Configure Tableau Cloud or TCM for OpenID Connect

This topic describes how to configure Tableau Cloud or Tableau Cloud Manager (TCM) to use OpenID Connect (OIDC) for single-sign on (SSO). This is one step in a multi-step process. The following topics provide information about configuring and using OIDC with Tableau Cloud or TCM.

OpenID Connect Overview
Configure the Identity Provider for OpenID Connect
Configure Tableau Cloud or TCM for OpenID Connect (you are here)

Notes:

Before you perform the steps described here, you must configure the OpenID provider as described in Configure the Identity Provider for OpenID Connect. Separate setup and app integration is required to enable OIDC authentication for Tableau Cloud and TCM.
Alternatively, you can configure OIDC authentication for Tableau Cloud using the Tableau REST API using the OpenID Connect methods(Link opens in a new window). Note: Applies to Tableau Cloud only.
For Tableau Cloud, the Tableau REST API and tabcmd do not support OIDC single-sign (SSO). To use tabcmd or the Tableau REST API(Link opens in a new window), users must sign in to Tableau Cloud using a personal access token (PAT).
For TCM, the Tableau Cloud Manager REST API does not support OIDC SSO. To use the TCM REST API(Link opens in a new window), users must sign in to TCM using a PAT.

Requirements

Parameters

Client ID: This value is issued by the IdP and specifies an identifier for the registered Tableau Cloud or TCM. This enables the IdP to know where the authentication request is coming from.
Client secret: This is a token that is used by Tableau Cloud or TCM to verify the authenticity of the response from the IdP. This value should be kept securely.
Configuration URL: This value specifies the URL that the IdP redirects to after the user has authenticated. The URL must include the host and protocol (for example, https://admin.okta.com/oauth2/default/.well-known/openid-configuration), but Tableau provides the URL endpoint. This URL specifies the location of the provider configuration discovery document that contains the OpenID provider metadata.

Note: If your IdP does not provide a configuration URL, use a URL that ends with .well-known/openid-configuration. For Tableau Cloud, consider using the OpenID Connect Authentication Methods(Link opens in a new window) in the Tableau REST API to configure OIDC.

Optional parameters

Note: Applies to Tableau Cloud only.

The following optional parameters can be configured using the OpenID Connect Authentication Methods(Link opens in a new window) in the Tableau REST API.

Prompt: Prompts the user for re-authentication and consent. By default, user consent is turned on.
Custom scope: Custom scope user-related value to query the IdP.
Client authentication: Token endpoint authentication method. Default value is 'client_secret_basic'. The value 'client_secret_post' is supported.
Essential ACR values: List of essential Authentication Context Reference Class values used for authentication.
Voluntary ACR values: List of voluntary Authentication Context Reference Class values used for authentication.

Claims

To sign in successfully to Tableau Cloud or TCM, a given user must be provisioned in OpenID Connect (OIDC) IdP and then mapped to a user account on Tableau Cloud or TCM. OIDC uses a method that relies on claims to share user account attributes with other applications. Tableau Cloud or TCM relies on the IdP claim to map user accounts from the IdP to those hosted on Tableau Cloud or TCM. Claims include user account attributes such as email, given name, etc. To understand how Tableau Cloud or TCM maps IdP claims to user accounts, see Authentication overview.

Note: Claims are case sensitive.

Username: By default, Tableau expects the IdP to pass the username claim. Depending on your IdP, you may need to configure Tableau Cloud to use a different IdP claim. Note: The username in Tableau is immutable and cannot be updated at any time.
Name claim: You can specify name or given and family name to retrieve DisplayName for the user.
Email claim: Optionally, beginning in July 2025, you can specify an email address that is different from the username. The email address claim is used for notifications purposes only and not used for sign-in.

Enable OIDC single sign-on

Step 1: Configure OpenID Connect

For Tableau Cloud

Sign in to Tableau Cloud as a site admin and select Settings > Authentication.
On the Authentication tab, click the New Configuration button, select OpenID Connect (OIDC), and enter a name for the configuration.
Follow the steps to configure Tableau Cloud for OIDC authentication by doing the following:
1. In step 1, enter the required information from your IdP, including client ID, client secret, and configuration URL.
2. In step 2, copy the Tableau Cloud redirect URL that you will paste into your IdP's portal to redirect users after they authenticate.
3. In step 3, enter the claims to ensure the correct mapping of users' username and display name.
4. In step 4, optionally enable single logout (SLO) if your IdP supports it.
5. In step 5, optionally choose how users authenticate when accessing embedded view: in a separate pop-up window or using an inline iFrame.
  
  Note: You can select the authentication type for embedded views under the Default Authentication Type for Embedded Views section on the Authentication page (below the OIDC configuration steps).
When finished, click the Save Changes button.

Note: When editing the OIDC configuration, the client secret is hidden and needs to be reentered before any changes can be saved.

For TCM

Sign in to TCM as a cloud admin and select Settings > Authentication.
On the Authentication tab, select the Enable an additional authentication method check box.
Select OpenID Connect (OIDC) from the drop-down menu and click the Configuration (required) drop-down arrow.
Follow the steps to configure TCM for OIDC authentication by doing the following:
1. In step 1, enter the required information from your IdP, including client ID, client secret, and configuration URL.
2. In step 2, copy the TCM redirect URL that you will paste into your IdP's portal to redirect users after they authenticate.
3. In step 3, enter the claims to ensure the correct mapping of users' username and display name.
4. In step 4, optionally enable single logout (SLO) if your IdP supports it.
When finished, click the Save Changes button.

Note: When editing the OIDC configuration, the client secret is hidden and needs to be reentered before any changes can be saved.

Step 2: Test the configuration

We highly recommend you test the configuration to avoid any locked out scenarios. Testing the configuration helps ensure that you have configured OIDC correctly before changing the authentication type of your users to OIDC. To test the configuration successfully, make sure that there is at least one user who you can sign in as who is already provisioned in the IdP and added to Tableau Cloud or TCM with OIDC authentication type configured.

Note: If you’re not sure what the claims are, complete the configuration and test the configuration. Testing the configuration will produce a new window with the claim mappings details, including the username and display name claims. Some IdPs may map email address to the Tableau username.

For Tableau Cloud

On the Authentication tab while OpenID Connect (OIDC) is selected, under step 6, click the Test Configuration button. A new window displays with details about the configuration.
When finished, complete the OIDC setup by adding users to your site by following the step below.

For TCM

On the Authentication tab while OpenID Connect (OIDC) is selected, under step 5, click the Test Configuration button. A new window displays with details about the configuration.
When finished, complete the OIDC setup by adding users to your tenant by following the step below.

Step 3: Add users to the OpenID Connect-enabled Tableau site or TCM

The steps described in this section are performed on the Tableau Cloud’s or TCM's Users page.

After you complete the steps above, return to your Tableau Cloud site or TCM.
From the left pane, select the Users page.
Follow the procedure described in one of the following topics:
- For Tableau Cloud, see Add Users to a Site
- For TCM, see Manage Users With Tableau Cloud Manager

Troubleshoot

Use the following sections to troubleshoot OpenID Connect (OIDC) issues in Tableau Cloud or TCM.

OIDC protocol is supported by many identity providers. The OIDC protocol is an open and flexible standard, and as such, not all implementations of the standard are identical. Most issues that administrators encounter when configuring Tableau Cloud or TCM for OIDC are the result of how different identity providers implement OIDC. If you encounter errors as you set up OIDC with Tableau, we recommend that you work with your IdP to resolve them.

Signing in from the command line

For Tableau Cloud

Even if Tableau Cloud is configured to use OIDC, OIDC authentication isn’t used when you sign in to Tableau Cloud using tabcmd, the Tableau REST API(Link opens in a new window), or the Tableau Data Extract command line utility(Link opens in a new window) (provided with Tableau Desktop).

For TCM

Similarly, even if TCM is configured to use OIDC, OIDC authentication isn’t used when you sign in to Tableau Cloud Manager REST API(Link opens in a new window).

Sign-in failed

In some cases, sign-in to Tableau Cloud or TCM can fail with the following message:

Login failure: Identity Provider authentication unsuccessful for user <username_from_IdP>. Failed to find the user in Tableau Cloud.

This error typically means that there’s a mismatch between a username stored in Tableau and the username provided by the IdP. To resolve this, make sure the username values match. For example, if Jane Smith's username is stored in the IdP as "jsmith@example.com" it must be stored in Tableau Cloud or TCM as "jsmith@example.com" as well.

Customize and control data access using user attributes

User attributes are user metadata defined by your organization. User attributes can be used to determine access in a typical attribute-based access control (ABAC) authorization model. User attributes can be any aspect of the user profile, including job roles, departmental membership, management level, etc. They might also be associated with run-time user contexts like where the user is signed in or their language preference.

By including user attributes in your workflow, you can control and customize the user experience through data access and personalization.

Data access: User attributes can be used to enforce data security policies. This ensures that users only see the information they are authorized to see.
Personalization: By passing user attributes like location and role, your content can be customized to display only the information relevant to the user accessing it, making it easier for them to find the information they need.

Summary of steps to pass user attributes

The process of enabling user attributes in a workflow is summarized in the following steps:

Enable the user attributes setting
Include user attributes in the JWT
Ensure the content author includes user attribute functions and relevant filters
Review the content

Step 1: Enable the user attributes setting

For security purposes, user attributes are only validated in an authentication workflow when the user attribute setting is enabled by a site admin.

Sign in to Tableau Cloud and click Settings > Authentication.
Under Control User Access in Authentication Workflows heading, select the Enable capture of user attributes in authentication workflows checkbox.

For more information about site settings, see Control User Access in Authentication Workflows.

Step 2: Include user attribute claims in the JWT

Make sure the JSON Web Token (JWT) contains the user attributes.

Note: Attributes in the JWT are subject to 4096 character limit, with the exception of scope or scp attributes. If the attributes in the JWT, including user attributes, exceed this limit, Tableau will remove the attributes and pass the ExtraAttributesRemoved attribute instead. The content author can then create a calculation with the ExtraAttributesRemoved attribute to determine how to display the content to users when the attribute has been detected.

Example

Suppose you have an employee, Fred Suzuki, who is a manager located in the South region. You want to ensure that, when Fred reviews reports, he is only able to see data for the South region. In a scenario like this, you might include the Region user attribute in the JWT like in the example below.

{
"iss":"https://myidp.okta.com/oauth2/default,
"sub": user,
"aud": "Tableau",
"email": "fsuzuki@example.com",
"email_verified": true,
"name": "Fred Suzuki",
"region": "South"
}

Step 3: Ensure the content author includes attribute functions

Ensure the content author includes the user attribute functions and related filters to control what data can display in their content. To ensure the user attributes claims are passed to Tableau, the content must contain one of the following user attribute functions:

USERATTRIBUTE('attribute_name')
USERATTRIBUTEINCLUDES('attribute_name', 'expected_value')

The function that the content author uses depends on whether the user attributes are expected to return a single value or multiple values. For more information about these functions and examples of each, see User Functions(Link opens in a new window) in the Tableau Help.

Notes:

Preview of the content with these functions are not available when authoring in Tableau Desktop or in Tableau Cloud. The function will return NULL or FALSE. To ensure the user functions work as expected, we recommend the author review the functions after making the content available.
To ensure content renders as expected, the content author might consider including a calculation that uses the ExtraAttributesRemoved that 1) checks for this attribute and 2) determines what to do with the content if it does, such as show a message. Tableau will only add the ExtraAttributesRemoved attribute and removes all other attributes (except scp or scope) when the attributes in the JWT exceed 4096 characters. This is to ensure optimal performance and to respect storage limitations.

Example

Continuing the example introduced in Step 2: Include user attribute claims in the JWT above, to pass the “Region” user attribute claim to a workbook, the author can include USERATTRIBUTEINCLUDES. For example, USERATTRIBUTEINCLUDES('Region', [Region]), where ‘Region’ is the user attribute and [Region] is a column in the data. Using the new calculation, the author can create a table with Manager and Sales data. When the calculation is added, the workbook returns “False” values as expected.

To show only the data associated with the South region in the embedded workbook, the author can create a filter and customize it to show values when the South region is “True.” When the filter is applied, the workbook becomes blank as expected because the function is returning “False” values and the filter is customized to show “True” values only.

Step 4: Review the content

Review and validate the content.

Example

To conclude the example from Step 3: Ensure the content author includes attribute functions above, you can see the Sales data in the view is customized to Fred Suzuki because his user context is the South region.

Managers from the regions represented in the workbook should see the value associated with their region. For example, Sawdie Pawthorne from the West region sees data specific to her region.

Managers whose regions are not represented in the workbook see a blank workbook.

Known issues and limitations

There a few known issues and limitations you should consider when working with user attribute functions.

Blank images using the Tableau REST API

Tableau REST API requests Query Preview Image(Link opens in a new window), Query Workbook Image(Link opens in a new window), and Get Custom View Image(Link opens in a new window) produce blank images.

Limitations

User attribute functions in published data sources (.pds) are not supported.
User attribute functions in Tableau Bridge workflows are not supported.

Thanks for your feedback!

Your feedback has been successfully submitted. Thank you!

Tableau Cloud Help