SF Tableau Integration

1. CUSTOMER SOLUTIONS ALL HANDSSALESFORCE TIGER TEAM
Tableau – Salesforce
Integration
Architecture & Considerations

2. EMBEDDING TABLEAU IN SALESFORCE

3. KEY TERMS
• Sparkler
• Java-based Tableau extension written, maintained, and supported by Tableau
• Canvas
• Salesforce web framework for rendering content
• Trusted Tickets
• The way Tableau Server authenticates users on sites with embedded vizzes (more info)
• SSO
• Single Sign-On; A system where an user logs in once to a login/identity system and then the user is automatically logged into other connected systems.
• SAML
• Security Assertion Markup Language; A type of security token used by SSO and provided by an IdP. Used for exchanging authentication and authorization
data
• IdP
• Identity Provider; authenticates a user using security tokens ex. (login to Twitter using Facebook acct.)

4. educate . inspire . recognize
SAMPLE DISCOVERY QUESTIONS
• Describe a day in the life of the people consuming the reports?
• Are there different kinds of profiles (exec / manager / analyst)?
• What kind of decisions are you making from this?
• Are you looking for a simple snapshot reporting tool or an analytics tool that enables you to dig in and answer follow up questions?
• How large of a community will be consuming these visualizations?
• Are you or anyone in your organization using Tableau today?
• Does all the data to support your questions + dashboards come from SFDC or are there other sources (Excel, Databases, datawarehouse, etc.)?
• Do you want to have to upload data from other places on to SFDC?
• Do you have any regional or geographic security requirements?
• Should this be driven from your SFDC login?
• Will the content be consumed on mobile devices and tablets?
• Why are today’s reporting capabilities insufficient?
• Do you have any existing reports built – can you share these?
• What other tools are you exploring?
• Are you interested in learning how we (Tableau) use Tableau on Salesforce?
• What browsers do you support in your environment? (***Sparkler does not work well with Firefox***)

5. CONSIDERATION MATRIXES
Matrixes:
Authentication Matrix
What form of authentication will be possible?
Data Connection Matrix
Should the SFDC native connector be used or replicate to an external DB?
Row Level Security Matrix
How can we handle row level security?

6. AUTHENTICATION MATRIX
Active Directory Local
Authentication
SAML/SSO
Tableau Server On
Premise
Sparkler w/ Trusted
Tickets
Sparkler w/ Trusted
Tickets
If same IDP as
Salesforce, just
Sparkler. No need
for Trusted Tickets
as SFDC and
Tableau use same
authentication
method
Tableau Online
Cloud
N/A Log-In to Tableau
Log-In to Salesforce
If SiteSAML is
enabled Sparkler
NOT needed

7. DATA CONNECTION MATRIX
Topic Native Connection Replication
Timeliness of data
refresh
• Extract only (low/moderate refresh
cycles)
• No date filter; can pull custom objects
• DB replication tools are doing the “extracting”
• Accessing replicated data on a live basis
• Tableau uses DBAmp* to replicate ~4x / hr
Performance for larger
SFDC envt’s
• TDE’s can take hours to build
• Better for larger SFDC environments
• Can also replicate other DB’s here to join
(instead of blending)
API Record Limits
Row security options • Data source filters
• Live connection  many options
• Use DB entitlements and/or permissions table
joined to Data Source
• Complex / custom security models (e.g.
manager to view all accounts in their org)
Integrating with other
data sources
• Cross DB Join limitations
• N / A
Pricing • Included in Tableau
• Ranges based on vendor
• Typically about a $2k / yr

8. ROW-LEVEL SECURITY MATRIX
Type How and Where Connection Considerations
Enforced by
DB
• Automated
• Managed in DB
Live only
• SFDC data must be replicated into a
relational source
• Single point to manage permissions
Hybrid
• Automated
• Managed in Data
Server
Live / Extract
• Use a security table in DB, enforce
the WHERE clause in Tableau
Completely
Managed in
Tableau
• Manual
• User filters built +
applied per workbook
Live / Extract
• Not typical for enterprise deployments
Bestpractice
Which records is the user able to see?

9. METHODS OF EMBEDDING

10. iFrame
o Easier; less hops =‘s snappier / better user experience with reduced load times
o Embed directly into VisualForce page or with a LWC (Lighting Web Component)
o SAML authentication means you don’t need to use extra steps w/ Canvas/Sparkler
Canvas + Sparkler
o SalesForce Canvas enables you to easily integrate a third-party application in Salesforce. Sparkler
provide a seamless embedding experience w/in Salesforce and Salesforce1 (mobile app) through
o Trusted Authentication – Sparkler integration requires Trusted Authentication to be turned on

11. IFRAME
SFDC Record /
VisualForce Page
Internet Browser
Server
1. Browser
request
2. SFDC renders
page in an
iframe
Browser Traffic
over HTTPS
3. Browser makes
direct Viz request
5. Server responds
to request and
interactivity
4. Server requests
authentication
Authentication Methods
• SAML
• Trusted Tickets
• Kerberos
• AD
• Local*
*Non-SSO

12. SALESFORCE CANVAS + SPARKLER
SFDC Record /
VisualForce Page
Internet Browser
Server
Sparkler
(Apache Tomcat)
1. Browser
request
2. SFDC renders page
in a Canvas iframe
3. SFDC javascript in
browser makes request
4. Trusted Ticket request
5. Trusted Ticket
provided
6. Viz embed-script with
Trusted Ticket returned
7. Browser makes
direct Viz request
8. Server responds
to request and
interactivity
Browser Traffic
over HTTPS
Traffic between
Sparkler and
Tableau Server
(no browser)

13. Salesforce
• Salesforce users must be able to reach Tableau Server and Salesforce at the same time from the same browser. Both must
• Salesforce (not the browser) must be able to communicate with the on-premises Sparkler adapter over HTTPS
Tableau Server
• Automatic sign-in is not enabled
• SSL is enabled. A commercial x.509 SSL certificate is highly recommended
• Trusted authentication is configured on the server. (If you are working with Tableau Online, as an alternative you can use
with SAML in the manual provided w/ the Sparkler download)
On-premises Sparkler adapter
• Java 8 or later is installed
• Sparkler Canvas On-Premises Deployment 7
• Tomcat 7 or later is installed
• SSL is enabled. A commercial x.509 SSL certificate is highly recommended
• The OpenSSL utility is installed. This is required on Windows in order to create RSA keys.
• A static IP is configured for the adapter. This is required for trusted authentication
• The Sparkler adapter must be able to communicate with Tableau Server over HTTPS.
CANVAS / SPARKLER PRE-REQS

14. SFDC INTEGRATION USING SPARKLER/CANVAS
(INTERNET FACING TABLEAU SERVER WITH SPARKLER HOST)
Webserver(Sparkler
host)
ExternalLoad
BalancerInternet DMZ Semi-
Private
Core
Network
Database
SAML
IDP
ReverseProxy
SFDC
Embedding via
Sparkler/Canvas

15. REVERSE PROXY SERVER
+ Second layer of defense
+ Routes traffic from external network to internal network
+ Shields identity of internal servers
Tableau
Server with or
without SSL
enabled
Client
This can even be the Tableau
Server itself
Apache Reverse Proxy Server
The reverse proxy is bound to the Tableau Server specified in the
configuration file
1 4
2
3
Client makes
request to
proxy server on
Port that
server is
Listening to
(443 if SSL)
Tableau Server
handles request per the
initiating request. If the
request was HTTPS
then it is secure. If the
request was HTTP then
it is open.
Tableau Server returns
data normally
Tableau Server data
shown but data
appears to have
originated from
Reverse Proxy Server
Default Listen Port
(normally 80)
Virtual Host Listening on
specified port (443 if SSL)
Virtual Path translated to
target URL path
Virtual Path translated to
target URL path
If SSL is enabled,
connection data is read
from SSL certificates

16. FAQS

17. FAQS
• How can customers embedding Tableau into Salesforce authenticate?
Tableau Server:
• Single Sign-On using SAML (without Sparkler)
• Customer must use a SAML Identity Provider, and both Tableau Server and Salesforce must both be configured to use
the same SAML Identity Provider
• Customer does not use Sparkler. Vizzes are embedded directly into VisualForce pages
• Sparkler/Salesforce Canvas (with Trusted Tickets)
• Customer configures Sparkler, Salesforce and Tableau Server as a standard Sparkler installation per Sparkler
documentation.
• Tableau Server authentication using Kerberos
• User separately logs into Salesforce. If configured correctly, customer does not use SSO, but rather, the login to Tableau
Server is transparent and handled by Windows. May not work on Macs, depending on configuration.
Tableau Online:
• • Single Sign-On using SAML (without Sparkler)
• Customer must use a SAML Identity Provider, and both Tableau Server and Salesforce must both be configured to use
the same SAML Identity Provider
• Vizzes are embedded directly into VisualForce pages.
Manual Login:
• Tableau Server and Tableau Online generate embed codes that can be placed into iFrames on the web. Users enter their Tableau credentials manually
each time to access the viz.

18. FAQS
What is Sparkler and what is Canvas?
• Sparkler is a Tableau extension written, maintained and supported by Tableau. Sparkler uses the Salesforce Canvas
web framework for rendering content in Salesforce. Sparkler essentially manages the handoff between Tableau
Server and Salesforce using Trusted Tickets. Sparkler only works with Tableau Server since Tableau Online does not
support Trusted Tickets.
• Salesforce Canvas is a web framework that lets you integrate 3rd-party applications (like Tableau) into Salesforce. It
is run in the browser and managed by Salesforce; it is not part of Sparkler itself

19. FAQS
Is SAML supported for Tableau Server?
• Yes! Users must use SAML support in Tableau Server; Tableau Server and Salesforce must be configured to use the
same SAML Identity Provider.
Is Active Directory a supported authentication method?
• If Tableau Server is configured to authenticate using Active Directory then Sparkler will work fine
• Some SAML Identity Providers support Active Directory
• OneLogin is an example of a SAML Identity Provider product that is:
• Used by Tableau internally
• Supports Active Directory
• Is relatively easy to configure (compared to many other SAML identity providers).

20. FAQS
Does Tableau support Sparkler?
• Yes! Tableau User Support provides configuration and debugging support for Sparkler. Additionally, ProServ is
trained to implement Sparkler, even in difficult network environments. Basic support is based on the PDF
documentation provided with the Sparkler installation.
How is row level and user security enforced in SFDC?
• The views loaded in SFDC using either Sparkler/Canvas or SSO are based on the user’s credentials. Workbooks and
data sources designed with the proper filters will display data specific to the authenticated user

21. FAQS
Why does Sparkler load vizzes in iFrames? Is there another way?
• iFrames are an integral part of the Salesforce Canvas web framework and are required to use Sparkler
What browsers are supported in the Sparkler/Canvas solution?
• Sparkler/Canvas works with most browsers EXCEPT Firefox. The SSO implementation works fine with all common browsers,
including Firefox
Can we use Sparkler with Amazon Web Services or other cloud hosting, what about Salesforce Heroku?
• Absolutely. Deploying Sparkler on an AWS EC2 instance running standard Linux is straightforward
• Heroku is not officially supported, visit the customer forums for more info the SF Champions Team

22. FAQS
Tableau Server is behind a firewall. Can we use Sparkler to get around this?
• In short, Sparkler itself won’t solve this problem as you cannot route/proxy Tableau Server traffic though Sparkler.
Sparkler is not a networking solution. It is an embedding solution. Networking needs to be resolved before
embedding can take place.
Will Sparkler work for my customer's specific network configuration?
• It depends. In short, the end user’s browser must be able to connect to Salesforce, Sparkler and Tableau Server
directly. Proxies may be required. Additionally, if the customer’s browser cannot communicate with Tableau Server
and SFDC at the same time – no embedding scenario will work.

23. FAQS
My customer’s field users can’t get to Tableau Server without a VPN connection. Can we use Sparkler to fix this?
• The end users browser must be able to communicate directly with Tableau Server. VPNs, and proxies are possible
solutions. Some customers may want to set up a different Tableau Server for field users outside of their network,
such as using AWS.
Is there any documentation about debugging Sparkler configurations and networking issues? Can Tableau help?
Yes! The Sparkler distribution zip file includes a PDF document. The Appendix provides a considerable amount of
information regarding configuring and debugging Sparkler setup and network issues.

24. FAQS
Can Tableau help with implementing Salesforce and Sparkler?
• Yes! Engaging Tableau Professional Services is highly recommended for Sparkler deployments. The team bills at the standard
services rate.
I have problems with my embedded vizzes. What’s wrong? Where do I get help?
• The first step is to determine if this issue is a Sparkler issue or not. Sparkler connectivity can be tested a number of ways as
described in the Sparkler PDF appendices. If the viz renders some of the time, it is probably not a Sparkler issue, as once the
page had loaded, Sparkler’s job is done. If there are problems with the actual embedding of vizzes in Salesforce pages, these
should be treated the same as standard, Tableau supported viz embedding feature of Tableau Server, and should be
supported as such.
• Because every customer’s environment is different, these implementations can be tricky. We recommend engaging Tableau
Professional Services for customers that want to deploy Sparkler.

25. RESOURCES

26. RESOURCES
• Native Connector
• Salesforce & Tableau: Better Together (Video)
• Embedding sales analytics with Salesforce Canvas
• Salesforce Canvas Adapter for Tableau
• How to Pull Tableau Dashboards into Your Salesforce Environment (Interworks)
• SFDC Developer Documentation:
• Bulk API Limitations