Configure Tableau Server for OpenID Connect
This topic describes how to configure Tableau Server to use OpenID Connect (OIDC) for single-sign on (SSO). This is one step in a multi-step process. The following topics provide information about configuring and using OIDC with Tableau Server.
OpenID Connect Overview
Configure Tableau Server for OpenID Connect (you are here)
Notes:
- Before you perform the steps described here, you must configure the OpenID identity provider (IdP) as described in Configure the Identity Provider for OpenID Connect.
- The procedures described in this topic apply to OIDC authentication configured in TSM during Tableau Server setup and not OIDC authentication configured with identity pools. For more information about identity pools, see Provision and Authenticate Users Using Identity Pools.
Open TSM in a browser:
https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.
Click User Identity & Access on the Configuration tab and then click Authentication Method.
Under Authentication Method, select OpenID Connect in the drop-down menu.
Under OpenID Connect, select Enable OpenID authentication for the server.
Enter the OpenID configuration information for your organisation:
Note: If your provider relies on a configuration file hosted on the local computer (rather than a file hosted at a public URL), you can specify the file with the tsm authentication openid <commands>. Use the
--metadata-file <file_path>
option to specify a local IdP configuration file.Click Save Pending Changes after you've entered your configuration information.
Click Pending Changes at the top of the page:
Click Apply Changes and Restart.
The procedure in this section describes how to use TSM command line interface to configure OpenID Connect. You can also use a configuration file for the initial configuration of OpenID Connect. See openIDSettings Entity.
Use the
configure
command of tsm authentication openid <commands> to set the following required options:--client-id <id>
: Specifies the provider client ID that your IdP has assigned to your application. For example,“laakjwdlnaoiloadjkwha"
.--client-secret <secret>
: Specifies the provider client secret. This is a token that is used by Tableau to verify the authenticity of the response from the IdP. This value is a secret and should be kept securely. For example,“xxxhfkjaw72123="
.--config-url <url>
or--metadata-file <file_path>
: Specifies location of provider configuration json file. If the provider hosts a public json discovery file, then use--config-url
. Otherwise, specify a path on the local computer and file name for--metadata-file
instead.--return-url <url>
: The URL of your server. This is typically is the public name of your server, such as"http://example.tableau.com"
.For example, run the command:
tsm authentication openid configure --client-id “xxxkjwdlnaoiloadjkxxx" --client-secret “xxxhfkjaw72123=" --config-url "https://example.com/openid-configuration" --return-url "http://tableau.example.com"
There are additional, optional configurations that you can set for Open ID Connect using either openIDSettings Entity or tsm authentication openid <commands>. In addition, if you need to configure IdP claim mapping, see Options for openid map-claims.
Type the following command to enable Open ID Connect:
tsm authentication openid enable
Run
tsm pending-changes apply
to apply changes.If the pending changes require a server restart, the
pending-changes apply
command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the--ignore-prompt
option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.