OpenID Connect Methods
Using the OpenID Connect (OIDC) methods of the Tableau REST API you can:
- Set your Tableau Cloud site to use OIDC authentication to authenticate users
- Configure OIDC authentication when your identity provider (IdP) does not provide a configuration URL (in other words, a URL that ends with
.well-known/openid-configuration
) - Configure client authentication, custom scope, prompt, essential ACR Values, or voluntary ACR values that the Tableau Cloud's OIDC configuration UI does not support
- Configure OIDC authentication when your identity provider (IdP) does not provide a configuration URL (in other words, a URL that ends with
- Get details about the OIDC configuration
- Update your OIDC configuration
- Remove your OIDC configuration
The above functionality relates to OIDC elements described at: OpenID Connect(Link opens in a new window).
Create OpenID Connect Configuration
Create the Tableau Cloud site's OpenID Connect (OIDC) configuration.
After you've configured OIDC authentication, you can use the Tableau Cloud's UI to test the configuration(Link opens in a new window) and add users(Link opens in a new window).
For more information about OIDC authentication in Tableau Cloud, see OpenID Connect(Link opens in a new window) in the Tableau Cloud Help.
Version: Available in API 3.22 (Tableau Cloud February 2024) and later. Not available for Tableau Server.Version Overview(Link opens in a new window)
License: No additional license required.
Permissions: Tableau Cloud site admins only.
JWT Access Scope: Not available. Access Scopes Overview: Cloud(Link opens in a new window)
URI
PUT /api/api-version/sites/site-luid/site-oidc-configuration
URI Parameter Values
api-version | The version of the API to use, such as 3.24 . For more information, see REST API and Resource Versions.
|
site-luid | The LUID for the site. |
Request Body
<tsRequest>
<siteOIDCConfiguration
idpConfigurationName="idpConfigurationName"
enabled="enabled"
clientId="clientId"
clientSecret="clientSecret"
authorizationEndpoint="authorizationEndpoint"
tokenEndpoint="tokenEndpoint"
userinfoEndpoint="userinfoEndpoint"
jwksUri="jwksUri"
endSessionEndpoint="endSessionEndpoint"
allowEmbeddedAuthentication="allowEmbeddedAuthentication"
prompt="prompt"
customScope="customScope"
clientAuthentication="clientAuthentication"
essentialAcrValues="essentialAcrValues"
voluntaryAcrValues="voluntaryAcrValues"
emailMapping="emailMapping"
firstNameMapping="firstNameMapping"
lastNameMapping="lastNameMapping"
fullNameMapping="fullNameMapping"
useFullName="useFullName" />
</tsRequest>
{
"siteOIDCConfiguration": {
"idpConfigurationName": "idpConfigurationName",
"enabled": "enabled",
"clientId": "clientId",
"clientSecret": "clientSecret",
"authorizationEndpoint": "authorizationEndpoint",
"tokenEndpoint": "tokenEndpoint",
"userinfoEndpoint": "userinfoEndpoint",
"jwksUri": "jwksUri",
"endSessionEndpoint": "endSessionEndpoint",
"allowEmbeddedAuthentication": "allowEmbeddedAuthentication",
"prompt":"prompt",
"customScope":"customScope",
"clientAuthentication": "clientAuthentication",
"essentialAcrValues": "essentialAcrValues",
"voluntaryAcrValues": "voluntaryAcrValues",
"emailMapping": "emailMapping",
"firstNameMapping": "firstNameMapping",
"lastNameMapping": "lastNameMapping",
"fullNameMapping": "fullNameMapping",
"useFullName": "useFullName"
}
}
Request Attributes
idpConfigurationName
|
(Required) The name of the configuration. Starting in API 3.24, you can create and enable multiple authentication configurations. For more information, see Authentication(Link opens in a new window) in the Tableau Cloud Help. |
enabled
|
(Required) Controls whether the configuration is enabled or not. Value can be "true" or "false". For example "true". |
clientId
|
(Required) The client ID from your IdP. For example, "0oa111usf1gpUkVUt0h1". |
clientSecret
|
(Required) The client secret from your IdP. |
authorizationEndpoint
|
(Required) Use the authorization endpoint from your IdP. To find the value, enter the configuration URL in a browser and obtain the user information endpoint (authorization_endpoint ) from the details that are returned. For example, "https://myidp.com/oauth2/v1/authorize". |
tokenEndpoint
|
(Required) Use the token endpoint from your IdP. To find the value, enter the configuration URL in a browser and obtain the token endpoint (token_endpoint ) from the details that are returned. For example, "https://myidp.com/oauth2/v1/token". |
userinfoEndpoint
|
(Required) Use the user information endpoint from your IdP. To find the value, enter the configuration URL in a browser and obtain the user information endpoint (userinfo_endpoint ) from the details that are returned. For example, "https://myidp.com/oauth2/v1/userinfo". |
jwksUri
|
(Required) Use the JWK set URI from your IdP. To find the value, enter the configuration URL in a browser and obtain the JWK set URI endpoint (jwks_uri ) from the details that are returned. For example, "https://myidp.com/oauth2/v1/keys". |
endSessionEndpoint
|
(Optional) If single logout (SLO) is enabled for the site, which is done through Tableau Cloud site UI, you can specify the configuration URL or the end session endpoint from your IdP. For example, "https://myidp.com/oauth2/v1/logout". |
allowEmbeddedAuthentication
|
(Optional) Controls how users authenticate when accessing embedded views. Value can be "true" or "false". Default value is "false", which authenticates users in a separate pop-up window. When set to "true", users authenticate using an inline frame (IFrame), which is less secure. |
customScope
|
(Optional) Specifies a custom scope user-related value that you can use to query the IdP. For example, "openid, email, profile". |
prompt
|
(Optional) Specifies whether the user is prompted for re-authentication and consent. For example, "login, consent". |
clientAuthentication
|
(Optional) Token endpoint authentication method. Value can be "client_secret_basic" or "client_secret_post". Default value is "client_secret_basic". |
essentialAcrValues
|
(Optional) List of essential Authentication Context Reference Class values used for authentication. For example, "phr". |
voluntaryAcrValues
|
(Optional) List of voluntary Authentication Context Reference Class values used for authentication. |
emailMapping
|
(Optional) Claim for retrieving email from the OIDC token. Default value is "email". |
firstNameMapping
|
(Optional) Claim for retrieving first name from the OIDC token. Default value is "given_name". You can use this attribute to retrieve the user’s display name when useFullName attribute is set to "false". |
lastNameMapping
|
(Optional) Claim for retrieving last name from the OIDC token. Default value is "family_name". You can use this attribute to retrieve the user’s display name when useFullName attribute is set to "false". |
fullNameMapping
|
(Optional) Claim for retrieving name from the OIDC token. Default value is "name". You can use this attribute to retrieve the user’s display name when useFullName attribute is set to "true". |
useFullName
|
(Optional) Controls what is used as the display name. Value can be "true" or "false". Default value is "false", which uses first name (firstNameMapping attribute) and last name (lastNameMapping attribute) as the user display name. When set to "true", full name (fullNameMapping attribute) is used as the user display name. |
cURL Request Example
curl "https://us-west-2a.online.tableau.com/api/3.24/sites/9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d/site-oidc-configuration" -X PUT -H "X-Tableau-Auth:12ab34cd56ef78ab90cd12ef34ab56cd" -d @create-update-oidc-config.xml
Content of create-update-oidc-config.xml:
<tsRequest>
<siteOIDCConfiguration
idpConfigurationName="idpConfigurationName"
enabled="enabled"
clientId="clientId"
clientSecret="clientSecret"
authorizationEndpoint="authorizationEndpoint"
tokenEndpoint="tokenEndpoint"
userinfoEndpoint="userinfoEndpoint"
jwksUri="jwksUri"
idpConfigurationName="idpConfigurationName"
endSessionEndpoint="endSessionEndpoint"
allowEmbeddedAuthentication="allowEmbeddedAuthentication"
prompt="prompt"
customScope="customScope"
clientAuthentication="clientAuthentication"
essentialAcrValues="essentialAcrValues"
voluntaryAcrValues="voluntaryAcrValues"
emailMapping="emailMapping"
firstNameMapping="firstNameMapping"
lastNameMapping="lastNameMapping"
fullNameMapping="fullNameMapping"
useFullName="useFullName" />
</tsRequest>
Response Code
200
Response Body
<tsResponse>
<siteOIDCConfiguration
idpConfigurationName="Auth_External_OIDC"
enabled="true"
testLoginUrl="https://sso.online.tableau.com/public/testLogin?alias=080bca2d-578b-49cc-b40d-3781b36b30ee&authSetting=OIDC"
allowEmbeddedAuthentication="false"
clientId="0oa111usf1gpUkVUt0h1"
clientSecret="<omit>"
authorizationEndpoint="https://myidp.com/oauth2/v1/authorize"
tokenEndpoint="https://myidp.com/oauth2/v1/token"
userinfoEndpoint="https://myidp.com/oauth2/v1/userinfo"
jwksUri="https://myidp.com/oauth2/v1/keys"
endSessionEndpoint="https://myidp.com/oauth2/v1/logout"
customScope="openid, email, profile"
prompt="login,consent"
clientAuthentication="client_secret_basic"
essentialAcrValues="phr"
emailMapping="email"
firstNameMapping="given_name"
lastNameMapping="family_name"
fullNameMapping="name"
useFullName="false" />
</tsResponse>
{
"siteOIDCConfiguration": {
"idpConfigurationName":"Auth_External_OIDC",
"enabled":"true",
"testLoginUrl":"https://sso.online.tableau.com/public/testLogin?alias=080bca2d-578b-49cc-b40d-3781b36b30ee&authSetting=OIDC",
"allowEmbeddedAuthentication":"false",
"clientId":"0oa111usf1gpUkVUt0h1",
"clientSecret":"<omit>",
"authorizationEndpoint":"https://myidp.com/oauth2/v1/authorize",
"tokenEndpoint":"https://myidp.com/oauth2/v1/token",
"userinfoEndpoint":"https://myidp.com/oauth2/v1/userinfo",
"jwksUri":"https://myidp.com/oauth2/v1/keys",
"endSessionEndpoint":"https://myidp.com/oauth2/v1/logout",
"customScope":"openid, email, profile",
"prompt":"login,consent",
"clientAuthentication":"client_secret_basic",
"essentialAcrValues":"phr",
"emailMapping":"email",
"firstNameMapping":"given_name",
"lastNameMapping":"family_name",
"fullNameMapping":"name",
"useFullName":"false"
}
}
Notes:
-
The response hides the client secret and replaces it with
<omit>
. -
You can use the testloginURL attribute to validate the OIDC configuration. When you enter the URL in a browser, details about the configuration displays.
Errors
HTTP status | error Code |
Condition | Details |
---|---|---|---|
400 | 400000 | Bad Request | The content of the request body is missing or incomplete, or contains malformed XML. |
401 | 401002 | Unauthorized Access | The authentication token provided in the request header was invalid or has expired. |
For more information, see Handling Errors.
Get OpenID Connect Configuration
Get details about the Tableau Cloud site's OpenID Connect (OIDC) configuration.
Version: Available in API 3.22 (Tableau Cloud February 2024) and later. Not available for Tableau Server. Version Overview(Link opens in a new window)
License: No additional license required.
Permissions: Tableau Cloud site admins only.
JWT Access Scope: Not available. Access Scopes Overview: Cloud(Link opens in a new window)
URI
GET /api/api-version/sites/site-luid/site-oidc-configuration?idpConfigurationId=idp-configuration-id
Note: The resource, GET /api/api-version/sites/site-luid/site-oidc-configuration?idpConfigurationId=idpConfigurationId, was added in version 3.24. The original resource, PUT /api/api-version/sites/site-luid/site-oidc-configuration, continues to be a supported resource if your site is configured with only one OIDC authentication configuration.
If you don’t specify an idpConfigurationId
value starting in API 3.24, the initial OIDC configuration on the site is removed. If there is no initial OIDC configuration on the site, then no OIDC configuration is removed.
URI Parameter Values
api-version | The version of the API to use, such as 3.24 . For more information, see REST API and Resource Versions.
|
site-luid | The LUID for the site. |
idp-configuration-id | The ID of the configuration. To get the idpConfigurationId value, use the List Authentication Configurations method. |
Request Body
None
cURL Request Example
curl "https://us-west-2a.online.tableau.com/api/3.24/sites/9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d/site-oidc-configuration?idpConfigurationId=00000000-0000-0000-0000-0000000000" -X GET -H "X-Tableau-Auth:12ab34cd56ef78ab90cd12ef34ab56cd"
Response Code
200
Response Body
<tsResponse>
<siteOIDCConfiguration
enabled="true"
testLoginUrl="https://sso.online.tableau.com/public/testLogin?alias=080bca2d-578b-49cc-b40d-3781b36b30ee&authSetting=OIDC"
allowEmbeddedAuthentication="false"
clientId="0oa111usf1gpUkVUt0h1"
clientSecret="<omit>"
authorizationEndpoint="https://myidp.com/oauth2/v1/authorize"
tokenEndpoint="https://myidp.com/oauth2/v1/token"
userinfoEndpoint="https://myidp.com/oauth2/v1/userinfo"
jwksUri="https://myidp.com/oauth2/v1/keys"
idpConfigurationName="Initial OIDC"
endSessionEndpoint="https://myidp.com/oauth2/v1/logout"
customScope="openid, email, profile"
prompt="login,consent"
clientAuthentication="client_secret_basic"
essentialAcrValues="phr"
emailMapping="email"
firstNameMapping="given_name"
lastNameMapping="family_name"
fullNameMapping="name"
useFullName="false"
idpConfigurationId="00000000-0000-0000-0000-000000000000" />
</tsResponse>
{
"siteOIDCConfiguration": {
"enabled":"true",
"testLoginUrl":"https://sso.online.tableau.com/public/testLogin?alias=080bca2d-578b-49cc-b40d-3781b36b30ee&authSetting=OIDC",
"allowEmbeddedAuthentication":"false",
"clientId":"0oa111usf1gpUkVUt0h1",
"clientSecret":"<omit>",
"authorizationEndpoint":"https://myidp.com/oauth2/v1/authorize",
"tokenEndpoint":"https://myidp.com/oauth2/v1/token",
"userinfoEndpoint":"https://myidp.com/oauth2/v1/userinfo",
"jwksUri":"https://myidp.com/oauth2/v1/keys",
"idpConfigurationName":"Initial OIDC"
"endSessionEndpoint":"https://myidp.com/oauth2/v1/logout",
"customScope":"openid, email, profile",
"prompt":"login,consent",
"clientAuthentication":"client_secret_basic",
"essentialAcrValues":"phr",
"emailMapping":"email",
"firstNameMapping":"given_name",
"lastNameMapping":"family_name",
"fullNameMapping":"name",
"useFullName":"false",
"idpConfigurationId":"00000000-0000-0000-0000-000000000000"
}
}
Notes:
-
The response hides the client secret and replaces it with
<omit>
. -
You can use the
testloginURL
to validate the OIDC configuration. When you enter the URL in a browser, details about the configuration displays. -
You can use the
idpConfigurationId
to assign the authentication method to a user using the Add User to Site and Update User methods.
Errors
HTTP status | error Code |
Condition | Details |
---|---|---|---|
400 | 400000 | Bad Request | The content of the request body is missing or incomplete, or contains malformed XML. |
401 | 401002 | Unauthorized Access | The authentication token provided in the request header was invalid or has expired. |
For more information, see Handling Errors.
Remove OpenID Connect Configuration
Disable and clear the Tableau Cloud site's OpenID Connect (OIDC) configuration.
Important: Before removing the OIDC configuration, make sure that users who are set to authenticate with OIDC are set to use a different authentication type. Users who are not set with a different authentication type before removing the OIDC configuration will not be able to sign in to Tableau Cloud.
Version: Available in API 3.22 (Tableau Cloud February 2024) and later. Not available for Tableau Server. Version Overview(Link opens in a new window)
License: No additional license required.
Permissions: Tableau Cloud site admins only.
JWT Access Scope: Not available. Access Scopes Overview: Cloud(Link opens in a new window)
URI
PUT /api/api-version/sites/site-luid/disable-site-oidc-configuration?idpConfigurationId=idp-configuration-id
Note: The resource, PUT /api/api-version/sites/site-luid/disable-site-oidc-configuration?idpConfigurationId=idpConfigurationId, was added in version 3.24. The original resource, PUT /api/api-version/sites/site-luid/disable-site-oidc-configuration, continues to be a supported resource if your site is configured with only one OIDC authentication configuration.
If you don’t specify an idpConfigurationId
value starting in API 3.24, the initial (default) OIDC configuration on the site is removed. If there is no initial OIDC configuration on the site, then no OIDC configuration is removed.
URI Parameter Values
api-version | The version of the API to use, such as 3.24 . For more information, see REST API and Resource Versions.
|
site-luid | The LUID for the site. |
idp-configuration-id | The ID of the configuration. To get the idpConfigurationId value, use the List Authentication Configurations method. |
Request Body
None
cURL Request Example
curl "https://us-west-2a.online.tableau.com/api/3.24/sites/9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d/disable-site-oidc-configuration?idpConfigurationId=b2207590-024c-4a6e-ac4a-eca6eefabb2e" -X PUT -H "X-Tableau-Auth:12ab34cd56ef78ab90cd12ef34ab56cd"
Response Code
200
Response Body
None
Errors
HTTP status | error Code |
Condition | Details |
---|---|---|---|
400 | 400000 | Bad Request | The content of the request body is missing or incomplete, or contains malformed XML. |
401 | 401002 | Unauthorized Access | The authentication token provided in the request header was invalid or has expired. |
For more information, see Handling Errors.
Update OpenID Connect Configuration
Update the Tableau Cloud site's OpenID Connect (OIDC) configuration.
Version: Available in API 3.22 (Tableau Cloud February 2024) and later. Not available for Tableau Server.Version Overview(Link opens in a new window)
License: No additional license required.
Permissions: Tableau Cloud site admins only.
JWT Access Scope: Not available. Access Scopes Overview: Cloud(Link opens in a new window)
URI
PUT /api/api-version/sites/site-luid/site-oidc-configuration
URI Parameter Values
api-version | The version of the API to use, such as 3.24 . For more information, see REST API and Resource Versions.
|
site-luid | The LUID for the site. |
Request Body
<tsRequest>
<siteOIDCConfiguration
idpConfigurationId="idpConfigurationId"
enabled="enabled"
clientId="clientId"
clientSecret="clientSecret"
authorizationEndpoint="authorizationEndpoint"
tokenEndpoint="tokenEndpoint"
userinfoEndpoint="userinfoEndpoint"
jwksUri="jwksUri"
idpConfigurationName="idpConfigurationName"
endSessionEndpoint="endSessionEndpoint"
allowEmbeddedAuthentication="allowEmbeddedAuthentication"
prompt="prompt"
customScope="customScope"
clientAuthentication="clientAuthentication"
essentialAcrValues="essentialAcrValues"
voluntaryAcrValues="voluntaryAcrValues"
emailMapping="emailMapping"
firstNameMapping="firstNameMapping"
lastNameMapping="lastNameMapping"
fullNameMapping="fullNameMapping"
useFullName="useFullName" />
</tsRequest>
{
"siteOIDCConfiguration": {
"idpConfigurationId": "idpConfigurationId",
"enabled": "enabled",
"clientId": "clientId",
"clientSecret": "clientSecret",
"authorizationEndpoint": "authorizationEndpoint",
"tokenEndpoint": "tokenEndpoint",
"userinfoEndpoint": "userinfoEndpoint",
"jwksUri": "jwksUri",
"idpConfigurationName": "idPConfigurationName",
"endSessionEndpoint": "endSessionEndpoint",
"allowEmbeddedAuthentication": "allowEmbeddedAuthentication",
"prompt":"prompt",
"customScope":"customScope",
"clientAuthentication": "clientAuthentication",
"essentialAcrValues": "essentialAcrValues",
"voluntaryAcrValues": "voluntaryAcrValues",
"emailMapping": "emailMapping",
"firstNameMapping": "firstNameMapping",
"lastNameMapping": "lastNameMapping",
"fullNameMapping": "fullNameMapping",
"useFullName": "useFullName"
}
}
Request Attributes
Note: Because partial updates are not supported therefore, you must include all the needed attributes in your request to ensure the configuration update is completed successfully.
idpConfigurationId
|
(Required)
Starting in API 3.24, multiple authentication configurations can be created and enabled at the same time. Include the idpConfigurationId to identify which configuration to update. If no IdPConfigurationId is specified, the initial (default) OIDC configuration is updated if it exists. To get the idpConfigurationId value, use the List Authentication Configurations method. For more information, see Authentication(Link opens in a new window) in the Tableau Cloud Help. |
enabled
|
(Required) Controls whether the configuration is enabled or not. Value can be "true" or "false". For example "true". |
clientId
|
(Required) The client ID from your IdP. For example, "0oa111usf1gpUkVUt0h1". |
clientSecret
|
(Required) The client secret from your IdP. |
authorizationEndpoint
|
(Required) Use the authorization endpoint from your IdP. To find the value, enter the configuration URL in a browser and obtain the user information endpoint (authorization_endpoint ) from the details that are returned. For example, "https://myidp.com/oauth2/v1/authorize". |
tokenEndpoint
|
(Required) Use the token endpoint from your IdP. To find the value, enter the configuration URL in a browser and obtain the token endpoint (token_endpoint ) from the details that are returned. For example, "https://myidp.com/oauth2/v1/token". |
userinfoEndpoint
|
(Required) Use the user information endpoint from your IdP. To find the value, enter the configuration URL in a browser and obtain the user information endpoint (userinfo_endpoint ) from the details that are returned. For example, "https://myidp.com/oauth2/v1/userinfo". |
jwksUri
|
(Required) Use the JWK set URI from your IdP. To find the value, enter the configuration URL in a browser and obtain the JWK set URI endpoint (jwks_uri ) from the details that are returned. For example, "https://myidp.com/oauth2/v1/keys". |
idpConfigurationName
|
(Optional) The name of the configuration. Starting in API 3.24, you can create and enable multiple authentication configurations. Authentication configurations that were enabled before API 3.24 are given a name and its name can't be updated. For example, "Initial OIDC". If this configuration was created after API 3.23 and no name is provided for the update, the name will stay the same. For more information, see Authentication(Link opens in a new window) in the Tableau Cloud Help. |
endSessionEndpoint
|
(Optional) If single logout (SLO) is enabled for the site, which is done through Tableau Cloud site UI, you can specify the configuration URL or the end session endpoint from your IdP. For example, "https://myidp.com/oauth2/v1/logout". |
allowEmbeddedAuthentication
|
(Optional) Controls how users authenticate when accessing embedded views. Value can be "true" or "false". Default value is "false", which authenticates users in a separate pop-up window. When set to "true", users authenticate using an inline frame (IFrame), which is less secure. |
customScope
|
(Optional) Specifies a custom scope user-related value that you can use to query the IdP. For example, "openid, email, profile". |
prompt
|
(Optional) Specifies whether the user is prompted for re-authentication and consent. For example, "login, consent". |
clientAuthentication
|
(Optional) Token endpoint authentication method. Value can be "client_secret_basic" or "client_secret_post". Default value is "client_secret_basic". |
essentialAcrValues
|
(Optional) List of essential Authentication Context Reference Class values used for authentication. For example, "phr". |
voluntaryAcrValues
|
(Optional) List of voluntary Authentication Context Reference Class values used for authentication. |
emailMapping
|
(Optional) Claim for retrieving email from the OIDC token. Default value is "email". |
firstNameMapping
|
(Optional) Claim for retrieving first name from the OIDC token. Default value is "given_name". You can use this attribute to retrieve the user’s display name when useFullName attribute is set to "false". |
lastNameMapping
|
(Optional) Claim for retrieving last name from the OIDC token. Default value is "family_name". You can use this attribute to retrieve the user’s display name when useFullName attribute is set to "false". |
fullNameMapping
|
(Optional) Claim for retrieving name from the OIDC token. Default value is "name". You can use this attribute to retrieve the user’s display name when useFullName attribute is set to "true". |
useFullName
|
(Optional) Controls what is used as the display name. Value can be "true" or "false". Default value is "false", which uses first name (firstNameMapping attribute) and last name (lastNameMapping attribute) as the user display name. When set to "true", full name (fullNameMapping attribute) is used as the user display name. |
cURL Request Example
curl "https://us-west-2a.online.tableau.com/api/3.24/sites/9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d/site-oidc-configuratioin" -X PUT -H "X-Tableau-Auth:12ab34cd56ef78ab90cd12ef34ab56cd" -d @create-update-oidc-config.xml
Content of create-update-oidc-config.xml:
<tsRequest>
<siteOIDCConfiguration
idpConfigurationId="idpConfigurationId"
enabled="enabled"
clientId="clientId"
clientSecret="clientSecret"
authorizationEndpoint="authorizationEndpoint"
tokenEndpoint="tokenEndpoint"
userinfoEndpoint="userinfoEndpoint"
jwksUri="jwksUri"
idPConfigurationName="idPConfigurationName"
endSessionEndpoint="endSessionEndpoint"
allowEmbeddedAuthentication="allowEmbeddedAuthentication"
prompt="prompt"
customScope="customScope"
clientAuthentication="clientAuthentication"
essentialAcrValues="essentialAcrValues"
voluntaryAcrValues="voluntaryAcrValues"
emailMapping="emailMapping"
firstNameMapping="firstNameMapping"
lastNameMapping="lastNameMapping"
fullNameMapping="fullNameMapping"
useFullName="useFullName" />
</tsRequest
Response Code
200
Response Body
<tsResponse>
<siteOIDCConfiguration
idpConfigurationId="00000000-0000-0000-0000-000000000000"
enabled="true"
testLoginUrl="https://sso.online.tableau.com/public/testLogin?alias=080bca2d-578b-49cc-b40d-3781b36b30ee&authSetting=OIDC"
allowEmbeddedAuthentication="false"
clientId="0oa111usf1gpUkVUt0h1"
clientSecret="<omit>"
authorizationEndpoint="https://myidp.com/oauth2/v1/authorize"
tokenEndpoint="https://myidp.com/oauth2/v1/token"
userinfoEndpoint="https://myidp.com/oauth2/v1/userinfo"
jwksUri="https://myidp.com/oauth2/v1/keys"
idPConfigurationName="Initial OIDC"
endSessionEndpoint="https://myidp.com/oauth2/v1/logout"
customScope="openid, email, profile"
prompt="login,consent"
clientAuthentication="client_secret_basic"
essentialAcrValues="phr"
emailMapping="email"
firstNameMapping="given_name"
lastNameMapping="family_name"
fullNameMapping="name"
useFullName="false" />
</tsResponse>
{
"siteOIDCConfiguration": {
"idpConfigurationId":"00000000-0000-0000-0000-000000000000",
"enabled":"true",
"testLoginUrl="https://sso.online.tableau.com/public/testLogin?alias=080bca2d-578b-49cc-b40d-3781b36b30ee&authSetting=OIDC",
"allowEmbeddedAuthentication":"false",
"clientId":"0oa111usf1gpUkVUt0h1",
"clientSecret":"<omit>",
"authorizationEndpoint":"https://myidp.com/oauth2/v1/authorize",
"tokenEndpoint":"https://myidp.com/oauth2/v1/token",
"userinfoEndpoint":"https://myidp.com/oauth2/v1/userinfo",
"jwksUri":"https://myidp.com/oauth2/v1/keys",
"idPConfigurationName":"Initial OIDC",
"endSessionEndpoint":"https://myidp.com/oauth2/v1/logout",
"customScope":"openid, email, profile",
"prompt":"login,consent",
"clientAuthentication":"client_secret_basic",
"essentialAcrValues":"phr",
"emailMapping":"email",
"firstNameMapping":"given_name",
"lastNameMapping":"family_name",
"fullNameMapping":"name",
"useFullName":"false"
}
}
Notes:
-
The response hides the client secret and replaces it with
<omit>
. -
You can use the testloginURL to validate the OIDC configuration. When you enter the URL in a browser, details about the configuration displays.
-
You can use the idpConfigurationId to assign authentication to a user using the Add User to Site and Update User methods.
Errors
HTTP status | error Code |
Condition | Details |
---|---|---|---|
400 | 400000 | Bad Request | The content of the request body is missing or incomplete, or contains malformed XML. |
401 | 401002 | Unauthorized Access | The authentication token provided in the request header was invalid or has expired. |
For more information, see Handling Errors.