It turns out that usage-based embedded Tableau reports (the kind where you create an SSO token for no specific user) do not work with Safari on Mac or iOS. Why? Because when the Tableau SDK signs in with your single-use token, the response contains a session cookie. Since the browser is receiving this from a domain that is not the same as the page you're on, Safari assumes this is an advertiser attempting to track you and drops the cookie.
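The cross-site decision described above can be checked before you deploy. This is an added example, not code from the original post: it compares the registrable domain (eTLD+1) of the page and of the embed host, using a small constructed suffix list in place of the full Public Suffix List and placeholder `example.com` / `example.net` hostnames.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: real browsers
// use the full list; extend this set for the suffixes you actually use).
const SAMPLE_SUFFIXES = new Set(["com", "net", "co.uk"]);

// Return the registrable domain (eTLD+1) of a hostname, or null when the
// hostname is itself a public suffix or ends in no known suffix.
function registrableDomain(hostname, suffixes = SAMPLE_SUFFIXES) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Scan from the longest candidate so "co.uk" wins over a shorter match.
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// True when a cookie set by embedUrl would be third-party on pageUrl,
// i.e. the two hosts do not share a registrable domain.
function isThirdParty(pageUrl, embedUrl, suffixes = SAMPLE_SUFFIXES) {
  const page = registrableDomain(new URL(pageUrl).hostname, suffixes);
  const embed = registrableDomain(new URL(embedUrl).hostname, suffixes);
  // Hosts we cannot classify are reported as third-party (fail closed).
  return page === null || embed === null || page !== embed;
}

// Classify each candidate embed host against the page that hosts the report.
function checkEmbedHosts(pageUrl, embedUrls) {
  return embedUrls.map((url) => ({ url, thirdParty: isThirdParty(pageUrl, url) }));
}

// Constructed sample: the web app, a vendor-hosted report URL, and a
// report URL served from a subdomain of the app's own domain.
const results = checkEmbedHosts("https://app.example.com/reports", [
  "https://tableau-host.example.net/views/sales",
  "https://reports.example.com/views/sales",
]);
for (const r of results) {
  console.log(`${r.url} -> ${r.thirdParty ? "third-party, cookie dropped" : "same-site"}`);
}
```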
To work around this limitation, you need to make Tableau match the domain of your web app. I've seen a few examples out there, such as deploying an nginx container or writing a custom app controller. My solution was to make a simple load balancer in Google Cloud that would proxy all traffic to a Tableau endpoint, and it works really well.
Attached is the Pulumi code I used for this. If you're following in my footsteps, this should work out of the box after updating the code to use your own domain. Also, if you're like me, and allow cus