External OAuth for SAP HANA

Starting in Tableau 2024.3 for Tableau Cloud, you can use OAuth 2.0/OIDC to federate identity from an external identity provider to HANA.

Depending on the identity provider, there are different steps needed to configure the integration. This is a high-level overview.

Note: Single-use refresh tokens are not supported for OAuth connections to Tableau at this time. In most cases, you can set up your identity provider (such as Okta) to use rolling refresh tokens instead. For more information, see your provider’s OAuth documentation.

Configure IDP on HANA

For information on configuring your IdP on HANA, see Single Sign-On Using JSON Web Tokens in the SAP help system.

The following sections give examples of different ways to set up the IdP:

Configure the IDP

  1. Create OAuth clients on the IDP for Tableau Desktop, and for Tableau Server or Tableau Cloud. The Desktop client should enable PKCE and use http://localhost redirects.

  2. Create the Tableau OAuth config files. For details on how to do this, see OAuth Configuration and Usage on GitHub, and the accompanying examples. We welcome examples for other IDPs.

    1. Be sure to prefix the Tableau OAuth config IDs with “custom_”.

    2. If your IDP supports a dynamic localhost port, disable OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL. If your IDP does not support this, make sure to add several localhost callback URLs to the allowlist both in the config file and on the IDP.

  3. Install the new Tableau OAuth configuration files in the OAuthConfigs folder associated with each application on desktop hosts (Tableau Desktop, Tableau Prep Builder, Tableau Bridge), and on each Tableau Server and Tableau Cloud site that will be using OAuth, via the site settings page. For more details, see Custom OAuth Configs on Desktop and Site Level OAuth Clients.

Connect to HANA

The user must select Sign in using OAuth, then select the OAuth provider installed earlier.

Okta

If using Okta, it is better to use a “custom authorization server” rather than the “org authorization server”, because custom authorization servers are more flexible. A custom authorization server named “default” is created automatically. The authorization URL should look like this:

https://${yourOktaDomain}/oauth2/{authServerName}/v1/authorize
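
As an added example (not part of the Tableau documentation or of the connector-plugin-sdk repository), this is what a Tableau OAuth config file for HANA with an Okta custom authorization server might look like after steps 1 to 3 of "Configure the IDP" above. It assumes the element names of the Tableau connector-plugin-sdk OAuth config format; the Okta domain, client ID, authorization-server name and callback ports are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original page. Element names follow the
     Tableau connector-plugin-sdk OAuth config format as understood here;
     every value is a placeholder to be replaced with your own settings. -->
<pluginOAuthConfig>
  <!-- Tableau's connector class for SAP HANA -->
  <dbclass>saphana</dbclass>
  <!-- Custom config IDs must carry the "custom_" prefix (step 2.1) -->
  <oauthConfigId>custom_hana_okta</oauthConfigId>
  <!-- Desktop client registered on the IdP as a public PKCE client, so no
       client secret is embedded in the file (assumption: the IdP allows it). -->
  <clientIdDesktop>REPLACE_WITH_DESKTOP_CLIENT_ID</clientIdDesktop>
  <!-- http://localhost redirects only (step 1). Several fixed ports are listed
       because this IdP does not support a dynamic localhost port, so
       OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL stays enabled (step 2.2).
       The same URLs must be on the IdP client's redirect allowlist. -->
  <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55557/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55558/Callback</redirectUrisDesktop>
  <!-- Okta custom authorization server ("default" here), per the Okta section -->
  <authUri>https://your-okta-domain.okta.com/oauth2/default/v1/authorize</authUri>
  <tokenUri>https://your-okta-domain.okta.com/oauth2/default/v1/token</tokenUri>
  <userInfoUri>https://your-okta-domain.okta.com/oauth2/default/v1/userinfo</userInfoUri>
  <!-- offline_access requests a refresh token; configure the Okta app for
       rolling (not single-use) refresh tokens, as noted at the top. -->
  <scopes>openid</scopes>
  <scopes>email</scopes>
  <scopes>offline_access</scopes>
  <capabilities>
    <entry>
      <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_REQUIRE_PKCE</key>
      <value>true</value>
    </entry>
  </capabilities>
  <!-- Map fields of the IdP token response to the names Tableau expects -->
  <accessTokenResponseMaps>
    <entry><key>ACCESSTOKEN</key><value>access_token</value></entry>
    <entry><key>REFRESHTOKEN</key><value>refresh_token</value></entry>
    <entry><key>access-token-expires-in</key><value>expires_in</value></entry>
  </accessTokenResponseMaps>
</pluginOAuthConfig>
```

If the IdP does support a dynamic localhost port, set OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL to false and a single http://localhost redirect entry suffices.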
