Before you configure OpenID authentication, review Requirements for Using OpenID Connect.

Use the configuration file template below to create a JSON file. After you have filled in the options with the appropriate values, pass the JSON file and apply the settings with the following commands:

tsm settings import -f path-to-file.json

tsm pending-changes apply

If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Configuration template

Use this template to configure OpenID settings.

Important: All entity options are case sensitive.

For more explanation about configuration files, entities, and keys, see Configuration File Example.

After you have finished with the initial configuration of OIDC, use the tsm authentication openid <commands> sub-category to set additional values.

	{
	  "configEntities": {
	    "openIDSettings": {
	      "_type": "openIDSettingsType",
	      "enabled": true,
	      "clientId": "required",
	      "clientSecret": "required",
	      "configURL": "required if staticFile value is not set",
	      "staticFile": "required if configURL value is not set",
	      "externalURL": "required"
	    }
	  }
	}
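
A pre-import check for a file built from this template, as an added example that is not Tableau's own code: it flags miscased keys, leftover template placeholders, and a file that sets both or neither of configURL and staticFile. The function name check_openid_settings, the embedded sample, and the https requirement on URLs are assumptions made for this example.

```python
import json
from urllib.parse import urlparse

# Key names come from the template on this page and are case sensitive.
REQUIRED = ("_type", "enabled", "clientId", "clientSecret", "externalURL")
SOURCES = ("configURL", "staticFile")  # exactly one of these must be present
CANONICAL = {k.lower(): k for k in REQUIRED + SOURCES}

# Constructed sample: the unedited template, as if imported by mistake.
TEMPLATE = """{"configEntities": {"openIDSettings": {
  "_type": "openIDSettingsType", "enabled": true,
  "clientId": "required", "clientSecret": "required",
  "configURL": "required if staticFile value is not set",
  "staticFile": "required if configURL value is not set",
  "externalURL": "required"}}}"""


def check_openid_settings(text):
    """Return a list of problems in a tsm OpenID settings JSON document."""
    try:
        s = json.loads(text)["configEntities"]["openIDSettings"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"not an openIDSettings document: {exc!r}"]
    if not isinstance(s, dict):
        return ["openIDSettings must be a JSON object"]
    problems = []
    for key in s:
        want = CANONICAL.get(key.lower())
        if want and want != key:
            problems.append(f"'{key}' has the wrong case, expected '{want}'")
    problems += [f"missing required key '{k}'" for k in REQUIRED if k not in s]
    if "_type" in s and s["_type"] != "openIDSettingsType":
        problems.append("'_type' must stay 'openIDSettingsType'")
    if "enabled" in s and s["enabled"] is not True:
        problems.append("'enabled' must be the JSON boolean true")
    if sum(k in s for k in SOURCES) != 1:
        problems.append("set exactly one of configURL or staticFile")
    for key, val in s.items():
        if key in CANONICAL.values() and str(val).startswith("required"):
            problems.append(f"'{key}' still holds the template placeholder")
        elif key in ("configURL", "externalURL"):
            # Assumption added here, not a rule stated on the page: require https.
            if urlparse(str(val)).scheme != "https":
                problems.append(f"'{key}' is not an https URL")
    return problems


if __name__ == "__main__":
    for line in check_openid_settings(TEMPLATE):
        print(line)
```

Run it against the file before tsm settings import; an empty list means none of these checks failed.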

Configuration file reference

The following list includes all of the options that can be included with the "openIDSettings" entity set.



Do not change.



Set to true.



Specifies the provider client ID that your IdP has assigned to your application. For example, "laakjwdlnaoiloadjkwha".



Specifies the provider client secret. This is a token that is used by Tableau to verify the authenticity of the response from the IdP. This value is a secret and should be stored securely.

For example, "fwahfkjaw72123=".



Specifies the provider configuration URL. If you do not specify a configuration URL, then delete this option and specify a path and file name for staticFile instead.



Specifies the local path to the static OIDC discovery JSON document. If you do not specify a static file, then delete this option and specify a URL for configURL instead.



The URL of your server. This is typically the public name of your server, such as



Specifies the connection timeout in seconds. Default is 10.



Specifies the read timeout in seconds. Default is 30.


Set this to true if the following are true:

  • You are using email addresses as usernames in Tableau Server
  • You have provisioned users in the IdP with multiple domain names
  • You want to ignore the domain name portion of the email claim from the IdP

Before you proceed, review the user names that will be used as a result of setting this option to true. User name conflicts may occur. In the case of a user name conflict, the risk of information disclosure is high. See Requirements for Using OpenID Connect.


Set this to true if your IdP does not support JWK validation. In this case, we recommend authenticating communication with your IdP using mutual TLS or another network layer security protocol. Default is false.


Specifies a custom scope user-related value that you can use to query the IdP. See Requirements for Using OpenID Connect.


Change this value if your IdP does not use the sub claim to uniquely identify users in the ID token. The IdP claim that you specify should contain a single, unique string.


Change this value to the IdP claim that your organization will use to match user names as stored in Tableau Server.


Specifies the custom client authentication method for OpenID Connect.

To configure Tableau Server to use the Salesforce IdP, set this value to client_secret_post.


Set to true to allow the IdP to be displayed in an iFrame. The IdP must disable clickjack protection to allow iFrame presentation.
