This topic describes how to connect from Tableau Server to Salesforce CDP through OAuth authentication.

The steps described in this topic are required to use Salesforce CDP data in Tableau Server. More specifically, these steps enable your users to Use Salesforce CDP Data in Tableau as described in Salesforce Help, publish Salesforce CDP-based workbooks and data sources to Tableau Server, and keep the Salesforce CDP data fresh.

Setting up OAuth for Salesforce CDP consists of the following tasks:

  1. Set up the Salesforce CDP connector.
  2. Install the Salesforce CDP JDBC driver.
  3. Configure Salesforce CDP APIs to allow queries to Salesforce CDP data (egress of data).
  4. Create a Salesforce connected app to handle OAuth delegation from Tableau Server.
  5. Configure Tableau Server for Salesforce CDP OAuth.
  6. (Optional) Configure site-specific OAuth.

Step 1: Set up the Salesforce CDP connector

  1. Download the latest Salesforce CDP connector (Salesforce_CDP.taco file) from the Tableau Exchange Connectors site.
  2. Move the .taco file to the Tableau connector folder:
  • Windows: C:\Users[Windows User]\Documents\My Tableau Repository\Connectors
  • Linux: /opt/tableau/connectors

Step 2: Install the Salesforce CDP JDBC driver

  1. Download the latest JDBC driver (Salesforce-CDP-jdbc-[version].jar file) from the Salesforce CDP GitHub site: https://github.com/forcedotcom/Salesforce-CDP-jdbc/releases
  2. Move the downloaded Salesforce-CDP-jdbc-[version].jar file to the following location:
  • Windows: C:\Program Files\Tableau\Drivers
  • Linux: /opt/tableau/tableau_driver/jdbc

Step 3: Configure Salesforce CDP APIs

Use the procedure described in Set Up a Connected App in Salesforce Help to configure the Salesforce CDP APIs to enable queries to Salesforce CDP data (egress of data). The procedure describes how to create two custom Salesforce CDP API scopes, cdpquery and cdpprofile.

  1. Log in to Salesforce CDP using the Admin user role for your organization.
  2. Go to Setup, and search for and select OAuth Custom Scopes.
  3. Create two custom scopes named cdpquery and cdpprofile.

Step 4: Create a Salesforce connected app

After creating the Salesforce CDP API scopes, use the following procedure to create a Salesforce connected app to handle OAuth delegation from Tableau Server.

  1. Sign in to your Salesforce CDP account as an admin, click your user name in the upper-right, and then select Setup.

  2. In the left pane, under Apps, select App Manager.

  3. In the Connected Apps section, click New Connected App.

  4. In Basic Information, give your connected app a name (for example, Example.com), tab through the API field so it self-populates in the correct format, and enter a contact email address for the app.

  5. In the API [Enable OAuth Settings] section, select Enable OAuth Settings, and then do the following:

    1. In the new OAuth settings that appear, for Callback URL, type the fully qualified domain name (FQDN) of your Tableau Server, using the https protocol, and append the following text to the URL: /auth/add_oauth_token.

      For example: https://example.com/auth/add_oauth_token

    2. Move the following items from Available OAuth Scopes to Selected OAuth Scopes:

      • Manage user data via APIs (api)
      • Perform requests on your behalf at any time (refresh_token, offline_access)

  6. When finished, click Save.

  7. Go to your App Manager list, navigate to your connected app, click the dropdown arrow, and then select Manage.

  8. Scroll down to OAuth Custom Scopes, select cdpprofile and cdpquery check boxes, and then click Save.

After you save the app, the API (Enable OAuth Settings) section is populated with the following IDs that you'll use to configure Tableau Server in Step 5:

  • Consumer Key
  • Consumer Secret
  • Callback URL

Step 5: Configure Tableau Server for Salesforce CDP OAuth

After the connected app is created in Salesforce and you have the Consumer Key, Consumer Secret, and the Callback URL, you can configure Tableau Server for Salesforce CDP OAuth connections. To get started gather the following information.

  • Consumer Key: The Consumer Key, also known as the client ID in Tableau, is generated from the procedure at the end of Step 4. Use this value for [your_consumer_key] in the following tsm command.
  • Consumer Secret: The Consumer Secret, also known as the client secret in Tableau, is generated from the procedure at the end of Step 4. Use this value for [your_consumer_secret] in the following tsm command.
  • Callback URL: The Callback URL, also know as the redirect URL in Tableau, is you Tableau Server URL https://example.com and "/auth/add_oauth_token" appended to it. Use this value for [your_callback_url] in the following tsm command.
  • Configuration ID: The value for the oauth.config.id parameter you use in the following tsm: customer_360_audience
Use TSM Commands for OAuth Setup

Run the following tsm commands to configure OAuth for Salesforce CDP.

tsm configuration set -k oauth.config.clients -v "[{\"oauth.config.id\":\"customer_360_audience\", \"oauth.config.client_id\":\"[your_consumer_key]\", \"oauth.config.client_secret\":\"[your_consumer_secret]\", \"oauth.config.redirect_uri\":\"[your_callback_url]\"}]" --force-keys

tsm pending-changes apply

Setting multiple connectors

If you have multiple connectors to set, you must include all of them in a single command. For example: 

tsm configuration set -k oauth.config.clients -v "[{\"oauth.config.id\":\"custom_360_audience\", \"oauth.config.client_id\":\"[your_consumer_key]\", \"oauth.config.client_secret\":\"[your_consumer_secret]\", \"oauth.config.redirect_uri\":\"[your_callback_url]\"}, {\"oauth.config.id\":\"dremio\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}, {\"oauth.config.id\":\"azure_sql_dw\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}, {\"oauth.config.id\":\"azure_sqldb\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}]" --force-keys

tsm pending-changes apply

Configure custom OAuth for a site

You can configure custom Salesforce CDP OAuth for a site.

Consider configuring a custom OAuth client to 1) override an OAuth client if configured for the server or 2) enable support for securely connecting to data that requires unique OAuth clients.

When a custom OAuth client is configured, the site-level configuration takes precedence over any server-side configuration and all new OAuth credentials created use the site-level OAuth client by default. No Tableau Server restart is required for the configurations to take effect.

Important: Existing OAuth credentials established before the custom OAuth client is configured are temporarily usable but both server administrators and users must update their saved credentials to help ensure uninterrupted data access.

Step 1: Prepare the OAuth client ID, client secret, and redirect URL

Before you can configure the custom OAuth client, you need the information listed below. After you have this information prepared, you can register the custom OAuth client for the site.

  • OAuth client ID and client secret: First register the OAuth client with the data provider (connector) to retrieve the client ID and secret generated for Tableau Server.

  • Redirect URL: Note the correct redirect URL. You will need this during the registration process in Step 2 below.

    https://<your_server_name>.com/auth/add_oauth_token

    For example, https://example.com/auth/add_oauth_token

Step 2: Register the OAuth client ID and client secret

Follow the procedure described below to register the custom OAuth client to the site.

  1. Sign in to your Tableau Server site using your admin credentials and navigate to the Settings page.

  2. Under OAuth Clients Registry, click the Add OAuth Client button.

  3. Enter the required information, including the information from Step 1 above:

    1. For Connection Type, select the connector whose custom OAuth client you want to configure.

    2. For Client ID, Client Secret, and Redirect URL, enter the information you prepared in Step 1 above.

    3. Click the Add OAuth Client button to complete the registration process.

  4. (Optional) Repeat step 3 for all supported connectors.

  5. Click the Save button at the bottom or top of the Settings page to save changes.

Step 3: Validate and update saved credentials

To help ensure uninterrupted data access, you (and your site users) must delete the previous saved credentials and add it again to use the custom OAuth client for the site.

  1. Navigate to your My Account Settings page.

  2. Under Saved Credentials for Data Sources, do the following:

    1. Click Delete next to the existing saved credentials for the connector whose custom OAuth client you configured in Step 2 above.

    2. Next to connector name, click Add and follow the prompts to 1) connect to the custom OAuth client configured in Step 2 above and 2) save the latest credentials.

Step 4: Notify users to update their saved credentials

Make sure you notify your site users to update their saved credentials for the connector whose custom OAuth client you configured in Step 2 above. Site users can use the procedure described in Update saved credentials to update their saved credentials.

Note: When configuring Salesforce CDP OAuth in Tableau Server, do the following:

  • For client ID, use the Consumer Key generated from the procedure at the end of Step 4.
  • For client secret, use the Consumer Secret generated from the procedure at the end of Step 4.
  • For the redirect URL, use your Tableau Server URL https://example.com and "/auth/add_oauth_token" appended to it.

Consider configuring a custom OAuth client to 1) override an OAuth client if configured for the server or 2) enable support for securely connecting to data that requires unique OAuth clients.

When a custom OAuth client is configured, the site-level configuration takes precedence over any server-side configuration and all new OAuth credentials created use the site-level OAuth client by default. No Tableau Server restart is required for the configurations to take effect.

Important: Existing OAuth credentials established before the custom OAuth client is configured are temporarily usable but both server administrators and users must update their saved credentials to help ensure uninterrupted data access.

Step 1: Prepare the OAuth client ID, client secret, and redirect URL

Before you can configure the custom OAuth client, you need the information listed below. After you have this information prepared, you can register the custom OAuth client for the site.

  • OAuth client ID and client secret: First register the OAuth client with the data provider (connector) to retrieve the client ID and secret generated for Tableau Server.

  • Redirect URL: Note the correct redirect URL. You will need this during the registration process in Step 2 below.

    https://<your_server_name>.com/auth/add_oauth_token

    For example, https://example.com/auth/add_oauth_token

Step 2: Register the OAuth client ID and client secret

Follow the procedure described below to register the custom OAuth client to the site.

  1. Sign in to your Tableau Server site using your admin credentials and navigate to the Settings page.

  2. Under OAuth Clients Registry, click the Add OAuth Client button.

  3. Enter the required information, including the information from Step 1 above:

    1. For Connection Type, select the connector whose custom OAuth client you want to configure.

    2. For Client ID, Client Secret, and Redirect URL, enter the information you prepared in Step 1 above.

    3. Click the Add OAuth Client button to complete the registration process.

  4. (Optional) Repeat step 3 for all supported connectors.

  5. Click the Save button at the bottom or top of the Settings page to save changes.

Step 3: Validate and update saved credentials

To help ensure uninterrupted data access, you (and your site users) must delete the previous saved credentials and add it again to use the custom OAuth client for the site.

  1. Navigate to your My Account Settings page.

  2. Under Saved Credentials for Data Sources, do the following:

    1. Click Delete next to the existing saved credentials for the connector whose custom OAuth client you configured in Step 2 above.

    2. Next to connector name, click Add and follow the prompts to 1) connect to the custom OAuth client configured in Step 2 above and 2) save the latest credentials.

Step 4: Notify users to update their saved credentials

Make sure you notify your site users to update their saved credentials for the connector whose custom OAuth client you configured in Step 2 above. Site users can use the procedure described in Update saved credentials to update their saved credentials.

Forward proxy for OAuth authentication

For more information about setting up a forward proxy with OAuth authentication for Tableau Server (Windows only), see Configure a Forward Proxy for OAuth Authentication(Link opens in a new window) in the Tableau Help.

Thanks for your feedback!