Trying to integrate Tableau Server with Okta? You’ve come to the right place. This post provides instructions on how to supplement the native Tableau Server integration with Okta to fully automate user management from Okta to Tableau Server.
Okta provides cloud software that helps companies manage and secure user authentication into modern applications, and helps developers build identity controls into applications, websites, web services, and devices. It essentially serves as a single point of sign-on for many applications in an organization.
As Okta is becoming the standard for user management and authentication, there is an increased demand to integrate it with Tableau and eliminate the need to manage users in Tableau Server as well. While Tableau Server offers a native integration with SAML providers such as Okta, enabling a Single Sign On experience when users try to authenticate to Tableau, this native integration only covers user authentication and doesn’t include integration of user management.
As of September 2019, automated user management through an external identity provider (such as Okta) is only in development for Tableau Online and not available for Tableau Server.
The goal of this exercise is to automatically provision users in applications such as Tableau Server through central management in IdPs like Okta. In layman’s terms, the idea is that you only create/modify/delete a user in Okta and they are created/modified/deleted in Tableau Server automatically without any manual intervention directly on Tableau Server.
Without this automation, as a Tableau or Okta administrator you need to manually create user accounts in both Okta and Tableau individually, and manually verify that the usernames being added in Tableau Server exactly match what was created in Okta. If you manage more than 50-100 users, this can quickly become a tedious exercise and a manual reconciliation nightmare. Tableau Server offers a CSV upload feature to help with bulk user management, but that option remains manual.
Managing users in an automated fashion improves security and frees up your team’s time for more meaningful and thoughtful work. So what’s first?
Assuming the SAML settings in Tableau Server and Okta have already been configured for authentication, we’ll move on to adding and deleting users in Tableau.
Okta has a REST API with many endpoints that can be used to pull Okta groups, users, operations, etc. Thankfully, extra kudos go to Okta for providing an easy Postman Import for their various endpoints, which gives those new to their API a launching point for any API calls.
In this example, you’ll need to pull a list of users using this endpoint: /api/v1/users?
{
  "id": "5RwwvF63GNDdHtHGq7",
  "status": "PROVISIONED",
  "created": "2019-08-01T18:44:36.000Z",
  "activated": "2019-08-01T18:44:37.000Z",
  "statusChanged": "2019-08-01T18:44:37.000Z",
  "lastLogin": null,
  "lastUpdated": "2019-08-01T18:44:37.000Z",
  "passwordChanged": null,
  "profile": {
    "firstName": "Kimberly",
    "lastName": "Te",
    "mobilePhone": null,
    "secondEmail": null,
    "login": "kimberly.te@keyrus.ca",
    "email": "kimberly.te@keyrus.ca"
  },
  "credentials": {
    "provider": { "type": "OKTA", "name": "OKTA" }
  },
  "_links": {
    "self": { "href": API LINK }
  }
},
{
  "id": "5RwwvF63GNDdHtHGq7",
  "status": "PROVISIONED",
  "created": "2019-08-11T00:23:46.000Z",
  "activated": "2019-08-11T00:23:46.000Z",
  "statusChanged": "2019-08-11T00:23:46.000Z",
  "lastLogin": null,
  "lastUpdated": "2019-08-11T00:23:46.000Z",
  "passwordChanged": null,
  "profile": {
    "firstName": "Ariel",
    "lastName": "Pohoryles",
    "mobilePhone": null,
    "secondEmail": null,
    "login": "ariel.pohoryles@keyrus.ca",
    "email": "ariel.pohoryles@keyrus.ca"
  },
  "credentials": {
    "provider": { "type": "OKTA", "name": "OKTA" }
  },
  "_links": {
    "self": { "href": "https://keyrus.okta.com/api/v1/users/5RwwvF63GNDdHtHGq7" }
  }
}
Now you can leverage the Tableau REST API to automatically add users to Tableau Server. This example is for Tableau Server version 2019.1. With the Tableau Server REST API, you can manage and change Tableau Server resources programmatically, using HTTP.
When you add a user to Tableau Server, their username has to be the same username they use in Okta. In general, email addresses make the most sense. Below is an example of what the POST request would look like.
In the POST request, you will need to define the user’s user name, site role, and authentication setting (optional):
<tsRequest>
  <user name="kimberly.te@keyrus.ca" siteRole="Viewer"/>
</tsRequest>
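As an added illustration (not code from the original post), the sketch below reconciles the Okta user list with the usernames already on Tableau Server and builds the <tsRequest> bodies for the accounts that are missing. The set of entitled Okta statuses, the protected-account list, the case-insensitive comparison and all sample users are assumptions constructed for the example; it makes no API calls.

```python
import json
import xml.etree.ElementTree as ET

# Assumption: only these Okta statuses should hold a Tableau Server account.
ENTITLED = {"PROVISIONED", "ACTIVE"}

# Constructed sample, trimmed to the fields used from /api/v1/users.
OKTA_USERS = json.loads("""[
  {"status": "PROVISIONED",   "profile": {"login": "Kimberly.Te@example.com"}},
  {"status": "DEPROVISIONED", "profile": {"login": "former.user@example.com"}},
  {"status": "ACTIVE",        "profile": {"login": "r&d.analyst@example.com"}}
]""")

# Constructed sample of usernames currently on the Tableau Server site.
TABLEAU_USERS = ["kimberly.te@example.com", "former.user@example.com",
                 "tableau.admin@example.com"]


def ts_request(username, site_role="Viewer"):
    """Build the <tsRequest> body; ElementTree escapes the attribute values."""
    root = ET.Element("tsRequest")
    ET.SubElement(root, "user", {"name": username, "siteRole": site_role})
    return ET.tostring(root, encoding="unicode")


def plan(okta_users, tableau_users, protected=()):
    """Return (request bodies to POST, usernames to remove)."""
    # Assumption: usernames are compared case-insensitively for the diff,
    # while the Okta login is sent unchanged in the request.
    entitled = {u["profile"]["login"].casefold(): u["profile"]["login"]
                for u in okta_users if u["status"] in ENTITLED}
    existing = {name.casefold() for name in tableau_users}
    keep = {name.casefold() for name in protected}
    to_add = [ts_request(login) for key, login in sorted(entitled.items())
              if key not in existing]
    # Anything on the site that Okta no longer entitles is removed, except
    # local accounts listed as protected (e.g. a break-glass administrator).
    to_remove = sorted(name for name in tableau_users
                       if name.casefold() not in entitled
                       and name.casefold() not in keep)
    return to_add, to_remove


if __name__ == "__main__":
    adds, removes = plan(OKTA_USERS, TABLEAU_USERS,
                         protected=["tableau.admin@example.com"])
    print("POST bodies:", adds)
    print("Remove:", removes)
```

Building the body with an XML library rather than string concatenation keeps a login containing `&` or a quote from breaking or altering the request, and the protected list keeps the sync from deleting local administrator accounts that never existed in Okta.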
If you or your organization is mandating row-level security in your Tableau Server setup, chances are that you have an entitlement table that joins to the main data source being used in Tableau. In this case, you can have your script write to the entitlement table and add/modify/delete the users that were identified from Okta.
If this is your first time encountering row-level security with Tableau, there are some useful online resources.
The frequency at which your script needs to run depends on how often users are added/modified/deleted in your Okta environment for Tableau Server.
For a closer to “real-time” version, you can run your script every few minutes but you will need to ensure your script run frequency will not push you over the Okta API rate limits. In addition, if you have row-level security with data extraction in place, you will also need to ensure your data extract updates as quickly as your script executes.
In many other scenarios, running the script once a day before a daily extract refresh in Tableau Server is usually enough.
If you’d rather avoid writing the API calls yourself, we can help apply this automated solution in your environment. After a brief chat, Keyrus can immediately start automating your Okta to Tableau integration for seamless user management.