This topic describes how to connect from Tableau Server to Salesforce Data Cloud through OAuth authentication.

Note: As of February 14, 2023, Customer Data Platform is now called Salesforce Data Cloud. During this transition, you may see references to Customer Data Platform, along with names: Customer Data Cloud, Customer 360 Audiences, and Salesforce CDP. We wish we could magically update the name everywhere, but you can expect to see the previous name in a few places as we evolve.

The steps described in this topic are required to use Salesforce Data Cloud data in Tableau Server.

Step 1: Set up the Salesforce Data Cloud connector

Warning: Before you upgrade to Tableau Desktop version 2021.4 or above, you have to remove the old .taco file to avoid a file conflict.

  1. Download the latest Salesforce CDP connector (Salesforce_CDP.taco file) from the Tableau Exchange Connectors site.
  2. Move the .taco file to the Tableau connector folder:
  • Windows: C:\Users[Windows User]\Documents\My Tableau Repository\Connectors
  • Linux: /opt/tableau/connectors OR /var/opt/tableau_server/data/tabsvc/vizqlserver/Connectors/
  1. Restart Tableau Server.

Step 2: Install the Salesforce Data Cloud JDBC driver

Note: Tableau version 2023.1 for Server is only compatible with JDBC driver version 18 and above.

  1. Download the latest JDBC driver (Salesforce-CDP-jdbc-[version].jar file) from the Salesforce CDP GitHub site: https://github.com/forcedotcom/Salesforce-CDP-jdbc/releases
  2. Move the downloaded Salesforce-CDP-jdbc-[version].jar file to the following location:
  • Windows: C:\Program Files\Tableau\Drivers
  • Linux: /opt/tableau/tableau_driver/jdbc

Step 3: Configure Salesforce Data Cloud APIs

  1. Log in to Salesforce CDP using the Admin user role for your organization.
  2. Go to Setup, and search for and select OAuth Custom Scopes.
  3. Create two custom scopes named cdpquery and cdpprofile.

Step 4: Create a Salesforce connected app

After creating the Customer Data Cloud API scopes, use the following procedure to create a Salesforce connected app to handle OAuth delegation from Tableau Server.

  1. Sign in to your Salesforce CDP account as an admin, click your user name in the upper-right, and then select Setup.

  2. In the left pane, under Apps, select App Manager.

  3. In the Connected Apps section, click New Connected App.

  4. In Basic Information, give your connected app a name (for example, Example.com), tab through the API field so it self-populates in the correct format, and enter a contact email address for the app.

  5. In the API [Enable OAuth Settings] section, select Enable OAuth Settings, and then do the following:

    1. In the new OAuth settings that appear, for Callback URL, type the fully qualified domain name (FQDN) of your Tableau Server, using the https protocol, and append the following text to the URL: /auth/add_oauth_token.

      For example: https://example.com/auth/add_oauth_token

    2. Move the following items from Available OAuth Scopes to Selected OAuth Scopes:

      • Manage user data via APIs (api)
      • Perform requests on your behalf at any time (refresh_token, offline_access)
      • Manage Customer Data Cloud profile data (cdp_profile_api)
      • Perform ANSI SQL queries on Customer Data Platform data (cdp_query_api)

  6. When finished, click Save.

  7. Go to your App Manager list, navigate to your connected app, click the dropdown arrow, and then select Manage.

  8. Scroll down to OAuth Custom Scopes, select cdpprofile and cdpquery check boxes, and then click Save.

After you save the app, the API (Enable OAuth Settings) section is populated with the following IDs that you'll use to configure Tableau Server in Step 5:

  • Consumer Key
  • Consumer Secret
  • Callback URL

    Note: Save your Consumer Key, Secret, and Callback URL for use in Step 5.



Step 5: Configure Tableau Server for the Salesforce Data Cloud and OAuth

After the connected app is created in Salesforce and you have the Consumer Key, Consumer Secret, and the Callback URL, you can configure Tableau Server for Salesforce CDP OAuth connections. To get started gather the following information.

  • Consumer Key: The Consumer Key, also known as the client ID in Tableau, is generated from the procedure at the end of Step 4. Use this value for [your_consumer_key] in the following tsm command.
  • Consumer Secret: The Consumer Secret, also known as the client secret in Tableau, is generated from the procedure at the end of Step 4. Use this value for [your_consumer_secret] in the following tsm command.
  • Callback URL: The Callback URL, also know as the redirect URL in Tableau, is you Tableau Server URL https://example.com and "/auth/add_oauth_token" appended to it. Use this value for [your_callback_url] in the following tsm command.
  • Configuration ID: The value for the oauth.config.id parameter you use in the following tsm: customer_360_audience
Use TSM Commands for OAuth Setup

Run the following tsm commands to configure OAuth for Salesforce CDP.

tsm configuration set -k oauth.config.clients -v "[{\"oauth.config.id\":\"customer_360_audience\", \"oauth.config.client_id\":\"[your_consumer_key]\", \"oauth.config.client_secret\":\"[your_consumer_secret]\", \"oauth.config.redirect_uri\":\"[your_callback_url]\"}]" --force-keys

tsm pending-changes apply

Setting multiple connectors

If you have multiple connectors to set, you must include all of them in a single command. For example: 

tsm configuration set -k oauth.config.clients -v "[{\"oauth.config.id\":\"custom_360_audience\", \"oauth.config.client_id\":\"[your_consumer_key]\", \"oauth.config.client_secret\":\"[your_consumer_secret]\", \"oauth.config.redirect_uri\":\"[your_callback_url]\"}, {\"oauth.config.id\":\"dremio\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}, {\"oauth.config.id\":\"azure_sql_dw\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}, {\"oauth.config.id\":\"azure_sqldb\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}]" --force-keys

tsm pending-changes apply

Configure custom OAuth for a site

You can configure custom Salesforce CDP OAuth for a site.

Consider configuring a custom OAuth client to 1) override an OAuth client if configured for the server or 2) enable support for securely connecting to data that requires unique OAuth clients.

When a custom OAuth client is configured, the site-level configuration takes precedence over any server-side configuration and all new OAuth credentials created use the site-level OAuth client by default. No Tableau Server restart is required for the configurations to take effect.

Important: Existing OAuth credentials established before the custom OAuth client is configured are temporarily usable but both server administrators and users must update their saved credentials to help ensure uninterrupted data access.

Step 1: Prepare the OAuth client ID, client secret, and redirect URL

Before you can configure the custom OAuth client, you need the information listed below. After you have this information prepared, you can register the custom OAuth client for the site.

  • OAuth client ID and client secret: First register the OAuth client with the data provider (connector) to retrieve the client ID and secret generated for Tableau Server.

  • Redirect URL: Note the correct redirect URL. You will need this during the registration process in Step 2 below.

    https://<your_server_name>.com/auth/add_oauth_token

    For example, https://example.com/auth/add_oauth_token

Step 2: Register the OAuth client ID and client secret

Follow the procedure described below to register the custom OAuth client to the site.

  1. Sign in to your Tableau Server site using your admin credentials and navigate to the Settings page.

  2. Under OAuth Clients Registry, click the Add OAuth Client button.

  3. Enter the required information, including the information from Step 1 above:

    1. For Connection Type, select the connector whose custom OAuth client you want to configure.

    2. For Client ID, Client Secret, and Redirect URL, enter the information you prepared in Step 1 above.

    3. Click the Add OAuth Client button to complete the registration process.

  4. (Optional) Repeat step 3 for all supported connectors.

  5. Click the Save button at the bottom or top of the Settings page to save changes.

Step 3: Validate and update saved credentials

To help ensure uninterrupted data access, you (and your site users) must delete the previous saved credentials and add it again to use the custom OAuth client for the site.

  1. Navigate to your My Account Settings page.

  2. Under Saved Credentials for Data Sources, do the following:

    1. Click Delete next to the existing saved credentials for the connector whose custom OAuth client you configured in Step 2 above.

    2. Next to connector name, click Add and follow the prompts to 1) connect to the custom OAuth client configured in Step 2 above and 2) save the latest credentials.

Step 4: Notify users to update their saved credentials

Make sure you notify your site users to update their saved credentials for the connector whose custom OAuth client you configured in Step 2 above. Site users can use the procedure described in Update saved credentials to update their saved credentials.

Note: When configuring Salesforce CDP OAuth in Tableau Server, do the following:

  • For client ID, use the Consumer Key generated from the procedure at the end of Step 4.
  • For client secret, use the Consumer Secret generated from the procedure at the end of Step 4.
  • For the redirect URL, use your Tableau Server URL https://example.com and "/auth/add_oauth_token" appended to it.

Consider configuring a custom OAuth client to 1) override an OAuth client if configured for the server or 2) enable support for securely connecting to data that requires unique OAuth clients.

When a custom OAuth client is configured, the site-level configuration takes precedence over any server-side configuration and all new OAuth credentials created use the site-level OAuth client by default. No Tableau Server restart is required for the configurations to take effect.

Important: Existing OAuth credentials established before the custom OAuth client is configured are temporarily usable but both server administrators and users must update their saved credentials to help ensure uninterrupted data access.

Step 1: Prepare the OAuth client ID, client secret, and redirect URL

Before you can configure the custom OAuth client, you need the information listed below. After you have this information prepared, you can register the custom OAuth client for the site.

  • OAuth client ID and client secret: First register the OAuth client with the data provider (connector) to retrieve the client ID and secret generated for Tableau Server.

  • Redirect URL: Note the correct redirect URL. You will need this during the registration process in Step 2 below.

    https://<your_server_name>.com/auth/add_oauth_token

    For example, https://example.com/auth/add_oauth_token

Step 2: Register the OAuth client ID and client secret

Follow the procedure described below to register the custom OAuth client to the site.

  1. Sign in to your Tableau Server site using your admin credentials and navigate to the Settings page.

  2. Under OAuth Clients Registry, click the Add OAuth Client button.

  3. Enter the required information, including the information from Step 1 above:

    1. For Connection Type, select the connector whose custom OAuth client you want to configure.

    2. For Client ID, Client Secret, and Redirect URL, enter the information you prepared in Step 1 above.

    3. Click the Add OAuth Client button to complete the registration process.

  4. (Optional) Repeat step 3 for all supported connectors.

  5. Click the Save button at the bottom or top of the Settings page to save changes.

Step 3: Validate and update saved credentials

To help ensure uninterrupted data access, you (and your site users) must delete the previous saved credentials and add it again to use the custom OAuth client for the site.

  1. Navigate to your My Account Settings page.

  2. Under Saved Credentials for Data Sources, do the following:

    1. Click Delete next to the existing saved credentials for the connector whose custom OAuth client you configured in Step 2 above.

    2. Next to connector name, click Add and follow the prompts to 1) connect to the custom OAuth client configured in Step 2 above and 2) save the latest credentials.

Step 4: Notify users to update their saved credentials

Make sure you notify your site users to update their saved credentials for the connector whose custom OAuth client you configured in Step 2 above. Site users can use the procedure described in Update saved credentials to update their saved credentials.

Forward proxy for OAuth authentication

For more information about setting up a forward proxy with OAuth authentication for Tableau Server (Windows only), see Configure a Forward Proxy for OAuth Authentication(Link opens in a new window) in the Tableau Help.

See also
Thanks for your feedback!