Tableau Server is getting more and more enterprise ready, it includes crucial enterprise functionality like support for SAML IdP and Server REST API. This makes possible to implement non-directly supported features like  LDAP authentication and authorization – even for non active directory based LDAP servers such OpenLDAP. In the following post I will summarize what do you need to setup the standard and supported connection between your Tableau and LDAP infrastructure.

Authentication

Tableau Server support local (internal), SAML, Kerberos and Trusted authentication – but no LDAP out of the box. However, most of the SAML IdPs supports LDAP so by adding an SAML server to your infrastructure you can delegate Tableau Desktop and Tableau Server authentication to your LDAP via SAML IdP. SAML even allows you to design your own login screen as Craig described in his SAML post.

You can download some of the widely used, funny named free/open source SAML Identity providers like:

• shibboleth – https://shibboleth.net/products/identity-provider.html
• glue – http://www.gluu.org/

You can simply follow the vendor documentations on how to setup the Identity providers with LDAP. When you ready just have a look in Tableau’s SAML Configuration guide and proceed with its steps.

That’s it, now you can logon with your LDAP based username-password information to Tableau Server!

Authorization

The next step is to import and synchronize users between LDAP and Tableau Server. I wrote a small utility for this purpose which could replicate users and user group memberships between Tableau Server 9.0+ and any LDAP server. It

• Synchronizes multiple ldap groups with multiple tableau groups on multiple sites using official Tableau Server REST API
• Adds all users to tableau site who are defined in LDAP but not existing in Tableau Server
• Synchronizes each ldap group with the corresponding tableau group (adds, deletes users according to actual LDAPmemberships)
• Sets domain to users to be able to use Active Directory authentication after synchronization (optional)
• can be deployed as single standalone JAR file without any interpreter dependency (with lein uberjar ).

This is very similar what Tableau does with Active Directory groups.

To install the app go to tabsync’s github page: https://github.com/starschema/tabsync and follow the install instruction. You will need java 1.8 and leiningen installed on your local PC.

To begin create a directory called config  in the root of your newly created jar executable, and make sure to place a file called groups.yml  under the same directory. Make sure to follow the formatting pattern:

You should also modify two functions in order to use your own LDAP schema for getting users from a group and their user info.

Function 1: Get detailed user info. Use employeNumber ldap attribute as username, displayName as full name, email as email.

Function 2: Get users from group. First search for group in OU=Groups as CN=group-id, then take the first nine letters from the returned CNs. In case of the return CN starts with character ‘g’ it will recursively go into it and add to the user list (nested LDAP group handling).

Feel free to change these parts according to your LDAP scheme.

Finally, you can run the synchronization tool as:

If you have any questions or suggestion just drop me a line as usual.

• About
• Latest Posts

Tamás Földi

Director of IT Development at Starschema

Decades of experience with data processing and state of the art programming. From nuclear bomb explosion simulation to distributed file systems. ethical hacking, real time stream processing practically I always had a great fun with those geeky ones and zeros.

Latest posts by Tamás Földi (see all)

• Python Experiments in Tableau 1. – Add live currency conversion to Tableau Dashboards using TabPy - January 9, 2018
• HOWTO: Tableau Server Linux in Docker Container - November 2, 2017
• Tableau Filestore Consistency Checker – How Repository Maps to Filestore - August 17, 2017