Summary

Going for an advanced configuration allows you to better integrate Write-Back on your infrastructure. The side effect is that you have more dependencies beyond just installing Write-Back on its own. This page allows you to be prepared for that and gather in advance what might be required.

Deciding what best suits your environment

The main decisions you have to make before starting an advanced installation are:

What type of authentication would you like to use on Write-Back?
- Write-Back supports multiple types of SSO with SAML, OpenID and Kerberos which allows the users to be automatically authenticated without having to type in credentials.
- Write-Back also supports username and password login with Active Directory/LDAP and Tableau Server API as options.
What database do you want to use?
- You can either use the internal PostgreSQL or store the datasets on an existing database of your choice. The list of supported technologies is available on the bottom of the Overview page.
- Setting up Write-Back to use your database can increase performance when joining with existing data.
Besides this decision please bear in mind that Write-Back requires a secure connection meaning you will need a valid SSL certificate for the server domain / ip.

Preparing the Installation

For a complete production deployment, we tailored the following list with what is needed:

A server
- This server must comply with the pre-requisites.

We heavily recommend differentiating the machines where you run your database instance and the machine where the extension (server) will be as well as not installing Write-Back in the same server as Tableau. When installing on a specific server this should have a fixed ip allowing easier remote access.

A database
- You can choose from any of the supported technologies.

We recommend creating a separate schema and database user specifically for Write-Back. This user will need privileges to create and manage tables hence it should be only used for this purpose. A read-only database user should also be created and used on Tableau to connect to this data source.

The connection properties for the database where the data will be written are described here. We also have a few suggestions there, when creating the user.
- Host and Port:
- Schema:
- User:
- Password:
- Driver:

When configuring Write-Back connection to the database, ideally SSL should be activated to ensure an encrypted channel.

Network and Communications
- Domain:
  - To make it easier to access you might want the extension to run under a domain and not an IP address. This can be similar to your Tableau Server domain (URL), for instance, if you have https://tableau.mycompany.com/ we can have https://writeback.apps.xpand-it.com/
- SSL certificate:
  - We need to configure the domain with HTTPs in order for the extension to run due to Tableau extension usage policy. This SSL certificate must match the extension domain or IP (fully qualified name).
  - We recommend a PKCS12 certificate with private key (.p12 or .pfx). Besides the certificate, we also need the password used to create it.
    - The recommended type is PFX/PKCS12 as it is the most common among enterprise deployments and easiest to set up in Write-Back.
      - The password for this certificate is also necessary
- Database Access:
  - the server where the extension runs needs to be able to communicate to the machine where the database is. Please ensure your network settings allow this communication.
- Proxy
  - If you are using a reverse proxy it should be configured accordingly to direct traffic to the extension endpoint.

If the Write-Back server is exposed to the internet it is highly recommended that a firewall and a reverse proxy are setup ensuring all communication are done through there.

Authentication
- Methods (depending on the chosen method)
  - SSO
    - For authentication with SAML
      - Guide here
    - For authentication with OpenID
      - Guide here
    - For authentication with Kerberos (we have a small setup guide), we need the following information
      - Properties
        Service Principal:
        A keytab for that principal:
        AD Domain:
        AD Server:
        LDAP search base, where the users can be located:
      - Validation:
        In order to validate that the Service Principle is correctly configured please execute the commands on the linked guide above.
        Did you get it to work?
  - Normal
    - For authentication with Active Directory, we need similar information:
      - AD domain:
      - AD server:
      - LDAP search base:
      - LDAP search filter:
    - For authentication with Tableau Server through the authentication api, we just need the URL where it is running
      - Tableau Server URL:
- To test authentication
  - Provide Tableau test user credentials so we can test the extension

Authentication methods that provide Single Sign On (SSO) are highly recommend, these will provide the best user experience and through the Identity Provider enable to establish more comprehensive policies including for instance Multi-factor Authentication (MFA)