openIDSettings Entity
Before you configure OpenID authentication, review Requirements for Using OpenID Connect.
Use the configuration file template below to create a JSON file. After you have filled in the options with the appropriate values, import the file and apply the settings with the following commands:
tsm settings import -f path-to-file.json
tsm pending-changes apply
If the pending changes require a server restart, the pending-changes apply command displays a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, they are applied without a prompt. For more information, see tsm pending-changes apply.
Configuration template
Use this template to configure OpenID settings.
Important: All entity options are case sensitive.
For more explanation about configuration files, entities and keys see Configuration File Example.
After you have finished with the initial configuration of OIDC, use the tsm authentication openid <commands> sub-category to set additional values.
{
  "configEntities": {
    "openIDSettings": {
      "_type": "openIDSettingsType",
      "enabled": true,
      "clientId": "required",
      "clientSecret": "required",
      "configURL": "required if staticFile value is not set",
      "staticFile": "required if configURL value is not set",
      "externalURL": "required"
    }
  }
}
Configuration file reference
The following list includes all of the options that can be included with the "openIDSettings" entity set.
- _type
Required. Do not change.
- enabled
Required. Set to true.
- clientId
Required. Specifies the provider client ID that your IdP has assigned to your application. For example, "laakjwdlnaoiloadjkwha".
- clientSecret
Required. Specifies the provider client secret. This is a token that is used by Tableau to verify the authenticity of the response from the IdP. This value is a secret and should be kept securely. For example, "fwahfkjaw72123=".
- configURL
Required if staticFile is not set. Specifies the provider configuration (OIDC discovery) URL. If you do not specify a configuration URL, delete this option and specify a path and file name for staticFile instead.
- staticFile
Required if configURL is not set. Specifies the local path to the static OIDC discovery JSON document. If you do not specify a static file, delete this option and specify a URL for configURL instead.
- externalURL
Required. The URL of your server. This is typically the public name of your server, such as http://example.tableau.com. Use the scheme and host name that users' browsers actually reach the server with, because the IdP sends the browser back to this URL after sign-in.
- connectionTimeout
Optional. Specifies the connection timeout span in seconds. Default is 10.
- readTimeout
Optional. Specifies the read timeout span in seconds. Default is 30.
- ignoreDomain
Set this to true if all of the following are true:
  - You are using email addresses as usernames in Tableau Server
  - You have provisioned users in the IdP with multiple domain names
  - You want to ignore the domain name portion of the email claim from the IdP
Before you proceed, review the user names that will result from setting this option to true. User name conflicts may occur: with the domain ignored, alice@example.com and alice@example.org both become the Tableau user alice, so whichever of them signs in is treated as the same user. In the case of a user name conflict, the risk of information disclosure is high. See Requirements for Using OpenID Connect.
- ignoreJWK
Set this to true if your IdP does not support JWK validation. Tableau then no longer validates ID tokens against the IdP's JSON Web Key set, so the authenticity of the IdP's responses rests entirely on the transport; in this case, we recommend authenticating communication with your IdP using mutual TLS or another network layer security protocol. Default is false.
- customScope
Specifies a custom, user-related scope value that you can use to query the IdP. See Requirements for Using OpenID Connect.
- idClaim
Change this value if your IdP does not use the sub claim to uniquely identify users in the ID token. The IdP claim that you specify should contain a single, unique string.
- usernameClaim
Change this value to the IdP claim that your organisation will use to match user names as stored in Tableau Server.
- clientAuthentication
Specifies a custom client authentication method for OpenID Connect. To configure Tableau Server to use the Salesforce IdP, set this value to client_secret_post.
- iFramedIDPEnabled
Set to true to allow the IdP sign-in page to be displayed in an iFrame. The IdP must disable its clickjack protection to allow iFrame presentation, which leaves that sign-in page exposed to clickjacking; enable this only when embedding the IdP is actually required.