Configure Tableau Server for OpenID Connect
This topic describes how to configure Tableau Server to use OpenID Connect for single-sign on (SSO). This is one step in a multi-step process. The following topics provide information about configuring and using OpenID Connect with Tableau Server.
Configure Tableau Server for OpenID Connect (you are here)
Note: Before you perform the steps described here, you must configure the OpenID identity provider (IdP) as described in Configure the Identity Provider for OpenID Connect.
Open TSM in a browser:
https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.
Click User Identity & Access on the Configuration tab and then click Authentication Method.
Under Authentication Method, select OpenID Connect in the drop-down menu.
Under OpenID Connect, select Enable OpenID authentication for the server.
Enter the OpenID configuration information for your organization:
Note: If your provider relies on a configuration file hosted on the local computer (rather than a file hosted at a public URL), you can specify the file with the tsm authentication openid <commands>. Use the
--metadata-file <file_path>option to specify a local IdP configuration file.
Click Save Pending Changes after you've entered your configuration information.
Click Pending Changes at the top of the page:
Click Apply Changes and Restart.
The procedure in this section describes how to use TSM command line interface to configure OpenID Connect. You can also use a configuration file for the initial configuration of OpenID Connect. See openIDSettings Entity.
configurecommand of tsm authentication openid <commands> to set the following required options:
--client-id <id>: Specifies the provider client ID that your IdP has assigned to your application. For example,
--client-secret <secret>: Specifies the provider client secret. This is a token that is used by Tableau to verify the authenticity of the response from the IdP. This value is a secret and should be kept securely. For example,
--metadata-file <file_path>: Specifies location of provider configuration json file. If the provider hosts a public json discovery file, then use
--config-url. Otherwise, specify a path on the local computer and file name for
--return-url <url>: The URL of your server. This is typically is the public name of your server, such as
For example, run the command:
tsm authentication openid configure --client-id “laakjwdlnaoiloadjkwha" --client-secret “fwahfkjaw72123=" --config-url "https://example.com/openid-configuration" --return-url "http://tableau.example.com"
There are additional, optional configurations that you can set for Open ID Connect using either openIDSettings Entity or tsm authentication openid <commands>. In addition, if you need to configure IdP claim mapping, see Options for openid map-claims.
Type the following command to enable Open ID Connect:
tsm authentication openid enable
tsm pending-changes applyto apply changes.
pending-changes applycommand displays a prompt to let you know this will restart Tableau Server if the server is running. The prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the
--ignore-promptoption, but this does not change the restart behavior. For more information, see tsm pending-changes apply.