I was interested in single sign-on (SSO) services and tried various services for a while.
I wanted to log in with my Office365 user as a key, so I ended up using Azure Active Directory SSO. As for the usage, I mainly use it for Tableau login.
Occurrence of a problem
About a month after I set it up, I started occasionally being unable to log in to Tableau.
Specifically, when I tried to log in from the Tableau login page, I was immediately returned to the same Tableau login page and could not log in.
After trying everything, I logged out of Office365 and logged back in, and that fixed it.
Contact Tableau
I contacted Tableau via the web, since it seemed to be happening elsewhere too, and they immediately called me and pointed me to the following article. Quick!
Reason
When you log in to Office365, a token is issued, stored in your browser, and reused, so you do not need to log in again the next time.
However, because a token that could be used forever would be a security problem, tokens have a fixed expiration, and once it passes the user must log in again to obtain a new token.
The reason we could not log in to Tableau this time was that the expiration of the Tableau token was shorter than the expiration of the Azure Active Directory token.
In Azure Active Directory the token was still valid and had not expired, but in Tableau it had expired and was rejected as an invalid token, so login failed.
Azure Active Directory tokens expire in 90 days, while Tableau tokens expire in 24 days, which coincides exactly with the time between when we started using SSO and when the login failures began.
How to deal with it
Azure Active Directory lets you set a token expiration for each app you configure for SSO, so set it to the same 24 days as Tableau. Then, when the Tableau token expires, a re-login occurs and the token is renewed.
I referred to the following Microsoft document for how to set it up; it is also linked from the article that Tableau support gave us.
Here I describe the rough procedure, including the points I stumbled on.
Preparation
Installing the PowerShell Module
Unfortunately, the token expiration cannot be set in the Azure Portal; it is done by command using the Azure AD module in PowerShell.
So, first, install the "Azure AD PowerShell Module".
Connect to Azure Active Directory
Next, connect to Azure Active Directory from PowerShell. When doing so, specify the tenant ID of the Azure Active Directory you want to connect to.
PS> Connect-AzureAD -TenantId xxxx
The tenant ID can be found in the Azure Active Directory portal under [Properties]-[Directory ID].
You can now issue commands to Azure Active Directory.
Configuration
Before proceeding to the specific steps, a brief explanation of Azure Active Directory terminology and configuration is in order.
Application and Service Principals
Multiple apps can be created and configured individually for SSO to the same service.
For example, Tableau can have multiple sites, so you can add an app for each site and configure settings separately for each app you add.
The service that serves as the template, such as Tableau, is called the "application," and each individually created app is called a "service principal."
The token is therefore issued not to the "application" but to the added app, i.e., the "service principal".
Policy
It is not possible to set the token expiration date directly on the service principal.
Instead, create a policy that defines the token expiration and assign that policy to the "service principal" you want to configure; this sets the expiration of the service principal's token.
Procedure
Policy Creation
Set the expiration time value in JSON (24 days in this case) and create a policy with New-AzureADPolicy.
create_policy.ps1
# Token lifetime policy definition: all lifetimes set to 24 days ("d.hh:mm:ss")
# -Definition expects an array of JSON strings, hence the @( ... ) wrapper
$policy_json = @('{
  "TokenLifetimePolicy": {
    "Version": 1,
    "MaxInactiveTime": "24.00:00:00",
    "MaxAgeSingleFactor": "24.00:00:00",
    "MaxAgeMultiFactor": "24.00:00:00",
    "MaxAgeSessionSingleFactor": "24.00:00:00",
    "MaxAgeSessionMultiFactor": "24.00:00:00"
  }
}')
$policy_name = 'TableauOnlinePolicy'

# Create the policy; it is not the organization default, so it only applies where assigned
New-AzureADPolicy `
    -Definition $policy_json `
    -DisplayName $policy_name `
    -IsOrganizationDefault $false `
    -Type "TokenLifetimePolicy"
Save the script and run it.
PS> .\create_policy.ps1
Policy Assignment
Assign the created policy to the service principal with Add-AzureADServicePrincipalPolicy.
The policy and the service principal must be specified by ID, so look up each object by name and then take its ID from the object.
attach_policy.ps1
$policy_name = 'TableauOnlinePolicy'

# Look up the policy and the service principal by display name
$policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq $policy_name }
$sp = Get-AzureADServicePrincipal | Where-Object { $_.DisplayName -eq "Tableau Online" }

# -Id is the service principal's object ID, -RefObjectId is the policy's ID
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
This is all you need to do to set an expiration for your app, i.e., the service principal.
Confirmation
To be sure, verify that the policy has been created and assigned to the service principal.
check.ps1
$policy_name = 'TableauOnlinePolicy'

# The policy should exist
$policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq $policy_name }
Write-Host $policy

# The service principal should exist
$sp = Get-AzureADServicePrincipal | Where-Object { $_.DisplayName -eq "Tableau Online" }
Write-Host $sp

# The policy assigned to the service principal should carry the 24-day definition
$sp_policy = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
Write-Host $sp_policy
Write-Host $sp_policy.Definition
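The check above prints the raw objects; as an added example (not a script from the original post), the following function audits a list of SSO service principals and reports, for each one, whether a TokenLifetimePolicy is assigned and whether its session lifetime is within the bound the downstream app can tolerate (24 days for Tableau). It assumes the same Azure AD PowerShell module is installed and Connect-AzureAD has already been run; the display-name list and the function name Get-TokenLifetimeAudit are constructed for this example.

```powershell
# Added example: audit token-lifetime policy assignments on SSO service principals.
# Assumes the AzureAD module is loaded and Connect-AzureAD has already succeeded.
function Get-TokenLifetimeAudit {
    param(
        # Service principals to audit (constructed sample list)
        [string[]]$DisplayNames = @('Tableau Online'),
        # Longest lifetime the downstream app tolerates; Tableau's token lasts 24 days
        [TimeSpan]$MaxAllowed = [TimeSpan]::Parse('24.00:00:00')
    )

    foreach ($name in $DisplayNames) {
        # -All so the lookup is not cut off at the default page size
        $sp = Get-AzureADServicePrincipal -All $true |
            Where-Object { $_.DisplayName -eq $name }
        if (-not $sp) {
            [pscustomobject]@{ App = $name; Status = 'ServicePrincipalNotFound'; Policy = $null; Lifetime = $null }
            continue
        }

        # Only token-lifetime policies matter here; other policy types are ignored
        $policies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
            Where-Object { $_.Type -eq 'TokenLifetimePolicy' }
        if (-not $policies) {
            # No policy means the tenant default lifetime applies, which is the
            # mismatch that caused the login failures described above
            [pscustomobject]@{ App = $name; Status = 'NoTokenLifetimePolicy'; Policy = $null; Lifetime = $null }
            continue
        }

        foreach ($p in $policies) {
            # Definition is an array of JSON strings; the first element holds the policy body
            $def = ($p.Definition | Select-Object -First 1) | ConvertFrom-Json
            $raw = $def.TokenLifetimePolicy.MaxAgeSessionSingleFactor
            if (-not $raw) {
                # A policy can omit this field; then the session lifetime is not bounded by it
                [pscustomobject]@{ App = $name; Status = 'NoSessionLifetimeInPolicy'; Policy = $p.DisplayName; Lifetime = $null }
                continue
            }
            $lifetime = [TimeSpan]::Parse($raw)
            $status = if ($lifetime -le $MaxAllowed) { 'OK' } else { 'LifetimeExceedsApp' }
            [pscustomobject]@{ App = $name; Status = $status; Policy = $p.DisplayName; Lifetime = $lifetime }
        }
    }
}

# Usage: audit the Tableau service principal and any other SSO apps of interest
Get-TokenLifetimeAudit -DisplayNames @('Tableau Online') | Format-Table -AutoSize
```

Each row is an object rather than console text, so the output can be piped to Where-Object to list only the apps whose Status is not OK, which is a quick way to spot service principals that were added later and never received a policy.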
Policy Deletion
For reference, this section describes how to remove a policy assignment from a service principal and how to delete the policy itself.
detach_policy.ps1
$policy_name = 'TableauOnlinePolicy'

# Look up the policy and the service principal by display name
$policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq $policy_name }
$sp = Get-AzureADServicePrincipal | Where-Object { $_.DisplayName -eq "Tableau Online" }

# Remove the assignment only; the policy object itself remains
Remove-AzureADServicePrincipalPolicy -PolicyId $policy.Id -Id $sp.ObjectId
delete_policy.ps1
$policy_name = 'TableauOnlinePolicy'

# Look up the policy by display name, then delete it by ID
$policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq $policy_name }
Remove-AzureADPolicy -Id $policy.Id
Impressions, etc.
I thought that when you added the SSO application, the expiration was set automatically by Goodwill for the service, but it is not.
But if the default expiration for every application is fixed at 90 days, I wonder whether it is safe to use non-Tableau services as well, since it is likely to cause frequent errors that prevent logging in.
I added a few other apps as a test, but none of them seemed to be assigned the appropriate policy for the app.
The fact that the configuration is done in PowerShell instead of Azure CLI is a bit of a rush, and it gives the impression that Microsoft doesn't really want us to touch it but has no choice but to release it.
I have a feeling that policies will be automatically assigned to each app and detailed settings will be available in the Azure portal in the near future.