openIDSettings Entity

Before you configure OpenID authentication, review Requirements for Using OpenID Connect.

Use the configuration file template below to create a json file. After you have filled in the options with the appropriate values, pass the json file and apply settings with the following commands:

tsm settings import -f path-to-file.json

tsm pending-changes apply

If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Configuration template

Use this template to configure OpenID settings.

Important: All entity options are case sensitive.

For more explanation about configuration files, entities and keys see Configuration File Example.

After you have finished with the initial configuration of OIDC, use the tsm authentication openid <commands> sub-category to set additional values.

{
	"configEntities": {
	    "openIDSettings": {
		"_type": "openIDSettingsType",
		"enabled": true,
		"clientId": "required",
		"clientSecret": "required",
		"configURL": "required if staticFile value is not set",
		"staticFile": "required if configURL value is not set",
		"externalURL": "required"
		}
	  }
}

Configuration file reference

The following list includes all of the options that can be included with the "openIDSettings" entity set.

_type

Required.

Do not change.

enabled

Required.

Set to true.

clientId

Required.

Specifies the provider client ID that your IdP has assigned to your application. For example, “laakjwdlnaoiloadjkwha".

clientSecret

Required.

Specifies the provider client secret. This is a token that is used by Tableau to verify the authenticity of the response from the IdP. This value is a secret and should be kept securely.

For example, “fwahfkjaw72123=".

configURL

Required.

Specifies provider configuration URL. If you do not specify a configuration URL, then delete this option and specify a path and file name for staticFile instead.

staticFile

Required.

Specifies the local path to the static OIDC discovery JSON document. If you do not specify a static file, then delete this option and specify a url for configURL instead.

externalURL

Required.

The URL of your server. This is typically is the public name of your server, such as http://example.tableau.com.

connectionTimeout

Optional.

Specifies connection timeout span in seconds. Default is 10.

readTimeout

Optional.

Specifies read timeout span in seconds. Default is 30.

ignoreDomain

Set this to true if the following are true:

You are using email addresses as usernames in Tableau Server
You have provisioned users in the IdP with multiple domain names
You want to ignore the domain name portion of the email claim from the IdP

Before you proceed, review the user names that will be used as a result of setting this option to true. User name conflicts may occur. In the case of a user name conflict, the risk of information disclosure is high. See Requirements for Using OpenID Connect.

ignoreJWK: Set this to true if your IdP does not support JWK validation. In this case, we recommend authenticating communication with your IdP using mutual TLS or another network layer security protocol. Default is false.

customScope: Specifies a custom scope user-related value that you can use to query the IdP. See Requirements for Using OpenID Connect.

idClaim: Change this value if your IdP does not use the subclaim to uniquely identify users in the ID token. The IdP claim that you specify should contain a single, unique string.

usernameClaim: Change this value to the IdP claim that your organisation will use to match user names as stored in Tableau Server.

clientAuthentication

Specifies custom client authentication method for OpenID Connect.

To configure Tableau Server to use the Salesforce IdP, set this value to client_secret_post.

iFramedIDPEnabled: Set to true to allow IdP displayed in an iFrame. The IdP must disable clickjack protection to allow iFrame presentation.

Thanks for your feedback!

Your feedback has been successfully submitted. Thank you!

Tableau Server on Linux Help