This topic describes how to configure Tableau Server to use OpenID Connect for single sign-on (SSO). This is one step in a multi-step process. The following topics provide information about configuring and using OpenID Connect with Tableau Server.
- Configure Tableau Server for OpenID Connect (you are here)
Note: Before you perform the steps described here, you must configure the OpenID identity provider (IdP) as described in Configure the Identity Provider for OpenID Connect.
- Open TSM in a browser: https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.
- Click User Identity & Access on the Configuration tab and then click Authentication Method.
- Under Authentication Method, select OpenID Connect in the drop-down menu.
- Under OpenID Connect, select Enable OpenID authentication for the server.
- Enter the OpenID configuration information for your organization:
  Note: If your provider relies on a configuration file hosted on the local computer (rather than a file hosted at a public URL), you can specify the file with the tsm authentication openid <commands>. Use the --metadata-file <file_path> option to specify a local IdP configuration file.
- Click Save Pending Changes after you've entered your configuration information.
- Click Pending Changes at the top of the page:
- Click Apply Changes and Restart.
The procedure in this section describes how to use the TSM command line interface to configure OpenID Connect. You can also use a configuration file for the initial configuration of OpenID Connect. See openIDSettings Entity.
- Use the configure command of tsm authentication openid <commands> to set the following required options:
  --client-id <id>: Specifies the provider client ID that your IdP has assigned to your application. For example, "laakjwdlnaoiloadjkwha".
  --client-secret <secret>: Specifies the provider client secret. This is a token that is used by Tableau to verify the authenticity of the response from the IdP. This value is a secret and should be stored securely. For example, "fwahfkjaw72123=".
  --config-url <url> or --metadata-file <file_path>: Specifies the location of the provider configuration JSON file. If the provider hosts a public JSON discovery file, then use --config-url. Otherwise, specify a path on the local computer and file name for --metadata-file instead.
  --return-url <url>: The URL of your server. This is typically the public name of your server, such as "http://example.tableau.com".
  For example, run the command:
  tsm authentication openid configure --client-id "laakjwdlnaoiloadjkwha" --client-secret "fwahfkjaw72123=" --config-url "https://example.com/openid-configuration" --return-url "http://tableau.example.com"
There are additional, optional configurations that you can set for OpenID Connect using either openIDSettings Entity or tsm authentication openid <commands>. In addition, if you need to configure IdP claim mapping, see Options for openid map-claims.
- Type the following command to enable OpenID Connect:
  tsm authentication openid enable
- Run tsm pending-changes apply to apply changes.
  If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
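A pre-flight check for the provider configuration JSON file described under --config-url and --metadata-file, as an added example that is not part of the Tableau documentation: it applies the required-field rules of OpenID Connect Discovery 1.0, plus an https-only check on the endpoint URLs, to a document before it is handed to tsm. The function names and the idp.example.com sample are assumptions made for illustration, and Tableau Server's own validation may differ.

```python
import json
from urllib.parse import urlsplit

# Fields OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata
# (token_endpoint is required unless the IdP only supports the implicit flow).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
# URL-valued fields that should only ever be reached over TLS.
HTTPS_ONLY = ("issuer", "authorization_endpoint", "token_endpoint",
              "jwks_uri", "userinfo_endpoint")

def _https_parts(value):
    """Return the parsed URL if value is an https URL with a host, else None."""
    try:
        parts = urlsplit(value) if isinstance(value, str) else None
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    return parts if parts and parts.scheme == "https" and parts.netloc else None

def check_metadata(text):
    """Return a list of problems in an IdP discovery document (empty list = OK)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    for key in (k for k in HTTPS_ONLY if k in doc):
        parts = _https_parts(doc[key])
        if parts is None:
            problems.append(f"{key} is not an https URL: {doc[key]!r}")
        elif key == "issuer" and (parts.query or parts.fragment):
            problems.append("issuer must not contain a query or fragment")
    algs = doc.get("id_token_signing_alg_values_supported")
    if isinstance(algs, list) and "RS256" not in algs:
        problems.append("RS256 is not listed as an ID token signing algorithm")
    return problems

# Constructed sample (idp.example.com is a placeholder, not a real IdP).
GOOD = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code"], "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"]})
BAD = GOOD.replace("https://idp.example.com/token", "http://idp.example.com/token")
```

To check a real file, read it and pass its contents to check_metadata before running the configure command; an empty list means the document passed these checks.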