3. KEY TERMS
• Sparkler: Java-based Tableau extension written, maintained, and supported by Tableau
• Canvas: Salesforce web framework for rendering content
• Trusted Tickets: The way Tableau Server authenticates users on sites with embedded vizzes
• SSO: Single Sign-On; a system where a user logs in once to a login/identity system and is then automatically logged into other connected systems.
• SAML: Security Assertion Markup Language; a type of security token used by SSO and provided by an IdP. Used for exchanging authentication and authorization data.
• IdP: Identity Provider; authenticates a user using security tokens (e.g. logging in to Twitter using a Facebook account)
4. SAMPLE DISCOVERY QUESTIONS
• Describe a day in the life of the people consuming the reports?
• Are there different kinds of profiles (exec / manager / analyst)?
• What kind of decisions are you making from this?
• Are you looking for a simple snapshot reporting tool or an analytics tool that enables you to dig in and answer follow-up questions?
• How large of a community will be consuming these visualizations?
• Are you or anyone in your organization using Tableau today?
• Does all the data to support your questions + dashboards come from SFDC, or are there other sources (Excel, databases, data warehouse, etc.)?
• Do you want to have to upload data from other places onto SFDC?
• Do you have any regional or geographic security requirements?
• Should this be driven from your SFDC login?
• Will the content be consumed on mobile devices and tablets?
• Why are today’s reporting capabilities insufficient?
• Do you have any existing reports built – can you share these?
• What other tools are you exploring?
• Are you interested in learning how we (Tableau) use Tableau on Salesforce?
• What browsers do you support in your environment? (***Sparkler does not work well with Firefox***)
5. CONSIDERATION MATRIXES
• Authentication Matrix: What form of authentication will be possible?
• Data Connection Matrix: Should the SFDC native connector be used, or should data be replicated to an external DB?
• Row Level Security Matrix: How can we handle row level security?
6. AUTHENTICATION MATRIX
(columns: Active Directory / Local Authentication / SAML/SSO)
• Tableau Server (on premise)
  o Active Directory: Sparkler w/ Trusted Tickets
  o Local Authentication: Sparkler w/ Trusted Tickets
  o SAML/SSO: If same IdP as Salesforce, just Sparkler. No need for Trusted Tickets, as SFDC and Tableau use the same authentication method
• Tableau Online (cloud)
  o Active Directory: N/A
  o Local Authentication: Log in to Tableau; log in to Salesforce
  o SAML/SSO: If site SAML is enabled, Sparkler is NOT needed
7. DATA CONNECTION MATRIX
(columns: Topic / Native Connection / Replication)
• Timeliness of data refresh
  o Native Connection: Extract only (low/moderate refresh cycles); no date filter; can pull custom objects
  o Replication: DB replication tools are doing the “extracting”; replicated data is accessed on a live basis; Tableau uses DBAmp* to replicate ~4x / hr
• Performance for larger SFDC environments
  o Native Connection: TDEs can take hours to build
  o Replication: Better for larger SFDC environments; other DBs can also be replicated here to join (instead of blending)
• API Record Limits
• Row security options
  o Native Connection: Data source filters
  o Replication: Live connection, many options; use DB entitlements and/or a permissions table joined to the data source; complex / custom security models (e.g. manager can view all accounts in their org)
• Integrating with other data sources
  o Native Connection: Cross-DB join limitations
  o Replication: N/A
• Pricing
  o Native Connection: Included in Tableau
  o Replication: Ranges based on vendor; typically about $2k / yr
8. ROW-LEVEL SECURITY MATRIX
(columns: Type / How and Where / Connection / Considerations)
• Enforced by DB
  o How and where: Automated; managed in DB
  o Connection: Live only
  o Considerations: SFDC data must be replicated into a relational source; single point to manage permissions
• Hybrid
  o How and where: Automated; managed in Data Server
  o Connection: Live / Extract
  o Considerations: Use a security table in the DB, enforce the WHERE clause in Tableau
• Completely Managed in Tableau
  o How and where: Manual; user filters built + applied per workbook
  o Connection: Live / Extract
  o Considerations: Not typical for enterprise deployments
Best practice
Which records is the user able to see?
10. iFrame
o Easier; fewer hops means a snappier / better user experience with reduced load times
o Embed directly into a VisualForce page or with an LWC (Lightning Web Component)
o SAML authentication means you don’t need the extra steps w/ Canvas/Sparkler
Canvas + Sparkler
o Salesforce Canvas enables you to easily integrate a third-party application in Salesforce. Sparkler provides a seamless embedding experience w/in Salesforce and Salesforce1 (mobile app) through
o Trusted Authentication – Sparkler integration requires Trusted Authentication to be turned on
11. IFRAME
Diagram components: SFDC Record / VisualForce Page, Internet Browser, Server. Browser traffic is over HTTPS.
1. Browser request
2. SFDC renders page in an iframe
3. Browser makes direct Viz request
4. Server requests authentication
5. Server responds to request and interactivity
Authentication Methods
• SAML
• Trusted Tickets
• Kerberos
• AD
• Local*
*Non-SSO
12. SALESFORCE CANVAS + SPARKLER
Diagram components: SFDC Record / VisualForce Page, Internet Browser, Server, Sparkler (Apache Tomcat). Browser traffic is over HTTPS; traffic between Sparkler and Tableau Server does not involve the browser.
1. Browser request
2. SFDC renders page in a Canvas iframe
3. SFDC javascript in browser makes request
4. Trusted Ticket request
5. Trusted Ticket provided
6. Viz embed-script with Trusted Ticket returned
7. Browser makes direct Viz request
8. Server responds to request and interactivity
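The trusted-ticket handoff in steps 4 to 6 above, as an added example (not Tableau's or Sparkler's own code) of what a Sparkler-style adapter does server-side: it POSTs the username to Tableau Server's /trusted endpoint, treats a -1 reply as a refusal, and only then hands the browser a redeem URL. The hostname, site name, ticket value and the `fake_post` transport are constructed so the flow runs offline.

```python
# Added example (not Tableau's or Sparkler's code): the server-side trusted-ticket
# handoff of steps 4-6 in the Canvas diagram. The POST transport is injected so
# the flow runs offline against a constructed stand-in for Tableau Server.
from urllib.parse import urlencode, quote

TABLEAU_SERVER = "https://tableau.example.com"  # constructed hostname


def ticket_request(username, target_site=None, client_ip=None):
    """Build the POST to Tableau Server's /trusted endpoint (step 4).

    Tableau Server only answers requests from a configured trusted host,
    which is why the Sparkler adapter needs a static IP and why the
    browser is never on this leg of the exchange.
    """
    form = {"username": username}
    if target_site:          # omit for the Default site
        form["target_site"] = target_site
    if client_ip:            # only when client IP matching is enabled
        form["client_ip"] = client_ip
    return TABLEAU_SERVER + "/trusted", urlencode(form)


def parse_ticket(body):
    """Step 5: the response body is the ticket text, or -1 when the server
    refuses (unknown user, untrusted requesting host, trusted auth off)."""
    body = body.strip()
    return None if body in ("", "-1") else body


def viz_url(ticket, workbook, view, target_site=None):
    """Step 6: the redeem URL handed back to the browser. A ticket is
    single-use and expires within minutes, so one is minted per page load."""
    site = f"/t/{quote(target_site, safe='')}" if target_site else ""
    return (f"{TABLEAU_SERVER}/trusted/{quote(ticket, safe='')}{site}"
            f"/views/{quote(workbook, safe='')}/{quote(view, safe='')}?:embed=yes")


def embed_url_for(post, username, workbook, view, target_site=None,
                  client_ip=None):
    """Whole handoff. `post(url, body) -> str` is the HTTP transport."""
    url, body = ticket_request(username, target_site, client_ip)
    ticket = parse_ticket(post(url, body))
    if ticket is None:
        raise PermissionError(f"Tableau Server refused a ticket for {username!r}")
    return viz_url(ticket, workbook, view, target_site)


def fake_post(url, body):
    """Constructed stand-in for Tableau Server's /trusted endpoint (no network):
    issues a sample ticket for alice and refuses everyone else."""
    if not url.endswith("/trusted"):
        raise ValueError("unexpected endpoint: " + url)
    return "Etdpsm_Ew6rJY-9kRrALjauU" if "username=alice" in body else "-1"


if __name__ == "__main__":
    print(embed_url_for(fake_post, "alice", "Sales", "Pipeline", "SFDC"))
```

Because the ticket is single-use and short-lived, the adapter must mint a fresh one on every page load rather than caching it; the refusal path is the one to log, since a -1 usually means the adapter's IP is not in the server's trusted-hosts list.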
13. CANVAS / SPARKLER PRE-REQS
Salesforce
• Salesforce users must be able to reach Tableau Server and Salesforce at the same time from the same browser. Both must
• Salesforce (not the browser) must be able to communicate with the on-premises Sparkler adapter over HTTPS
Tableau Server
• Automatic sign-in is not enabled
• SSL is enabled. A commercial X.509 SSL certificate is highly recommended
• Trusted authentication is configured on the server. (If you are working with Tableau Online, as an alternative you can use SAML, as described in the manual provided w/ the Sparkler download)
On-premises Sparkler adapter
• Java 8 or later is installed
• Tomcat 7 or later is installed
• SSL is enabled. A commercial X.509 SSL certificate is highly recommended
• The OpenSSL utility is installed. This is required on Windows in order to create RSA keys.
• A static IP is configured for the adapter. This is required for trusted authentication
• The Sparkler adapter must be able to communicate with Tableau Server over HTTPS.
14. SFDC INTEGRATION USING SPARKLER/CANVAS
(INTERNET FACING TABLEAU SERVER WITH SPARKLER HOST)
Architecture diagram (network zones): Internet, DMZ, Semi-Private, Core Network.
Components: SFDC (embedding via Sparkler/Canvas), SAML IdP, External Load Balancer, Reverse Proxy, Web server (Sparkler host), Database.
15. REVERSE PROXY SERVER
+ Second layer of defense
+ Routes traffic from external network to internal network
+ Shields identity of internal servers
Diagram: Client -> Apache Reverse Proxy Server (this can even be the Tableau Server itself) -> Tableau Server with or without SSL enabled. The reverse proxy is bound to the Tableau Server specified in the configuration file.
Apache Reverse Proxy Server:
• Default listen port (normally 80)
• Virtual host listening on the specified port (443 if SSL)
• Virtual path translated to target URL path
• If SSL is enabled, connection data is read from SSL certificates
1. Client makes request to proxy server on the port that server is listening to (443 if SSL)
2. Virtual path translated to target URL path
3. Tableau Server handles request per the initiating request. If the request was HTTPS then it is secure. If the request was HTTP then it is open. Tableau Server returns data normally
4. Tableau Server data shown, but data appears to have originated from the Reverse Proxy Server
17. FAQS
How can customers embedding Tableau into Salesforce authenticate?
Tableau Server:
• Single Sign-On using SAML (without Sparkler)
  o Customer must use a SAML Identity Provider, and both Tableau Server and Salesforce must be configured to use the same SAML Identity Provider
  o Customer does not use Sparkler. Vizzes are embedded directly into VisualForce pages
• Sparkler/Salesforce Canvas (with Trusted Tickets)
  o Customer configures Sparkler, Salesforce and Tableau Server as a standard Sparkler installation per Sparkler documentation.
• Tableau Server authentication using Kerberos
  o User separately logs into Salesforce. If configured correctly, customer does not use SSO, but rather, the login to Tableau Server is transparent and handled by Windows. May not work on Macs, depending on configuration.
Tableau Online:
• Single Sign-On using SAML (without Sparkler)
  o Customer must use a SAML Identity Provider, and both Tableau Server and Salesforce must be configured to use the same SAML Identity Provider
  o Vizzes are embedded directly into VisualForce pages.
Manual Login:
• Tableau Server and Tableau Online generate embed codes that can be placed into iFrames on the web. Users enter their Tableau credentials manually each time to access the viz.
18. FAQS
What is Sparkler and what is Canvas?
• Sparkler is a Tableau extension written, maintained and supported by Tableau. Sparkler uses the Salesforce Canvas web framework for rendering content in Salesforce. Sparkler essentially manages the handoff between Tableau Server and Salesforce using Trusted Tickets. Sparkler only works with Tableau Server since Tableau Online does not support Trusted Tickets.
• Salesforce Canvas is a web framework that lets you integrate 3rd-party applications (like Tableau) into Salesforce. It is run in the browser and managed by Salesforce; it is not part of Sparkler itself.
19. FAQS
Is SAML supported for Tableau Server?
• Yes! Users must use SAML support in Tableau Server; Tableau Server and Salesforce must be configured to use the same SAML Identity Provider.
Is Active Directory a supported authentication method?
• If Tableau Server is configured to authenticate using Active Directory then Sparkler will work fine
• Some SAML Identity Providers support Active Directory
• OneLogin is an example of a SAML Identity Provider product that is:
  o Used by Tableau internally
  o Supports Active Directory
  o Relatively easy to configure (compared to many other SAML identity providers).
20. FAQS
Does Tableau support Sparkler?
• Yes! Tableau User Support provides configuration and debugging support for Sparkler. Additionally, ProServ is trained to implement Sparkler, even in difficult network environments. Basic support is based on the PDF documentation provided with the Sparkler installation.
How is row-level and user security enforced in SFDC?
• The views loaded in SFDC using either Sparkler/Canvas or SSO are based on the user’s credentials. Workbooks and data sources designed with the proper filters will display data specific to the authenticated user.
21. FAQS
Why does Sparkler load vizzes in iFrames? Is there another way?
• iFrames are an integral part of the Salesforce Canvas web framework and are required to use Sparkler
What browsers are supported in the Sparkler/Canvas solution?
• Sparkler/Canvas works with most browsers EXCEPT Firefox. The SSO implementation works fine with all common browsers, including Firefox
Can we use Sparkler with Amazon Web Services or other cloud hosting, what about Salesforce Heroku?
• Absolutely. Deploying Sparkler on an AWS EC2 instance running standard Linux is straightforward
• Heroku is not officially supported; visit the customer forums for more info, or contact the SF Champions Team
22. FAQS
Tableau Server is behind a firewall. Can we use Sparkler to get around this?
• In short, Sparkler itself won’t solve this problem, as you cannot route/proxy Tableau Server traffic through Sparkler. Sparkler is not a networking solution. It is an embedding solution. Networking needs to be resolved before embedding can take place.
Will Sparkler work for my customer's specific network configuration?
• It depends. In short, the end user’s browser must be able to connect to Salesforce, Sparkler and Tableau Server directly. Proxies may be required. Additionally, if the customer’s browser cannot communicate with Tableau Server and SFDC at the same time, no embedding scenario will work.
23. FAQS
My customer’s field users can’t get to Tableau Server without a VPN connection. Can we use Sparkler to fix this?
• The end user’s browser must be able to communicate directly with Tableau Server. VPNs and proxies are possible solutions. Some customers may want to set up a different Tableau Server for field users outside of their network, such as using AWS.
Is there any documentation about debugging Sparkler configurations and networking issues? Can Tableau help?
• Yes! The Sparkler distribution zip file includes a PDF document. The Appendix provides a considerable amount of information regarding configuring and debugging Sparkler setup and network issues.
24. FAQS
Can Tableau help with implementing Salesforce and Sparkler?
• Yes! Engaging Tableau Professional Services is highly recommended for Sparkler deployments. The team bills at the standard services rate.
I have problems with my embedded vizzes. What’s wrong? Where do I get help?
• The first step is to determine whether this is a Sparkler issue or not. Sparkler connectivity can be tested a number of ways as described in the Sparkler PDF appendices. If the viz renders some of the time, it is probably not a Sparkler issue, as once the page has loaded, Sparkler’s job is done. If there are problems with the actual embedding of vizzes in Salesforce pages, these should be treated the same as the standard, Tableau-supported viz embedding feature of Tableau Server, and should be supported as such.
• Because every customer’s environment is different, these implementations can be tricky. We recommend engaging Tableau Professional Services for customers that want to deploy Sparkler.
26. RESOURCES
• Native Connector
• Salesforce & Tableau: Better Together (Video)
• Embedding sales analytics with Salesforce Canvas
• Salesforce Canvas Adapter for Tableau
• How to Pull Tableau Dashboards into Your Salesforce Environment (Interworks)
• SFDC Developer Documentation:
  o Bulk API Limitations
Editor's Notes
First option – explain that it needs to be a replicated DB
Note: Browser must be able to communicate with both Salesforce and Tableau Server directly. This diagram does not include any network details including firewalls or load balancers.
Can pass variables / parameters in URLs
Note: Sparkler/Canvas does not work with Firefox. The SSO implementation works fine with all common browsers, including Firefox.
This architecture would be used for setting up Salesforce integration with Tableau Server (embedding Dashboards and Vizs in SFDC via Sparkler/Canvas)
A reverse proxy is a server that sits “in front” of the Tableau Server (or maybe multiple servers). It receives requests from clients for network resources and forwards them on to the desired location – presumably one of the Tableau Servers (a destination server) or possibly another proxy. Unlike a forward proxy, a reverse proxy does not require any client side configuration and all network requests are handled transparently by the reverse proxy.
Tableau will work with a proxy server as long as they are not doing context switching (www.domain.com/tableau = NOT OKAY vs. www.tableau.domain.com = OK)
The proxy server & DMZ setup may be an alternative to VPN
---------------------------------------------
Why use a reverse proxy?
Add an extra layer of security to Internet and DMZ facing services
A proxy can be useful in allowing requests to be made to the Tableau Servers without having to make the IP of the server itself visible to users. Proxy servers are different from NAT in that NAT is transparent to the source and destination computers: neither one realizes that it is dealing with a third device. A proxy server is not transparent. In a reverse proxy, the client thinks it is making a request to the target server and deals with it directly. The target server knows it is sending a response to the proxy server and must be configured to do so. Because proxy servers work at layer 4 (transport) of the OSI Reference Model or higher, while NAT is a layer 3 (network) protocol, proxy servers are usually slower than NAT devices.
It can also be useful, as a load balancing mechanism, enabling multiple Tableau Servers to share work, while still allowing a user to direct his requests to a single address.
It allows you to stream content from internal network services to Internet users without having to store that content in the DMZ (this can be important for organizations that are subject to PCI, HIPAA, SOX or other requirements).
And it can also add high availability to mission critical network services.
------------------------------------------------------------------------------------------------------------------------------------------
How does a reverse proxy work?
A client initiates a connection to the target reverse proxy service
This can be any network service you designate such as FTP/S, HTTP/S, SFTP, or SSH
The reverse proxy accepts the connection on behalf of the client to the destination service
At this point the network output stream to the client is piped by the reverse proxy to the destination server and vice versa
This creates a completely transparent connection between the client and the destination service
------------------------------------------------------------------------------------------------------------------------------------------
A reverse proxy server, like a proxy server is an intermediary, but is used the other way around. Instead of providing a service to internal users wanting to access an internal network, it provides indirect access for an external network (usually the Internet) to internal resources. This is an extra layer of security, which is particularly recommended when internal resources need to be accessed from the outside. Usually a reverse proxy mechanism is provided by using an application layer firewall as they focus on the specific shape of the traffic rather than controlling access to specific TCP and UDP ports as a packet filter firewall does.
------------------------------------------------------------------------------------------------------------------------------------------
A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the proxy server itself. While a forward proxy acts as an intermediary for its (usually nearby) associated client(s) and returns to them resources accessible on the Internet, a reverse proxy acts as an intermediary for its (usually nearby) associated server(s) and only returns resources provided by those associated server(s).
Reverse proxies can hide the existence and characteristics of the origin server(s).
The proxy server is the only IP allowed to talk to Tableau Server inside/through the firewall.
------------------------------------------------------------------------------------------------------------------------------------------
Customers often use reverse proxy servers to obfuscate where things are coming from, to simplify things for end users, or allow more flexibility for disaster recovery (e.g. if one cluster goes down, a reverse proxy can redirect traffic to another cluster).
Tableau Server works well with proxy servers as long as they are not doing context switching. For example tableau.com/domain versus domain.com/tableau
-------------------------------------------------------------------------------------------------------------------------------------------
A proxy server may act as a firewall by responding to input packets (connection requests for example) in the manner of an application, while blocking other packets. A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user.