Configure Tableau Server for OpenID Connect


This topic describes how to configure Tableau Server to use OpenID Connect (OIDC) for single-sign on (SSO). This is one step in a multi-step process. The following topics provide information about configuring and using OIDC with Tableau Server.

  1. OpenID Connect Overview

  2. Configure the Identity Provider for OpenID Connect

  3. Configure Tableau Server for OpenID Connect (you are here)

  4. Signing In to Tableau Server Using OpenID Connect

Notes:

  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.

  2. Click User Identity & Access on the Configuration tab and then click Authentication Method.

  3. Under Authentication Method, select OpenID Connect in the drop-down menu.

  4. Under OpenID Connect, select Enable OpenID authentication for the server.

  5. Enter the OpenID configuration information for your organization:

    Configure OpenID screenshot

    Notes:

    • For Step 3: If your provider relies on a configuration file hosted on the local computer (rather than a file hosted at a public URL), you can specify the file with the tsm authentication openid <commands>. Use the --metadata-file <file_path> option to specify a local IdP configuration file.

    • For Step 4: Beginning in Tableau Server 2025.3, you can enable single logout and specify a URL to redirect your users to after being signed out.

  6. Click Save Pending Changes after you've entered your configuration information.

  7. Click Pending Changes at the top of the page:

    Tableau Server Manager toolbar indicating that there are pending changes.

  8. Click Apply Changes and Restart.

The procedure in this section describes how to use TSM command line interface to configure OpenID Connect. You can also use a configuration file for the initial configuration of OpenID Connect. See openIDSettings Entity.

  1. Use the configure command of tsm authentication openid <commands> to set the following required options:

    • --client-id <id>: Specifies the provider client ID that your IdP has assigned to your application. For example, “xxxkjwdlnaoiloadjkwha".

    • --client-secret <secret>: Specifies the provider client secret. This is a token that is used by Tableau to verify the authenticity of the response from the IdP. This value is a secret and should be kept securely. For example, “xxxhfkjaw72123=".

    • --config-url <url> or --metadata-file <file_path>: Specifies location of provider configuration json file. If the provider hosts a public JSON discovery file, then use --config-url. Otherwise, specify a path on the local computer and file name for --metadata-file instead.

    • --return-url <url>: The URL of your server. This is typically the public name of your server, such as "http://example.tableau.com".

    For example, run the command:

    tsm authentication openid configure --client-id “xxxkjwdlnaoiloadjkwha" --client-secret “xxxhfkjaw72123=" --config-url "https://example.com/openid-configuration" --return-url "http://tableau.example.com"

    Note: 

  2. Type the following command to enable Open ID Connect:

    tsm authentication openid enable

  3. Run tsm pending-changes apply to apply changes.

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Back to top
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!