This topic describes how to configure Tableau Server to use OpenID Connect for single sign-on (SSO). This is one step in a multi-step process. The following topics provide information about configuring and using OpenID Connect with Tableau Server.

Note: Before you perform the steps described here, you must configure the OpenID identity provider (IdP) as described in Configure the Identity Provider for OpenID Connect.

  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.

  2. Click User Identity & Access on the Configuration tab and then click Authentication Method.

  3. Under Authentication Method, select OpenID Connect in the drop-down menu.

  4. Under OpenID Connect, select Enable OpenID authentication for the server.

  5. Enter the OpenID configuration information for your organization:

    Note: If your provider relies on a configuration file hosted on the local computer (rather than a file hosted at a public URL), you can specify the file with the tsm authentication openid <commands>. Use the --metadata-file <file_path> option to specify a local IdP configuration file.

  6. Click Save Pending Changes after you've entered your configuration information.

  7. Click Pending Changes at the top of the page.

  8. Click Apply Changes and Restart.

The procedure in this section describes how to use the TSM command line interface to configure OpenID Connect. You can also use a configuration file for the initial configuration of OpenID Connect. See openIDSettings Entity.

  1. Use the configure command of tsm authentication openid <commands> to set the following required options:

    --client-id <id>: Specifies the provider client ID that your IdP has assigned to your application. For example, "laakjwdlnaoiloadjkwha".

    --client-secret <secret>: Specifies the provider client secret. This is a token that is used by Tableau to verify the authenticity of the response from the IdP. This value is a secret and should be stored securely. For example, "fwahfkjaw72123=".

    --config-url <url> or --metadata-file <file_path>: Specifies the location of the provider configuration JSON file. If the provider hosts a public JSON discovery file, use --config-url. Otherwise, specify a path on the local computer and a file name for --metadata-file instead.

    --return-url <url>: The URL of your server. This is typically the public name of your server, such as "".

    For example, run the command:

    tsm authentication openid configure --client-id "laakjwdlnaoiloadjkwha" --client-secret "fwahfkjaw72123=" --config-url "" --return-url ""

    There are additional, optional configurations that you can set for OpenID Connect using either openIDSettings Entity or tsm authentication openid <commands>. In addition, if you need to configure IdP claim mapping, see Options for openid map-claims.

  2. Type the following command to enable OpenID Connect:

    tsm authentication openid enable

  3. Run tsm pending-changes apply to apply changes.

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
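
A pre-flight check for the provider configuration JSON file that --config-url or --metadata-file points to, as an added example (not Tableau's code): it verifies the fields that OpenID Connect Discovery 1.0 requires and that the IdP endpoints use https. The function name check_metadata and the sample documents (idp.example.com) are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")

# Constructed sample documents (idp.example.com is a placeholder, not a real IdP).
_good = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
_bad = {k: v for k, v in _good.items() if k not in ("jwks_uri", "token_endpoint")}
_bad.update(issuer="http://idp.example.com", id_token_signing_alg_values_supported=["HS256"])
GOOD, BAD = json.dumps(_good), json.dumps(_bad)

def check_metadata(text):
    """Return a list of problems found in an IdP discovery document (empty = OK)."""
    try:
        meta = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(meta, dict):
        return ["top-level value is not a JSON object"]
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in meta]
    issuer = urlsplit(str(meta.get("issuer", "")))
    if "issuer" in meta and (issuer.scheme != "https" or issuer.query or issuer.fragment):
        problems.append("issuer must be an https URL without query or fragment")
    for key in ENDPOINTS:
        if key in meta and urlsplit(str(meta[key])).scheme != "https":
            problems.append(f"{key} is not an https URL")
    # token_endpoint may be omitted only when the IdP offers the implicit flow alone.
    rts = meta.get("response_types_supported")
    if isinstance(rts, list) and any("code" in str(rt).split() for rt in rts) and "token_endpoint" not in meta:
        problems.append("code flow advertised but token_endpoint is missing")
    algs = meta.get("id_token_signing_alg_values_supported")
    if isinstance(algs, list) and "RS256" not in algs:
        problems.append("RS256 missing from id_token_signing_alg_values_supported")
    return problems

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_metadata(doc) or "OK")
```

Run the check against the file you intend to pass to --metadata-file, or against a saved copy of the document served at the --config-url address, before running tsm authentication openid configure.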
