to set up your own IdP differ. The following is a high-level overview of the process.

  1. Set up a trust relationship between the identity provider, Tableau and the data source.
  2. Create OAuth client credentials for Tableau.
  3. Implement the OAuth client details in Tableau.
  4. Create a policy for the federated identity.
  5. Connect to Amazon Athena.

Amazon Athena and Okta Example

The following example shows the multi-step process for creating a three-way trust and federated OAuth solution between Tableau, Okta and AWS. This document assumes the reader already has an Okta account and an AWS account.

How Tableau interacts with OAuth

This example uses OAuth to connect Tableau to data. When properly configured, Tableau automatically sends a user who attempts to connect to the identity provider, where the user authenticates and consents to delegating permission to their data. Tableau then receives OAuth access and refresh tokens and uses them to connect to the data source.

Note: In-depth instructions are only available for the steps in Tableau.

Step 1: Set up Okta as an identity provider in AWS IAM Identity Center

This step requires setup in both Okta and AWS. For detailed instructions, see the Amazon documentation.

Step 2: Create OAuth Client applications for Tableau in Okta

To get started, see Applications and connections in the Okta documentation.

Step 3: Implement the OAuth Client in Tableau

OAuth is a delegated access protocol: after authenticating, the user delegates permission to Tableau to act on their behalf. Complete the following steps to set up the OAuth client.

Note: This step requires an OAuth config file. If you don't have one, you can find an example at the bottom of this page or on our GitHub page, under OAuth Config file.

Tableau Server or Tableau Cloud

  1. Navigate to the Tableau Server or Tableau Cloud site settings.
  2. Add the OAuth client ID and client secret from the Okta app.
  3. Upload the OAuth config file.
  4. Select Add OAuth Client to finish.

Tableau Desktop and Tableau Bridge Client

  1. Open your OAuth config file from the directory you saved it in.
  2. In the XML file, set the clientIdDesktop, clientSecretDesktop, authUri and tokenUri values to the information from your Okta app for Tableau Desktop.
  3. Save the OAuth config file to the "OAuthConfigs" folder in your My Tableau Repository folder.
  4. If you are running the Bridge client, restart it so that the new OAuth config is loaded.

Step 4: Create a policy for the federated identity in AWS

Create an AWS trust relationship that allows the Tableau federated identity application (identified by its client ID) to assume a role using AssumeRoleWithWebIdentity. This step is done in AWS; for detailed instructions, see Grant users and groups access to AWS resources in the Amazon documentation.

This trust relationship lets Tableau present the OIDC identity token it received from Okta (after the user authenticates), together with the IAM role supplied by the user, to AWS. AWS validates the token and its signature against Okta, extracts the user ID from the token, looks up the mapping of user to IAM role, and either permits or blocks Tableau from assuming the role on the user's behalf (the AssumeRoleWithWebIdentity call).

Step 5: Connect to Athena

Complete the following steps in Tableau Server, Tableau Cloud or Tableau Desktop.

  1. Sign in to Tableau.
  2. Under Connect, select To a Server.
  3. Select Amazon Athena.
  4. In the connection dialog, enter the appropriate connection parameters and the ARN of the role you want Tableau to assume.
  5. Select the OAuth provider configured in Step 3. (If only one OAuth client exists, it is the default. If more than one exists, a Creator can choose as needed.)
  6. Select Sign In to connect to Amazon Athena.

OAuth Config file example

You can use the following file as a template for your own OAuth config file; however, make sure you update it with your specific information, such as the client ID.


<pluginOAuthConfig>
  <dbclass>athena</dbclass>
  <oauthConfigId>custom_NAME</oauthConfigId> <!-- MUST INCLUDE "custom_" -->
  <clientIdDesktop>CLIENT_ID</clientIdDesktop>
  <clientSecretDesktop>CLIENT_SECRET</clientSecretDesktop>
  <redirectUrisDesktop>http://localhost:56666/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:56667/Callback</redirectUrisDesktop>
  <!--
  <redirectUrisDesktop>http://localhost:56668/Callback</redirectUrisDesktop>
  -->
  <authUri>AUTH_URI</authUri>
  <tokenUri>TOKEN_URI</tokenUri>
  <!-- Examples:
  <authUri>https://EXAMPLE.okta.com/oauth2/v1/authorize</authUri>
  <tokenUri>https://EXAMPLE.okta.com/oauth2/v1/token</tokenUri>
  -->
  <!--
  <scopes>openid</scopes>
  <scopes>email</scopes>
  <scopes>profile</scopes>
  <scopes>offline_access</scopes>
  -->
  <scopes>openid email profile offline_access</scopes>

  <capabilities>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_HTTP_SCHEME_LOOPBACK_REDIRECT_URLS</key>
      <value>false</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_PKCE_REQUIRES_CODE_CHALLENGE_METHOD</key>
      <value>false</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_REQUIRE_PKCE</key>
      <value>false</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_STATE</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_CUSTOM_DOMAIN</key>
      <value>false</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_USE_SCOPE_IN_REFRESH_REQUEST</key>
      <value>true</value>
    </entry>
  </capabilities>

  <accessTokenResponseMaps>
    <entry>
      <key>ACCESSTOKEN</key>
      <value>access_token</value>
    </entry>
    <entry>
      <key>REFRESHTOKEN</key>
      <value>refresh_token</value>
    </entry>
    <entry>
      <key>id-token</key>
      <value>id_token</value>
    </entry>
    <entry>
      <key>access-token-issue-time</key>
      <value>issued_at</value>
    </entry>
    <entry>
      <key>access-token-expires-in</key>
      <value>expires_in</value>
    </entry>
    <entry>
      <key>username</key>
      <value>preferred_username</value>
    </entry>
  </accessTokenResponseMaps>

  <refreshTokenResponseMaps>
    <entry>
      <key>ACCESSTOKEN</key>
      <value>access_token</value>
    </entry>
    <entry>
      <key>REFRESHTOKEN</key>
      <value>refresh_token</value>
    </entry>
    <entry>
      <key>id-token</key>
      <value>id_token</value>
    </entry>
    <entry>
      <key>access-token-issue-time</key>
      <value>issued_at</value>
    </entry>
    <entry>
      <key>access-token-expires-in</key>
      <value>expires_in</value>
    </entry>
  </refreshTokenResponseMaps>
</pluginOAuthConfig>
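A pre-flight check for the template above and the Step 3 edits, added here as an example and not Tableau's own tooling: it parses a pluginOAuthConfig file and reports every constraint this page states that is not met (dbclass, the "custom_" prefix, unreplaced placeholders, HTTPS endpoints, the openid and offline_access scopes, loopback desktop redirect URIs). The sample config and its values are constructed.

```python
# Added example (not Tableau's own tooling): sanity-check a pluginOAuthConfig
# file against the constraints this page states before you upload or save it.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PLACEHOLDERS = {"custom_NAME", "CLIENT_ID", "CLIENT_SECRET", "AUTH_URI", "TOKEN_URI"}


def validate_oauth_config(xml_text):
    """Return the list of problems found; an empty list means the file passes."""
    root = ET.fromstring(xml_text)
    if root.tag != "pluginOAuthConfig":
        return ["root element must be <pluginOAuthConfig>"]

    def text(tag):  # text of the first <tag> child, or "" if it is absent
        node = root.find(tag)
        return (node.text or "").strip() if node is not None else ""

    problems = []
    if text("dbclass") != "athena":
        problems.append("dbclass must be 'athena'")
    if not text("oauthConfigId").startswith("custom_"):
        problems.append("oauthConfigId must start with 'custom_'")
    for tag in ("oauthConfigId", "clientIdDesktop", "clientSecretDesktop", "authUri", "tokenUri"):
        if not text(tag) or text(tag) in PLACEHOLDERS:
            problems.append(f"{tag} is empty or still holds the template placeholder")
    for tag in ("authUri", "tokenUri"):  # codes and tokens must not travel over plain HTTP
        if text(tag) and urlparse(text(tag)).scheme != "https":
            problems.append(f"{tag} must use https")
    scopes = {s for node in root.findall("scopes") for s in (node.text or "").split()}
    for scope in ("openid", "offline_access"):  # openid -> ID token, offline_access -> refresh token
        if scope not in scopes:
            problems.append(f"missing scope '{scope}'")
    for node in root.findall("redirectUrisDesktop"):  # desktop callback must stay on the loopback
        if urlparse((node.text or "").strip()).hostname not in ("localhost", "127.0.0.1"):
            problems.append(f"non-loopback desktop redirect URI: {(node.text or '').strip()}")
    return problems


# Constructed sample with the template placeholders replaced; all values are illustrative.
SAMPLE = """<pluginOAuthConfig>
  <dbclass>athena</dbclass>
  <oauthConfigId>custom_okta_athena</oauthConfigId>
  <clientIdDesktop>0oa-example-client-id</clientIdDesktop>
  <clientSecretDesktop>example-client-secret</clientSecretDesktop>
  <redirectUrisDesktop>http://localhost:56666/Callback</redirectUrisDesktop>
  <authUri>https://EXAMPLE.okta.com/oauth2/v1/authorize</authUri>
  <tokenUri>https://EXAMPLE.okta.com/oauth2/v1/token</tokenUri>
  <scopes>openid email profile offline_access</scopes>
</pluginOAuthConfig>"""
```

Run `validate_oauth_config(open("my_config.xml").read())` on your own file; an empty list means it passes every check.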
