Configure Tableau Cloud for OpenID Connect
This topic describes how to configure Tableau Cloud to use OpenID Connect (OIDC) for single-sign on (SSO). This is one step in a multi-step process. The following topics provide information about configuring and using OIDC with Tableau Cloud.
-
OpenID Connect Overview
-
Configure Tableau Cloud for OpenID Connect (you are here)
Notes:
- Before you perform the steps described here, you must configure the OpenID identity provider (IdP) as described in Configure the Identity Provider for OpenID Connect.
- Alternatively, you can configure OIDC authentication for Tableau Cloud using the Tableau REST API using the OpenID Connect methods(Link opens in a new window).
- The Tableau REST API and tabcmd do not support OIDC single-sign (SSO). To use tabcmd or the REST API(Link opens in a new window), users must sign in to Tableau Cloud using a TableauID account.
Requirements
Parameters
-
Client ID: This value is issued by the IdP and specifies an identifier for the registered Tableau Cloud. this enables the IdP to know where the authentication request is coming from.
-
Client secret: This is a token that is used by Tableau Cloud to verify the authenticity of the response from the IdP. This value should be kept securely.
-
Configuration URL: This value specifies the URL that the IdP redirects to after the user has authenticated. The URL must include the host and protocol (for example,
https://admin.okta.com/oauth2/default/.well-known/openid-configuration
), but Tableau provides the URL endpoint. Specifies the location of the provider configuration discovery document that contains the OpenID provider metadata.Note: If your IdP does not provide a configuration URL, a URL that ends with
.well-known/openid-configuration
, consider using the OpenID Connect Authentication Methods(Link opens in a new window) in the Tableau REST API to configure OIDC.
Optional parameters
The following optional parameters can be configured using the OpenID Connect Authentication Methods(Link opens in a new window) in the Tableau REST API.
-
Prompt: Prompts the user for re-authentication and consent. By default, user consent is turned on.
-
Custom scope: Custom scope user-related value to query the IdP.
-
Client authentication: Token endpoint authentication method. Default value is
'client_secret_basic'
. The value'client_secret_post'
is supported. -
Essential ACR values: List of essential Authentication Context Reference Class values used for authentication.
-
Voluntary ACR values: List of voluntary Authentication Context Reference Class values used for authentication.
Claims
To sign in successfully to Tableau Cloud, a given user must be provisioned in OpenID Connect (OIDC) IdP and then mapped to a user account on Tableau Cloud. OIDC uses a method that relies on claims to share user account attributes with other applications. Tableau Cloud relies on the IdP claim to map user accounts from the IdP to those hosted on Tableau Cloud. Claims include user account attributes such as email, given name, etc. To understand how Tableau Cloud maps IdP claims to user accounts, see Authentication overview.
Note: Claims are case sensitive.
-
Username: By default, Tableau Cloud expects the IdP to pass the username claim. Depending on your IdP, you may need to configure Tableau Cloud to use a different IdP claim.
Note: The username in Tableau Cloud is immutable and cannot be updated at any time.
-
Name claim: You can specify name or given and family name to retrieve DisplayName for the user.
Step 1: Configure OpenID Connect
-
Sign in to Tableau Cloud as a site admin and select Settings > Authentication.
-
On the Authentication tab, select OpenID Connect (OIDC).
-
Follow the steps to configure Tableau Cloud for OIDC authentication by doing the following:
-
In step 1, enter the required information from your IdP, including client ID, client secret, and configuration URL.
-
In step 2, copy the Tableau Cloud redirect URL that you will paste into your IdP's portal to redirect users after they authenticate.
-
In step 3, enter the claims to ensure the correct mapping of users' username and display name.
-
In step 4, optionally enable single logout (SLO) if your IdP supports it.
-
In step 5, optionally choose how users authenticate when accessing embedded view: in a separate pop-up window or using an inline iFrame.
Note: You can select the authentication type for embedded views under the Default Authentication Type for Embedded Views section on the Authentication page (below the OIDC configuration steps).
-
-
When finished, click the Save Changes button.
Note: When editing OIDC configuration, the client secret is hidden and needs to be reentered before any changes can be saved.
Step 2: Test the configuration
We highly recommend you test the configuration to avoid any locked out scenarios. Testing the configuration helps ensure that you have configured OIDC correctly before changing the authentication type of your users to OIDC. To test the configuration successfully, make sure that there is at least one user who you can sign in as who is already provisioned in the IdP and added to your Tableau Cloud with OIDC authentication type configured.
Note: If you’re not sure what the claims are, complete the configuration and test the configuration. Testing the configuration will produce a new window with the claim mappings details, including the username and display name claims. Some IdPs may map email address to the Tableau username.
-
On the Authentication tab while OpenID Connect (OIDC) is selected, under step 6, click the Test Configuration button. A new window displays with details about the configuration.
-
When finished, complete the OIDC setup by adding users to your site by following the step below.
Step 3: Add users to the OpenID Connect-enabled Tableau site
The steps described in this section are performed on the Tableau Cloud’s Users page.
-
After you complete the steps above, return to your Tableau Cloud site.
-
From the left pane, select the Users page.
-
Follow the procedure described in Add Users to a Site topic.
Troubleshoot
Use the following topics to troubleshoot OpenID Connect (OIDC) issues in Tableau Cloud.
OIDC protocol is supported by many identity providers. The OIDC protocol is an open and flexible standard, and as such, not all implementations of the standard are identical. Most issues that administrators encounter when configuring Tableau Cloud for OIDC are the result of how different identity providers implement OIDC. If you encounter errors as you set up OIDC with Tableau Cloud, we recommend that you work with your IdP to resolve them.
Signing in from the command line
Even if Tableau Cloud is configured to use OIDC, OIDC authentication isn’t used when you sign in to Tableau Cloud using tabcmd, the Tableau REST API(Link opens in a new window), or the Tableau Data Extract command line utility(Link opens in a new window) (provided with Tableau Desktop).
Sign-in failed
In some cases, sign-in to Tableau Cloud can fail with the following message:
Login failure: Identity Provider authentication unsuccessful for user <username_from_IdP>. Failed to find the user in Tableau Cloud.
This error typically means that there’s a mismatch between a username stored in Tableau Cloud and the username provided by the IdP. To resolve this, make sure the username values match. For example, if Jane Smith's username is stored in the IdP as "jsmith@example.com" it must be stored in Tableau Cloud as "jsmith@example.com" as well.