Monday, March 25, 2013


Tableau Server Integration with Salesforce

Update 03/31/2014: Tableau has released a Salesforce canvas solution, which consists of excellent documentation and example workbooks. Check out their blog post:
http://www.tableausoftware.com/about/blog/2014/3/now-available-salesforce-canvas-documentation-embedding-tableau-29499

Or download the zip file here



original post:

I wrote this up recently and I didn't want anyone else to have to slog through it... so enjoy!



Primer on Integration of the Tableau Platform with Salesforce

This document is broken out by “task”. Refer to each type of desired solution on the remaining pages.

Tasks:
  1. Get access to and analyze Salesforce data with offline/on-premise hardware using Tableau Desktop or Tableau Server.
  2. Get access to and analyze Salesforce data online/in the cloud using Tableau Desktop or Tableau Server.
  3. Provide row-level security for Salesforce data when using Tableau Desktop or Tableau Server (example: sales reps seeing only their relevant information)
  4. Provide URL links from a Tableau dashboard to relevant Salesforce information.
  5. Embed a Tableau dashboard into the Salesforce web interface. (example: when looking at an account in Salesforce, there is a Tableau dashboard embedded into the account view showing details for that account)
  6. Integrate Salesforce authentication with Tableau Server authentication when all users are behind a firewall using Active Directory. Desired behavior is that end users only have to log into a web application once.
  7. Integrate Salesforce authentication with Tableau Server authentication when users are outside a firewall and not using Active Directory. Desired behavior is that end users only have to log into a web application once.
  8. Encryption technologies. Ensure that Tableau Server is running with SSL enabled.



1 – Get access to and analyze Salesforce data with offline/on-premise hardware using Tableau Desktop or Tableau Server.

In this initial example, we want to pull Salesforce data out of the cloud and into an on-premise data warehouse. This can be achieved using a third party tool such as www.dbamp.com:



Pros:
  - Provides an easy, automated method of aggregating Salesforce data offline for analytics.
  - Allows integration with other local systems inside the corporate network.
  - All standard and custom Salesforce objects are supported.

Cons:
  - Requires on-premise hardware and local installation of SQL Server.
  - Requires configuration and setup and ongoing DB maintenance.



There are other ODBC tools out there as well. The same basic concept applies: using a third-party ETL process, you can pull Salesforce objects and data out of Salesforce and into a data warehouse of your choosing. At this point, the data is available to all users inside of a corporate network. Tableau Desktop and Tableau Server connect to this data just like any other supported data source.



2 - Get access to and analyze Salesforce data online/in the cloud using Tableau Desktop or Tableau Server.

In this example, we want to pull Salesforce data out of the Salesforce cloud and put it into Tableau Server directly. For this connection type, we recommend Tableau’s Salesforce connector:



In this mode, Tableau will use the Salesforce API and perform a query and retrieval of data from Salesforce. Tableau Desktop will automatically extract the data using our fast in-memory data engine:




This type of connection will work anywhere, anytime. As long as Tableau Desktop and Tableau Server have access to Salesforce, you can use the built-in live connector to retrieve Salesforce information.

Once extracted, you can perform incremental updates against the Salesforce object. This is a very efficient way of keeping the most up-to-date information inside of Tableau Desktop or Tableau Server:




Furthermore, you can schedule this extraction using Tableau Server. You will need to embed credentials at the time you publish the Tableau data connection:



Tableau Server will then automatically perform incremental refreshes of this data connection:





At this point you have a continuous and full data analytics experience for Salesforce data; the data originates in Salesforce and ends up inside of the Tableau Server “Data Server” and is now available for any new connections, whether in the browser or Tableau Desktop:





3 - Provide row-level security for Salesforce data when using Tableau Desktop or Tableau Server. Example: sales reps seeing only their relevant information.

Regardless of the authentication solution (see later sections), once your users are connected to the Salesforce data, you may want or require them to see only their data. In the previous section (2) we connected to Salesforce using Tableau’s native connector. This connection used the current user at the time of the connection. Tableau does not currently support a truly “live” connection to Salesforce data because it would be quite slow and would also utilize the Salesforce API quota extensively and expensively. Plus, the native Salesforce web user interface already serves this purpose.

In lieu of a live connection, which would handle per-user security just as if you were logging into Salesforce directly, Tableau supports row-level security models by identifying the currently logged-in Tableau Server or Tableau Desktop user and then comparing this information against actual data. Remember that in sections 1 and 2 we already received this data. All we need to do now is compare Tableau users to this information. An example Tableau Server user ID such as “Adam King”…



…would be matched up against the accounts that Adam King owns by creating a Tableau calculated field like so:



In the calculation shown above, the function FULLNAME() returns the full name of the Tableau Server user ID, and [Owner name] is a Salesforce field on the accounts object.

You can then add this filter to your views and dashboards. Each user will only see their data at this point. Further, you can add this filter to the data source directly – it will never be exposed and will always enforce row-level security across your organization:



This type of configuration can be for convenience to simply reduce the “data noise” associated with large sales or services teams – the default for individuals would be to see only their data, but still browse other people’s data. Or, this configuration can be truly locked down and secure – the default for individuals is that they would only see their data with no exceptions. The Tableau platform supports either of these modes.



4 - Provide URL links from a Tableau dashboard to relevant Salesforce information.

A common requirement for Tableau users is to link out from a Tableau dashboard back to the Salesforce web user interface. This is easily achieved using Tableau “Actions”. The action would key off of the Salesforce object ID. The destination URL is the standard Salesforce URL https://na4.salesforce.com/

In Tableau Desktop, you can design a URL action on any sheet or dashboard. For example, to create an action which links out to the Salesforce “Lead” object, your action would look like this:


Once created, this action would look like the following on a Tableau dashboard:





5 - Embed a Tableau dashboard into the Salesforce web interface. Example: when looking at an account in Salesforce, there is a Tableau dashboard embedded into the account view showing details for that account.

In contrast to the previous example, Tableau customers also want to embed a Tableau dashboard directly into their Salesforce portal. This is also achieved through the use of URL manipulation. The URL control is in the opposite direction from the previous example: Salesforce is controlling a Tableau dashboard.

Two design choices are required for this to work. These include: A) Both Salesforce and Tableau Server need to be accessible to the end users on a network and transport level, and B) Authentication choices need to be made (see next two sections).

Assuming both A and B are satisfied, setting up an embedded Tableau visual inside of Salesforce has two main steps. The first is creating a Salesforce APEX frame – this is usually done by a Salesforce administrator. The frame code looks like the following:

<apex:page standardController="Account">
    <apex:iframe src="http://tableauserver/views/SFDC_viz/dashboard?:embed=yes&amp;:tabs=no&amp;AccountID={!Account.Id}"
                 height="340px" width="910px" scrolling="false"/>
</apex:page>

The Salesforce administrator will take the following basic steps to create and use this code:

  - Create a Visualforce page with an iframe to display the viz.
  - The standardController is the name of the object that is related to the ID you will be passing.
  - The {!Account.Id} merge field will not work unless the standardController is set properly on the page.
  - See the online Visualforce documentation (http://www.salesforce.com/us/developer/docs/pages/index.htm) for details about the standard component.

The reason this works is that all published Tableau Server visualizations can “receive” filters on the URL directly. In the above example, we want to provide an account overview using a Tableau visual. We create this dashboard in Tableau Desktop and publish it to Tableau Server. This dashboard contains the field “AccountID” somewhere on the level of detail for the visual. The APEX code invokes the URL and hands in the current Account ID at run time. This is notated with Salesforce syntax: {!Account.Id}

This is very straight-forward to configure. You can of course design your embedded dashboards to look however you want them to.




6 - Integrate Salesforce authentication with Tableau Server authentication when all users are behind a firewall using Active Directory. Desired behavior is that end users only have to log into a web application once.

This section assumes you also have section 5 in mind: the ability to embed Tableau visuals directly in Salesforce. In sections 6 and 7, we introduce the two main methods of authentication most commonly seen by our customers. Both of these methods have as their main desired behavior the following statement:

“End users should not have to log in twice, once to the Salesforce system and a second time to Tableau Server.”

When all users will be accessing Salesforce from behind a corporate network and firewall, this is fairly straightforward. Tableau Server should be installed/deployed using “Active Directory” mode.

End users will still need to log into Salesforce, but any embedded Tableau visuals or dashboards will pick up the current identity of the user from the web browser’s existing credentials. This is a built-in feature of Tableau Server, achieved with a Microsoft security mechanism known as “SSPI”.

In section 3 we discussed row-level security requirements. These would still apply and some considerations of the data model need to be taken into account:

a) If we have end users logging into Salesforce with their email address, we will need some type of data-driven mapping which associates their email address with their Active Directory Account.
b) Alternatively, we can retrieve the end users’ “Full Name” which will often match across multiple systems. The “Full Name” can be retrieved in a Tableau calculated field with the FULLNAME() function.
c) Lastly, the Salesforce user ID itself makes an excellent join candidate when creating robust data-driven security solutions, as this alphanumeric string never changes over time.
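The row-level filter from section 3 and mapping options b) and c) above, modelled outside Tableau as an added example (not part of the original post). The account rows, logins and shortened IDs are constructed sample data, and the function names are hypothetical; the point is how a name match and a user-ID join behave when two owners share a name or a name differs between systems.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TableauUser:
    username: str   # Tableau Server / Active Directory login
    full_name: str  # what FULLNAME() would return for this user

# Constructed extract of the Salesforce Account object (IDs shortened).
ACCOUNTS = [
    {"AccountID": "001A", "OwnerId": "005X1", "Owner name": "Adam King"},
    {"AccountID": "001B", "OwnerId": "005X2", "Owner name": "Adam King"},  # a second Adam King
    {"AccountID": "001C", "OwnerId": "005X3", "Owner name": "Dana Lopez-Reyes"},
]

# Option c): data-driven mapping from login to Salesforce user ID (constructed).
USER_MAP = {"CORP\\aking": "005X1", "CORP\\aking2": "005X2", "CORP\\dlopez": "005X3"}

def visible_by_name(user, rows):
    """Option b): the filter FULLNAME() = [Owner name]."""
    return [r["AccountID"] for r in rows if r["Owner name"] == user.full_name]

def visible_by_owner_id(user, rows, user_map):
    """Option c): join on the Salesforce user ID; unmapped users see nothing."""
    owner_id = user_map.get(user.username)
    if owner_id is None:
        return []
    return [r["AccountID"] for r in rows if r["OwnerId"] == owner_id]

def ambiguous_names(rows):
    """Audit check: owner names that belong to more than one Salesforce user."""
    owners = {}
    for r in rows:
        owners.setdefault(r["Owner name"], set()).add(r["OwnerId"])
    return {name: sorted(ids) for name, ids in owners.items() if len(ids) > 1}

if __name__ == "__main__":
    aking = TableauUser("CORP\\aking", "Adam King")
    print("by name:", visible_by_name(aking, ACCOUNTS))
    print("by ID:  ", visible_by_owner_id(aking, ACCOUNTS, USER_MAP))
    print("shared names:", ambiguous_names(ACCOUNTS))
```

Running the audit function against the real owner list before relying on a name-based filter shows whether any two users would see each other's rows.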



7 - Integrate Salesforce authentication with Tableau Server authentication when users are outside a firewall and not using Active Directory. Desired behavior is that end users only have to log into a web application once.

If Active Directory is not an option due to network and remote office considerations, and a single sign-on experience is still a requirement, then the remaining alternative for Tableau Server is to enable “Trusted Tickets Authentication”. This is discussed in the online documentation here.

Tableau’s “trusted tickets” authentication works by having Tableau Server 100% trust an existing external web application, in this case Salesforce. This trust is established on an IP address basis.

Because Salesforce cannot present itself to an external application by IP address, in order to integrate the authentication, Tableau customers stand up a machine which acts as a proxy between Tableau Server and Salesforce.

Tableau Server only has to trust this one single proxy machine. This machine in turn simply acts as a wrapper for the Salesforce apex frame.
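The ticket exchange the proxy machine performs, as an added example that is not part of the original post. It uses Tableau Server's trusted-ticket interface (a POST to /trusted with a username, answered with a ticket or -1); the function names, the injected `post` callable and the assumption that the proxy has already authenticated the user are hypothetical.

```python
import re
import urllib.parse
import urllib.request

SFDC_ID = re.compile(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?")  # 15- or 18-char record ID


class TicketError(Exception):
    """Tableau Server did not issue a trusted ticket."""


def http_post(url, fields):
    """POST form fields and return the response body as text."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.read().decode().strip()


def embed_url(server, verified_username, view_path, account_id, post=http_post):
    """Build the iframe src that the proxy hands to the browser.

    verified_username must come from the proxy's own authenticated session
    (assumed to exist), never from a request parameter: Tableau Server issues
    a ticket for whatever name a trusted IP address asks for.
    """
    if not server.startswith("https://"):
        raise ValueError("reach Tableau Server over SSL (section 8)")
    if not SFDC_ID.fullmatch(account_id):
        raise ValueError("account_id is not a Salesforce record ID")
    ticket = post(server + "/trusted", {"username": verified_username})
    if not ticket or ticket == "-1":  # -1 means the request was refused
        raise TicketError("no ticket issued for %r" % verified_username)
    query = urllib.parse.urlencode(
        {":embed": "yes", ":tabs": "no", "AccountID": account_id}, safe=":")
    return "%s/trusted/%s/%s?%s" % (server, ticket, view_path, query)
```

The AccountID on the URL is a filter the viewer can edit, not an access control, so the data-source user filter from section 3 still has to enforce which rows each user may see.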



8 – Encryption and SSL.

Because Salesforce has SSL enabled by default, you will want to enable SSL support for Tableau Server. Otherwise, your end users may get a warning in their browser about mixed content (a secure page embedding non-secure content), which is undesirable from an IT point of view. To enable SSL support, review the online help here.

Good luck and happy integrating!!












9 comments:

Siraj Sirajudeen said...

This is a wonderful list of tips for how to connect to Salesforce.com through Tableau. I am just starting to research about it and having all the issues discussed in one page is great and is very handy. Thank you so much.

Alvin Ayusa said...

This is a good list of "to do's" in maximizing Tableau and SFDC data. Have you tried using the force.com canvas of SFDC and use Tableau in it?

Thanks!
-alvin

Guy Keshet said...

Hi Alan

thank you for a v useful link

FYI - regarding task 3 (implement row level security), please note that SFDC supports an elaborate record level sharing model (roles, teams, manual sharing and sharing rules), therefore simply matching the Tableau user name to the SFDC record owner name would not always work.

In those scenarios, I'd recommend using the Tableau desktop client, whereby each user logs in with their SFDC user, as SFDC implements row level security via its API.


Pro would be supporting the SFDC record level security model in Tableau

Cons would be increased API usage as you mentioned, and potentially additional SFDC license cost (if the customer has prof. edition with no API access)

Guy Keshet said...

Hi Alan

one more comment - FYI - SFDC supports various SSO models (OAuth, SAML etc) out of the box, which should handle tasks 6 & 7 - so you need to either set up an identity provider and have SFDC & Tableau subscribe to it, or you could even use SFDC as the identity provider

Aakash Jain said...

Hi Alan,
Thanks for the wonderful post, it is really very helpful.
One thing I could not understand is how to use Active Directory to get Salesforce users' data.
I am using Tableau Server on my machine, and when I set its authentication to Active Directory it asks me for my domain name, and if I give the Salesforce domain there it does not connect. I cannot understand how to use Salesforce's Active Directory for Tableau Server authentication.
Thank you

northwestcoder said...

There's no direct bridge between AD and salesforce. The assumption here is that the browser itself is logged into both salesforce as well as your AD domain. Thus it appears to be a SSO experience. Hope that helps!

Harshesh said...

Hello,

I am facing a problem in point 7. I am not able to generate the ticket. It works fine with a normal POST request, but from Salesforce it gives an error every time.

I am not clear with "Because Salesforce cannot present itself to an external application by IP address, in order to integrate the authentication, Tableau customers stand up a machine which acts as a proxy between Tableau Server and Salesforce.

Tableau Server only has to trust this one single proxy machine. This machine in turn simply acts as a wrapper for the Salesforce apex frame."
Can you please shed more light on this?


Also, can someone explain how to embed a dashboard using Force.com Canvas? Would I need to use Heroku in that case? I am a newbie in that.

rajshekar said...

How to do Salesforce single sign-on with Tableau? Can anyone explain it clearly please.

rajshekar said...

Please can someone let me know the point 3 in detail please..