Change OAuth to Saved Credentials

By default, the connector uses a managed keychain for OAuth tokens that are generated for Tableau Server by the provider and shared by all users in the same site. You can configure Tableau Server with saved client ID and client secret. There are two scenarios where you might want to do this:

  • Salesforce data connector—If you're using the Salesforce data connector, you can configure Tableau Server with an OAuth client ID and secret, so the connector can use saved credentials.
  • Einstein Discovery—If you are integrating Einstein Discovery extensions with Tableau Server, you need to do this OAuth client ID and secret configuration. The ability to integrate Einstein Discovery and Tableau Server was added in version 2021.1.0. For more information, see Configure Einstein Discovery Integration.

For more information about managed keychain and saved credentials, see OAuth Connections.

This topic describes how to set up your data sources and Einstein Discovery extensions for OAuth saved credentials. Complete these steps for each Tableau Server instance.

Set up OAuth by following these two procedures:

  • Create a Connected App in Salesforce.
  • Use the information you obtained to configure your server.

Create a Connected Salesforce App

Note: This procedure documents the process in Salesforce Lightning. If you are using the traditional interface, the navigation may be different but the configuration is the same.

  1. Sign in to your developer account, click your user name in the upper-right, and then select Setup.

  2. In the left navigation column, under Apps, select App Manager .

  3. In the Connected Apps section, click New Connected App.

  4. In Basic Information, give the app a name, tab through the api field so it will self-populate in the correct format, and enter a contact email for the app.

  5. In the API [Enable OAuth Settings] section, select Enable OAuth Settings.

  6. In the new OAuth settings that appear, for Callback URL, type the fully qualified domain name of your server, using the https protocol, and append the following text to the URL: auth/add_oauth_token.

    For example:

  7. Move the following items from Available OAuth Scopes to Selected OAuth Scopes:

    • Access and manage your data (api)

    • Access your basic information (id)

    • Perform requests on your behalf at any time (refresh_token)

  8. Click Save.

After you save the app, Salesforce populates the API section with the following IDs that you will use to configure Tableau Server:

  • Consumer Key
  • Consumer Secret
  • Callback URL

Configure Tableau Server for OAuth

Once your connected app is created in Salesforce and you have the Customer Key, Customer Secret, and the Callback URL, you can configure Tableau Server for Salesforce data connections and Einstein Discovery.

  1. On the Tableau Server computer, at a command prompt, run the following commands:

    tsm configuration set -k oauth.salesforce.client_id -v <your_customer_key>

    tsm configuration set -k oauth.salesforce.client_secret -v <your_customer_secret>

    tsm configuration set -k oauth.salesforce.redirect_uri -v <your_redirect_URL>

  2. (Optional) To change the default login server, type the following command:

    tsm configuration set -k oauth.salesforce.server_base_url -v <URL>

  3. Enter the following command to apply changes:

    tsm pending-changes apply

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Managing access tokens

After you configure the server for OAuth, you can allow users to manage their own access tokens in their profile settings, or you can manage the tokens centrally. For more information, see Allow Saved Access Tokens.

Thanks for your feedback!