OpenID Connect

You can configure Tableau Server to support OpenID Connect for single sign-on (SSO). OpenID Connect is a standard authentication protocol that lets users sign in to an identity provider (IdP) such as Google. After they've successfully signed in to their IdP, they are automatically signed in to Tableau Server.

Configuring OpenID Connect involves several steps. The topics in this section provide general information about using Tableau Server with OpenID Connect, and provide a sequence for configuring the IdP and Tableau Server.

Authentication overview

This section describes the OpenID Connect authentication process with Tableau Server.

Step 1: A user attempts to log in to Tableau Server from a client computer.

Step 2: Tableau Server redirects the request for authentication to the IdP gateway.

Step 3: The user is prompted for credentials and successfully authenticates to the IdP. The IdP responds with a redirect URL back to Tableau Server. The redirect URL includes an authorization code for the user.

Step 4: The client is redirected to Tableau Server and presents the authorization code.

Step 5: Tableau Server presents the client's authorization code to the IdP along with its own client credentials. Tableau Server is itself a registered client of the IdP. Presenting the client credentials with the code is intended to prevent spoofing or man-in-the-middle attacks: a code intercepted in Step 4 cannot be exchanged for tokens without them.

Step 6: The IdP returns an access token and an ID token to Tableau Server.

  • JSON Web Token (JWT) validation: By default Tableau Server validates the ID token (a JWT) issued by the IdP. During discovery, Tableau Server retrieves the public keys specified by the jwks_uri in the IdP configuration discovery document. Tableau Server checks the ID token for expiry and then verifies the JSON Web Signature (JWS), the issuer (IdP), and the client ID (audience). You can learn more about the JWT process in the OpenID documentation, 10. Signatures and Encryption, and the IETF proposed standard, JSON Web Token. We recommend leaving JWT validation enabled unless your IdP does not support it: with validation turned off, the claims in the token are accepted without a signature check.

  • The ID token is a set of attribute key-value pairs for the user. The pairs are called claims. Here is an example set of claims for a user:

    {
      "sub"                     : "7gYhRR3HiRRCaRcgvY50ubrtjGQBMJW4rXbpPFpg2cptHP62m2sqowM7G1LwjN5",
      "email"                   : "alice@tableau.com",
      "email_verified"          : true,
      "name"                    : "Alice Adams",
      "given_name"              : "Alice",
      "family_name"             : "Adams",
      "phone_number"            : "+359 (99) 100200305",
      "profile"                 : "https://tableau.com/users/alice"
    }

Step 7: Tableau Server identifies the user from the ID token claims and completes the authentication request from Step 1. Tableau Server first searches the repository for a user account whose stored subject identifier matches the "sub" claim. If no account is stored with that sub value, Tableau Server searches for a username in the repository that matches the "email" claim from the IdP. When the username match succeeds, Tableau Server stores the sub claim on that user's record, so later sign-ins match on sub even if the email address changes. Because that first link is made on the email claim alone, make sure the IdP only issues email values it has verified; otherwise a user who can set an arbitrary email address at the IdP could be linked to another person's Tableau account. Tableau Server can be configured to use different claims for this process. See Requirements for Using OpenID Connect.

Step 8: Tableau Server authorizes the user.

How Tableau Server Works with OpenID Connect

OpenID Connect is a flexible protocol that supports many options for the information that's exchanged between a service provider (here, Tableau Server) and an IdP. The following list provides details about the Tableau Server implementation of OpenID Connect. These details can help you understand what types of information Tableau Server sends and expects, and how to configure an IdP.

  • Tableau Server supports only the OpenID Authorization Code Flow as described in the OpenID Connect final specification.

  • Tableau Server relies on using discovery or a provider URL to retrieve the OpenID Provider metadata. Alternatively, you can host a static discovery document on Tableau Server. For more information see Configure Tableau Server for OpenID Connect.

  • Tableau Server supports only the client_secret_jwt Client Authentication method specified in the OpenID Connect specification. In addition, Tableau Server supports only RSA asymmetric keys for validating the JWT signature. However, you can turn off JWT validation. See tsm authentication openid <commands>.

  • Tableau Server expects a kid value in the JOSE header of the id_token. This value is matched against one of the keys in the JWK Set document, whose URI is specified by the jwks_uri value in the OpenID discovery document. A kid value must be present even if there is only one key in the JWK Set document.

  • Tableau Server does not include OpenID support for the JWK x5c parameter or for using X.509 certificates.

  • Tableau Server ignores the proxy settings configured on the operating system and sends all OpenID requests directly to the IdP. You cannot configure OpenID to honor local operating system proxy settings. Tableau Server must be able to communicate with the internet.
