Configure Databricks sign-on from Tableau Server

This article describes how to configure Databricks sign-on from Tableau Server. After you complete this one-time configuration as a Databricks account admin, users can connect from Tableau Server using SSO authentication.

The steps in this article aren't needed for Tableau Desktop and Tableau Cloud, which are enabled as OAuth applications in your Databricks account by default.

You can configure Tableau login with SSO using OIDC and SAML. See Configure Tableau and Power BI OAuth with SAML SSO. OAuth tokens for Tableau expire after 90 days. To override this policy, see Override the default token lifetime policy for Tableau Cloud or Tableau Server.

This article is specific to custom Tableau Server OAuth application creation. For generic custom OAuth application creation steps, see the following:

• Enable custom OAuth applications using the Databricks UI

• Enable custom OAuth applications using the CLI

Before you begin

Before you configure Databricks sign-on from Tableau Server:

• You must be a Databricks account administrator.
• Install the Databricks CLI and set up authentication between the Databricks CLI and your Databricks account.

• (Optional) To use a custom identity provider (IdP) for Tableau OAuth login, see Configure SSO in Databricks.

You must also meet the following Tableau requirements:

• You have a Tableau Server installation with one of the following versions:
  • 2021.4.13 or above
  • 2022.1.9 or above
  • 2022.3.1 or above
• You're a Tableau Server administrator.

Add Tableau Server as an OAuth application using the Databricks UI

To add Tableau Server as an OAuth application using the Databricks UI, do the following:

1. Log in to the account console and click the Settings icon in the sidebar.

2. On the App connections tab, click Add connection.

3. Enter the following details:

   1. A name for your connection.

   2. The redirect URLs for your OAuth connection.

   3. Access scopes determines the APIs Tableau Server should have access to.

      • The SQL scope is required to allow Tableau to access Databricks SQL APIs.
      • The ALL APIs scope allows Tableau Server to access Databricks APIs for purposes other than querying.

      The following scopes are automatically allowed:

      • openid, email, profile: Required to generate the ID token.
      • offline_access: Required to generate refresh tokens.

      If you don't want to allow these scopes for Tableau Server, you can manage fine-grained scopes by using the POST /api/2.0/accounts/{account_id}/oauth2/custom-app-integrations API to create your custom application.

   4. Whether to generate a client secret. This is required for non-public (confidential) clients.

      The Connection created dialog box displays your connection's client ID and the client secret, if applicable.

   5. The access token time-to-live (TTL) in minutes. Default: 60.

   6. The refresh token time-to-live (TTL) in minutes. Default: 10080.

4. Click Add.

5. If you selected Generate a client secret, copy and securely store the client secret. You can't retrieve the client secret later.

You can edit the redirect URL, token TTL, and refresh token TTL in the UI by clicking the application name on the Settings > App connections page in the account console. You can also view your existing published OAuth applications in the UI.

Alternative: Add Tableau Server as an OAuth application using the Databricks CLI

To add Tableau Server as an OAuth application to your Databricks account using the Databricks CLI, do the following:

1. Locate your account ID.

2. Locate your Tableau Server URL.

3. Run the following command:

   databricks account custom-app-integration create --confidential --json '{"name":"<name>", "redirect_urls":["<redirect-url>"], "scopes":["all-apis", "offline_access", "openid", "profile", "email"]}'
   • Replace <name> with a name for your custom OAuth application.
   • For <redirect-url>, append /auth/add_oauth_token to your Tableau Server URL. For example, https://example.tableauserver.com/auth/add_oauth_token.

   For more information about supported values, see POST /api/2.0/accounts/{account_id}/oauth2/custom-app-integrations in the REST API reference.

   A client ID and a client secret are generated, and the following output is returned:

   {"integration_id":"<integration-id>","client_id":"<client-id>","client_secret":"<client-secret>"}
   note

   Enabling an OAuth application can take 30 minutes to process.

4. Securely store the client secret.

   important

   You can't retrieve the client secret later.

Configure OAuth in Tableau Server

To configure OAuth in Tableau Server, do the following:

1. Sign in to Tableau Server as a server administrator.
2. In the sidebar, click Settings > OAuth Client Registry > Add OAuth client.
3. For Connection Type, select Databricks.
4. For Client ID, enter the client ID that was generated in Alternative: Add Tableau Server as an OAuth application using the Databricks CLI.
5. For Client Secret, enter the client secret that was generated in Alternative: Add Tableau Server as an OAuth application using the Databricks CLI.
6. For Redirect URL, enter the redirect URL from Alternative: Add Tableau Server as an OAuth application using the Databricks CLI.
7. Click Add OAuth client.

Troubleshoot OAuth configuration

This section describes how to resolve common issues with OAuth configuration.

404 error from your IdP

Issue: When you try to authenticate to Tableau Server, you see a 404 error.

Cause: OAuth is misconfigured.

Solution: Ensure that you have correctly configured OAuth.

Next steps

Users can now use SSO to authenticate to Databricks from Tableau Server. See Connect Tableau and Databricks.