How to seamlessly integrate analytics into your product with Connected Apps

We have heard from our customers that a secure, seamless, and easy-to-use authentication method is critical to the success of integrating Tableau analytics. Connected Apps, released in Tableau 2021.4, can provide a simple and delightful authentication experience to end users, whether you’re embedding Tableau in your own applications, client web portals, or third-party SaaS platforms implanted in your business.

With Connected Apps, you can set up a direct trust relationship between Tableau and your application server. This enables users who already login to your application to single sign-on (SSO) to Tableau and view the embedded content without being redirected to a third party Identity Provider for in-frame authentication. This works by using a JSON Web Token (JWT)  signed with a shared secret that a site admin (Tableau Online) or server admin (Tableau Server) can manage in specific Connected Apps. 

Unlock seamless SSO for embedded analytics

When including visualizations powered by Tableau in your application, it’s indispensable to our customers to offer a fully integrated experience for end users. This ensures that they can seamlessly access data and analytics without distinguishing Tableau from your product.

Connected Apps makes it easy to achieve single sign-on in this case. For customers with Tableau Online, this is especially exciting, since Trusted Authentication is not an option. It’s also a better authentication method if you are currently using SAML or OpenID Connect and experiencing restrictions, such as in-frame authentication not supported by your Identity Provider, end users prompted with extra clicks to log in, or if you have security concerns related to disabling Clickjack protection. 

Content embedded via Connected Apps can be displayed smoothly to any user who has already authenticated to your application. With the shared secret, Tableau can verify that your application is trusted and creates a valid session for the user.

Enhanced security control with Connected Apps

Connected Apps not only improves the end user experience, but also provides better security controls for admins by allowing them to explicitly define what analytics content can be embedded and where.

Let’s say you run a retail business and you want to share the inventory status to my order management team. I can arrange the dashboards and metrics into the Inventory Insight folder and select the folder when configuring the Connected App. This means the Connected App, when applied for embedding, only allows sharing for the content in the folder.

Since inventory data is for internal use only, you want to make sure the analytics are only accessible through an internal portal for the order management team. I can add the valid portal domains to the Connected App and just like that, you’re able to ensure your data is exposed only under the secured domains approved by your business.

If you’re an application developer constructing the code that generates the authentication token, here’s great news for you—by specifying the scope parameter in the JWT, you can further champion data security by restricting the end user’s access to the right privilege level in the embedding session. In most scenarios, end users need fewer permissions when interacting with embedded visualizations, compared to what they can do when accessing the Tableau interface directly.

Why adopt Connected Apps as early as possible?

Even if you’re using Tableau Server today and things are working fine with Trusted Authentication, we still highly recommend you to switch to Connected Apps. This is because it’s based on modern authentication standards and better protects your site from potential privilege escalations exposed by the old IP allow list-based control. While Trusted Authentication will remain as supported for now, we eventually plan to replace and enhance its functionality with Connected Apps (we will be sure to communicate our timeline once planned).

Another reason to onboard with Connected Apps sooner than later is to prepare for browser changes related to third-party cookies. The in-frame authentication method will not be viable when browsers (like Chrome and Firefox) enforce blocking third-party cookies that are shared across sites—which is required in the Identity Provider redirection in SAML or OpenID Connect. Connected Apps allows you to adapt to these changes since there is no cross-site cookie involved in the flow.

What comes next?

Connected Apps is not only a feature for embedding your analytics, but also a new authentication framework that Tableau plans to continuously invest in, unlocking easier and better integrations with your business. New initiatives on our roadmap for future releases include the capability to authenticate users in your application without pre-provisioning and managing them in Tableau, as well as the capability to include claims and attributes in authentication flow to dynamically define and grant access to users. 

Want to stay informed and participate in feature pilots? Join the pre-release program and you can help shape and improve our product development—we can’t do it without you, so thank you!

Learn more about Connected Apps

Get started with Connected Apps now by checking out these additional resources:

• Take a deep dive with a demo from Tableau Conference: Next Gen Trusted Authentication in Tableau: Introducing Connected Apps!
• Read our Tableau Help article Configure Tableau Connected Apps to Enable SSO for Embedded Content