Update 03/31/2014: Tableau has released a Salesforce canvas solution, which consists of excellent documentation and example workbooks. Check out their blog post:
http://www.tableausoftware.com/about/blog/2014/3/now-available-salesforce-canvas-documentation-embedding-tableau-29499
Or download the zip file here
original post:
I wrote this up recently and I didn't want anyone else to have to slog through it... so enjoy!
Primer on Integration of the Tableau Platform with Salesforce
This document is broken out by “task”. Refer to each type of desired solution on the remaining pages.
Tasks:
- Get access to and analyze Salesforce data with offline/on-premise hardware using Tableau Desktop or Tableau Server.
- Get access to and analyze Salesforce data online/in the cloud using Tableau Desktop or Tableau Server.
- Provide row-level security for Salesforce data when using Tableau Desktop or Tableau Server (example: sales reps seeing only their relevant information)
- Provide URL links from a Tableau dashboard to relevant Salesforce information.
- Embed a Tableau dashboard into the Salesforce web interface. (example: when looking at an account in Salesforce, there is a Tableau dashboard embedded into the account view showing details for that account)
- Integrate Salesforce authentication with Tableau Server authentication when all users are behind a firewall using Active Directory. Desired behavior is that end users only have to log into a web application once.
- Integrate Salesforce authentication with Tableau Server authentication when users are outside a firewall and not using Active Directory. Desired behavior is that end users only have to log into a web application once.
- Encryption technologies. Ensure that Tableau Server is running with SSL enabled.
1 – Get access to and analyze Salesforce data with offline/on-premise hardware using Tableau Desktop or Tableau Server.
In this initial example, we want
to pull Salesforce data out of the cloud and into an on-premise data warehouse.
This can be achieved using a third party tool such as www.dbamp.com:
| Pros | Cons |
| --- | --- |
| Provides an easy, automated method of aggregating Salesforce data offline for analytics | Requires on-premise hardware and local installation of SQL Server. |
| Allows integration with other local systems inside the corporate network | Requires configuration and setup and ongoing DB maintenance. |
| All standard and custom Salesforce objects are supported. | |
There are other ODBC tools out
there as well. The same basic concept applies: using a third-party ETL process,
you can pull Salesforce objects and data out of Salesforce and into a data
warehouse of your choosing. At this point, the data is available to all users
inside of a corporate network. Tableau Desktop and Tableau Server connect to
this data just like any other supported data source.
2 - Get access to and analyze Salesforce data online/in the cloud using
Tableau Desktop or Tableau Server.
In this example, we want to pull
Salesforce data out of the Salesforce cloud and put it into Tableau Server
directly. For this connection type, we recommend Tableau’s Salesforce
connector:
In this mode, Tableau will use
the Salesforce API and perform a query and retrieval of data from Salesforce. Tableau
Desktop will automatically extract the data using our fast in-memory data
engine:
This type of connection will work
anywhere, anytime. As long as Tableau Desktop and Tableau Server have access to
Salesforce, you can use the built-in live connector to retrieve Salesforce
information.
Once extracted, you can perform
incremental updates against the Salesforce object. This is a very efficient way
of maintaining the latest most up-to-date information inside of Tableau Desktop
or Tableau Server:
Furthermore, you can schedule
this extraction using Tableau Server. You will need to embed credentials at the
time you publish the Tableau data connection:
Tableau Server will then
automatically perform incremental refreshes of this data connection:
At this point you have a
continuous and full data analytics experience for Salesforce data; the data
originates in Salesforce and ends up inside of the Tableau Server “Data Server”
and is now available for any new connections, whether in the browser or Tableau
Desktop:
3 - Provide row-level security for Salesforce data when using Tableau
Desktop or Tableau Server. Example: sales reps seeing only their relevant information.
Regardless of the authentication
solution (see later sections), once your users are connected to the Salesforce
data, you may want or require them to see only their data. In the previous
section (2) we connected to Salesforce using Tableau’s native connector. This
connection used the current user at the time of the connection. Tableau does
not currently support a truly “live” connection to Salesforce data because it
would be quite slow and would also utilize the Salesforce API quota extensively
and expensively. Plus, the native Salesforce web user interface already serves
this purpose.
In lieu of a live connection
which would handle per-user security just as if you were logging into
Salesforce directly, Tableau supports row-level security models by identifying
the currently logged-in Tableau Server or Tableau Desktop user and then
comparing this information against actual data. Remember that in section 1 and
2 we already received this data or information. All we need to do now is
compare Tableau users to this information. An example Tableau Server user ID
such as “Adam King”…
…would be matched up against the
accounts that Adam King owns by creating a Tableau calculated field like so:
In the calculation shown above,
the function FULLNAME() returns the full name of the Tableau Server user ID, and
[Owner name] is a Salesforce field on the accounts object.
You can then add this filter to
your views and dashboards. Each user will only see their data at this point.
Further, you can add this filter to the data source directly – it will never be
exposed and will always enforce row-level security across your organization:
This type of configuration can be
for convenience to simply reduce the “data noise” associated with large sales
or services teams – the default for individuals would be to see only their
data, but still browse other people’s data. Or, this configuration can be truly
locked down and secure – the default for individuals is that they would only
see their data with no exceptions. The Tableau platform supports either of
these modes.
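The name-based filter described in this section, modeled over constructed rows next to a filter keyed on the Salesforce user ID (an added example, not part of the original post; the Account rows, USER_MAP and all function names are assumptions for illustration). It shows a name shared by two reps exposing both reps' accounts, and a check that lists such ambiguous names before the filter is relied on.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    owner_name: str  # Salesforce [Owner name]
    owner_id: str    # Salesforce user ID of the owner

# Constructed sample rows: two different reps are both named "Adam King".
ACCOUNTS = [
    Account("Acme", "Adam King", "005A0000001aaaa"),
    Account("Globex", "Adam King", "005A0000001bbbb"),
    Account("Initech", "Dana Wu", "005A0000001cccc"),
]

# Hypothetical mapping table: Tableau Server username -> Salesforce user ID.
USER_MAP = {"aking": "005A0000001aaaa", "dwu": "005A0000001cccc"}

def rows_by_full_name(full_name, accounts=ACCOUNTS):
    """Models the filter FULLNAME() = [Owner name]."""
    return [a.name for a in accounts if a.owner_name == full_name]

def rows_by_user_id(username, accounts=ACCOUNTS, user_map=USER_MAP):
    """Filter on the owner's Salesforce user ID; unmapped users see nothing."""
    owner_id = user_map.get(username)
    if owner_id is None:
        return []  # fail closed: no mapping means no rows
    return [a.name for a in accounts if a.owner_id == owner_id]

def ambiguous_owner_names(accounts=ACCOUNTS):
    """Owner names that belong to more than one Salesforce user ID."""
    ids_by_name = defaultdict(set)
    for a in accounts:
        ids_by_name[a.owner_name].add(a.owner_id)
    return {n for n, ids in ids_by_name.items() if len(ids) > 1}

if __name__ == "__main__":
    print(rows_by_full_name("Adam King"))  # both reps' accounts
    print(rows_by_user_id("aking"))        # only this rep's account
    print(ambiguous_owner_names())
```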
4 - Provide URL links from a Tableau dashboard to relevant Salesforce
information.
A common requirement for Tableau
users is to link out from a Tableau dashboard back to the Salesforce web user
interface. This is easily achieved using Tableau “Actions”. The action would
key off of the Salesforce object ID. The destination URL is the standard
Salesforce URL https://na4.salesforce.com/
In Tableau Desktop, you can
design a URL action on any sheet or dashboard. For example, to create an action
which links out to the Salesforce “Lead” object, your action would look like
this:
Once created, this action would
look like the following on a Tableau dashboard:
5 - Embed a Tableau dashboard into the Salesforce web interface. Example:
when looking at an account in Salesforce, there is a Tableau dashboard embedded
into the account view showing details for that account.
In contrast to the previous
example, Tableau customers also want to embed a Tableau dashboard directly into
their Salesforce portal. This is also achieved through the use of URL
manipulation. The URL control is in the opposite
direction from the previous example: Salesforce is controlling a Tableau
dashboard.
Two design choices are required
for this to work. These include: A) Both Salesforce and Tableau Server need to
be accessible to the end users on a network and transport level, and B)
Authentication choices need to be made (see next two sections).
Assuming both A and B are
satisfied, setting up an embedded Tableau visual inside of Salesforce has two
main steps. The first is creating a Salesforce APEX frame – this is usually
done by a Salesforce administrator. The frame code looks like the following:
<apex:page standardController="Account"><apex:iframe src="http://tableauserver/views/SFDC_viz/dashboard?:embed=yes&:tabs=no&AccountID={!Account.Id}" height="340px" width="910px" scrolling="false"/></apex:page>
The Salesforce administrator will
take the following basic steps to create and use this code:
- Create a visualforce page with an iframe to display the viz.
- The standardController is the name of the object that is related to the ID you will be passing.
- The {!Account.Id} merge field will not work unless the standardController is set properly on the page.
- See the online visualforce documentation (http://www.salesforce.com/us/developer/docs/pages/index.htm) for details about the standard component.
The reason this works is that all
published Tableau Server visualizations can “receive” filters on the URL
directly. In the above example, we want to provide an account overview using a
Tableau Visual. We create this dashboard in Tableau Desktop, and Publish to
Tableau Server. This dashboard contains the field “AccountID” somewhere on the
level of detail for the visual. The APEX code invokes the URL and hands in the
current Account ID at run time. This is notated with Salesforce syntax: {!Account.Id}
This is very straight-forward to configure. You can of course design your embedded dashboards to look however you want them to.
6 - Integrate Salesforce authentication with Tableau Server
authentication when all users are behind a firewall using Active Directory. Desired
behavior is that end users only have to log into a web application once.
This section assumes you also have
section 5 in mind: the ability to embed Tableau visuals directly in Salesforce.
In section 6 and 7, we introduce the two main methods of authentication most
commonly seen by our customers. Both of these methods have as their main
desired behavior the following statement:
“End users should not
have to log in twice, once to the Salesforce system and a second time to
Tableau Server.”
When all users will be accessing
Salesforce from behind a corporate network and firewall, this is fairly
straightforward. Tableau Server should be installed/deployed using “Active
Directory” mode.
End users will still need to log
into Salesforce, but any embedded Tableau visuals or dashboards will pick up the
current identity of the user using the web browser’s existing credentials. This
is a built-in feature of Tableau Server and is achieved with a Microsoft security
mechanism known as “SSPI”.
In section 3 we discussed
row-level security requirements. These would still apply and some considerations
of the data model need to be taken into account:
a) If we have end users logging into Salesforce with their email address, we will need some type of data-driven mapping which associates their email address with their Active Directory Account.
b) Alternatively, we can retrieve the end users’ “Full Name” which will often match across multiple systems. The “Full Name” can be retrieved in a Tableau calculated field with the FULLNAME() function.
c) Lastly, the Salesforce user ID itself makes an excellent join candidate when creating robust data-driven security solutions, as this alphanumeric string never changes over time.
7 - Integrate Salesforce authentication with Tableau Server
authentication when users are outside a firewall and not using Active
Directory. Desired behavior is that end users only have to log into a web
application once.
If Active Directory is not an option due to network and
remote office considerations, and a single sign-on experience is still a
requirement, then the remaining alternative for Tableau Server is to enable
“Trusted Tickets Authentication”. This is discussed in the online
documentation here.
Tableau’s “trusted tickets” authentication works by
having Tableau Server 100% trust an existing external web application, in this
case Salesforce. This trust is established on an IP address basis.
Because Salesforce cannot present itself to an external
application by IP address, in order to integrate the authentication, Tableau
customers stand up a machine which acts as a proxy between Tableau Server and
Salesforce.
Tableau Server only has to trust this one single proxy
machine. This machine in turn simply acts as a wrapper for the Salesforce apex
frame.
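A sketch of the proxy machine's side of this exchange (an added example, not part of the original post and not Tableau's code): the proxy posts the user name to Tableau Server's `/trusted` endpoint, which answers with a ticket or `-1`, and then builds the iframe URL from section 5 with the ticket in the path. The server name, view path, function names and the injectable `post` transport are assumptions for illustration.

```python
import re
import urllib.request
from urllib.parse import urlencode

SALESFORCE_ID = re.compile(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?")
URL_BREAKING = re.compile(r"[/?#\s]")  # characters that would alter the URL

class TicketError(Exception):
    """Tableau Server did not issue a usable ticket."""

def http_post(url, body):
    """Default transport: POST form data, return the response body as text."""
    req = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def request_ticket(server, username, post=http_post):
    """Ask Tableau Server for a ticket for `username`.

    The caller must take `username` from the session the proxy authenticated
    itself, never from a request parameter: Tableau Server trusts whatever
    name the proxy sends.
    """
    body = urlencode({"username": username}).encode("ascii")
    ticket = post(f"{server}/trusted", body).strip()
    if not ticket or ticket == "-1" or URL_BREAKING.search(ticket):
        raise TicketError(f"no ticket issued for {username!r}")
    return ticket

def embed_url(server, username, view_path, account_id, post=http_post):
    """Build the iframe URL for one account view, carrying a fresh ticket."""
    if not server.startswith("https://"):
        raise ValueError("Tableau Server must be reached over SSL")
    if not SALESFORCE_ID.fullmatch(account_id):
        raise ValueError("AccountID is not a 15- or 18-character Salesforce ID")
    ticket = request_ticket(server, username, post)
    query = ":embed=yes&:tabs=no&" + urlencode({"AccountID": account_id})
    return f"{server}/trusted/{ticket}/{view_path}?{query}"
```

Both input checks run before a ticket is requested, so a malformed AccountID or a plain-HTTP server address never results in a ticket being issued.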
8 – Encryption and SSL.
Because Salesforce has SSL enabled by default, you will
want to enable SSL support for Tableau Server. Otherwise, your end users may
get a warning in their browser about mixed content, which is undesirable from an IT
point of view. To enable SSL support, review the
online help here.
Good luck and happy
integrating!!
11 comments:
This is a wonderful list of tips for how to connect to Salesforce.com through Tableau. I am just starting to research about it and having all the issues discussed in one page is great and is very handy. Thank you so much.
This is a good list of "to do's" in maximizing Tableau and SFDC data. Have you tried using the force.com canvas of SFDC and use Tableau in it?
Thanks!
-alvin
Hi Alan
thank you for a v useful link
FYI - regarding task 3 (implement row level security), please note that SFDC supports an elaborate record level sharing model (roles, teams, manual sharing and sharing rules), therefore simply matching the Tableau user name to the SFDC record owner name would not always work.
In those scenarios, I'd recommend using the Tableau desktop client, whereby each user logs in with their SFDC user, as SFDC implements row level security via its API.
Pro would be supporting the SFDC record level security model in Tableau
Cons would be increase API usage as you mentioned, and potentially additional SFDC license cost (if the customer has prof. edition with no api access)
Hi Alan
one more comment - FYOI - SFDC supports various SSO models (Oauth, SAML etc) out of the box, which should handle tasks 6 & 7 - so you need to either setup an identity provider and have SFDC & Tableau subscribe to it, or you could even use SFDC as the identity provider
Hi Alan,
Thanks for the wonderful post it is really very helpful.
One thing I could not understand is how to use the Active Directory to get salesforce users data.
I am using Tableau Server on my machine and when I made its authentication use Active Directory it asks me for my domain name, and if I am giving the Salesforce domain in that it is not connecting. Cannot understand how to use Salesforce's Active Directory for Tableau Server authentication.
Thank you
There's no direct bridge between AD and salesforce. The assumption here is that the browser itself is logged into both salesforce as well as your AD domain. Thus it appears to be a SSO experience. Hope that helps!
Hello,
I am facing a problem in point 7. I am not able to generate the ticket. It works fine with a normal POST request but from Salesforce it gives an error every time.
I am not clear with "Because Salesforce cannot present itself to an external application by IP address, in order to integrate the authentication, Tableau customers stand up a machine which acts as a proxy between Tableau Server and Salesforce.
Tableau Server only has to trust this one single proxy machine. This machine in turn simply acts as a wrapper for the Salesforce apex frame."
Can you please shed more light on this?
Also if someone can explain how to embed Dashboard using Force.com Canvas? Would I need to use Heroku in that case because I am newbie in that.
How to do Salesforce single sign-on with Tableau? Can anyone explain it clearly please.
Please can someone let me know the point 3 in detail please..
Worthful Tableau tutorial. Appreciate a lot for taking up the pain to write such a quality content on Tableau tutorial. Just now I watched this similar Tableau tutorial and I think this will enhance the knowledge of other visitors for sure. Thanks anyway.:-https://www.youtube.com/watch?v=Ny6h82Qy4tA&t=11s