Tableau Server & UAEPASS
Largest telecom regulatory federal entity in the UAE
The client requirement was to bring the authentication of every application used in the organization under a single SSO platform, UAEPASS. Users were to reach all the underlying applications with one username and password, verified against their national identity numbers, with no further authentication prompts.
UAEPASS uses identity-provider (IdP) initiated SSO: users first log in at the UAEPASS login page, authenticate with their national identity numbers, and then click the Tableau Server application icon, which redirects them to the landing page of their BI dashboards. In this flow the service provider (Tableau) never issues an AuthnRequest, so the SAML response arrives unsolicited and cannot be tied to a request Tableau made; the signature on the assertion, its audience restriction and its validity window are the checks that protect the login.
Non-native compatibility between Tableau Server and UAEPASS
Tableau Server natively supports SSO integration only with a set of well-known IdPs such as Okta, OneLogin, PingFederate, SiteMinder and Azure. UAEPASS, a custom-built unified SSO platform, had no native compatibility with Tableau.
No “sign-out” option to explicitly end a Tableau Server session
The Tableau Server home page normally offers a “sign-out” option to end the session once the user is done. After UAEPASS was integrated with Tableau Server, this option was missing. Users were concerned that a session they could not terminate themselves remained usable by anyone who later gained access to the browser, for example on a shared workstation, and that the sign-in could be abused by bad actors.
Mapping and passing on user identification assertions to Tableau
Exchanging and mapping the assertions between Tableau and the UAEPASS IdP was a challenge. Tableau Server generates an XML metadata file (its service-provider metadata) which had to be uploaded to the UAEPASS IdP; in turn, the XML metadata generated by the UAEPASS IdP had to be uploaded to Tableau Server. Both steps are required for a SAML integration between the two. However, identifying the key assertions and mapping the two metadata files to each other was next to impossible, because neither platform had native support for the other.
The implementation team first examined the XML metadata files of several other IdPs that Tableau does support. This made it possible to work out, line by line, the purpose and meaning of each element in the metadata. With that understood, the XML metadata returned by the UAEPASS IdP was aligned with the format of the IdPs Tableau supports. In this way, despite the lack of native support, the two applications were configured to interoperate.
Furthermore, the UAEPASS IdP metadata file was modified to include an additional logout endpoint entry (“SingleLogoutService”) using the “HTTP-POST” binding. This enables SAML single logout: pressing “sign-out” in Tableau Server now also logs the user out of UAEPASS automatically, so a user-initiated sign-out ends both sessions and the risk of a lingering signed-in session is removed.
Users can now log in to the Tableau Server application seamlessly from the unified UAEPASS platform, and the organization has SSO configured for its BI users. The outcomes of this integration are:
The client established a centralized, one-stop login mechanism with better governance and control over user logins for the BI software used within the organization.