OpenID Connect

You can configure Tableau Cloud to support OpenID Connect (OIDC) for single sign-in (SSO). OIDC is a standard authentication protocol that lets users sign in to an identity provider (IdP) such as Google or Salesforce. After they've successfully signed in to their IdP, they are automatically signed in to Tableau Cloud.

Configuring OIDC involves several steps. The topics in this section provide general information about using Tableau Cloud with OIDC, and provide a sequence for configuring the IdP and Tableau Cloud.

To configure OIDC using the Tableau REST API, see OpenID Connect Authentication Methods(Link opens in a new window) in the Tableau REST API Help.

Authentication overview

This section describes the OpenID Connect (OIDC) authentication process with Tableau Cloud.

1. A user attempts to log in to Tableau Cloud from a client computer.

2. Tableau Cloud redirects the request for authentication to the IdP gateway.

3. The user is prompted for credentials and successfully authenticates to the IdP. The IdP responds with a redirect URL back to Tableau Cloud. The redirect URL includes an authorisation code for the user.

4. The client is redirected to Tableau Cloud and presents the authorisation code.

5. Tableau Cloud presents the client's authorisation code to the IdP along with its own client credentials. Tableau Cloud is also a client of the IdP. This step is intended to prevent spoofing or man-in-the-middle attacks.

6. The IdP returns an access token and an ID token to Tableau Cloud.

  • JSON Web Token (JWT) validation: By default, Tableau Cloud performs a validation of the IdP JWT. During discovery, Tableau Cloud retrieves the public keys specified by the jwks_uri in the IdP configuration discovery document. Tableau Cloud validates the ID token for expiry and then verifies the JSON web signature (JWS), the issuer (IdP) and the client ID. You can learn more about the JWT process in the OIDC documentation, 10. Signatures and Encryption(Link opens in a new window), and the IETF proposed standard, JSON Web Token(Link opens in a new window). We recommend leaving JWT validation enabled, unless your Idp does not support it.

  • The ID token is a set of attribute key-pairs for the user. The key-pairs are called claims. Here is an example IdP claim for a user:

    "sub"                     : "7gYhRR3HiRRCaRcgvY50ubrtjGQBMJW4rXbpPFpg2cptHP62m2sqowM7G1LwjN5"
    "email"                   : "alice@example.com",
    "email_verified"          : true,
    "name"                    : "Alice Adams",
    "given_name"              : "Alice",
    "family_name"             : "Adams",		

7. Tableau Cloud identifies the user from the IdP claims and completes the authentication request from step 1.Tableau Cloud can be configured to use different claims for this process. See Requirements.

8. Tableau Cloud authorises the user.

How Tableau Cloud works with OpenID Connect

OpenID Connect (OIDC) is a flexible protocol that supports many options for the information that's exchanged between a service provider (here, Tableau Cloud) and an IdP. The following list provides details about the Tableau Cloud implementation of OIDC. These details can help you understand what types of information Tableau Cloud sends and expects, and how to configure an IdP.

  • Tableau Cloud supports only the OpenID Authorisation Code Flow as described in the OpenID Connect final specification(Link opens in a new window) in the OpenID Connect documentation.

  • Tableau Cloud relies on using discovery or a provider URL to retrieve the IdP metadata.

  • Tableau Cloud supports the client_secret_basic (default) and client_secret_post client authentication, and other parameters specified in the OpenID Connect specification. These can only be configured using the Tableau REST API.

Dynamic group membership using OIDC assertions

Beginning in June 2024, if OIDC authentication is configured and the capability’s setting enabled, you can dynamically control group membership through custom claims included in the JSON Web Token (JWT) sent by the identity provider (IdP).

When configured, during user authentication, the IdP sends the OIDC assertion that contains two custom group membership claims: group (https://tableau.com/groups) and group names (for example, "Group1" and "Group2") to assert the user into. Tableau validates the assertion and then enables access to the groups and the content whose permissions are dependent on those groups.

For more information, see Dynamic group membership using assertions.

Example JWK

"sub"                     : "7gYhRR3HiRRCaRcgvY50ubrtjGQBMJW4rXbpPFpg2cptHP62m2sqowM7G1LwjN5"
"email"                   : "alice@example.com",
"email_verified"          : true,
"name"                    : "Alice Adams",
"given_name"              : "Alice",
"family_name"             : "Adams",
"https://tableau.com/groups": ["Group1", "Group2"]
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!