Configure Tableau Server for OpenID Connect
This topic describes how to configure Tableau Server to use OpenID Connect for single sign-on (SSO). This is one step in a multi-step process.
Note: Before you perform the steps described here, you must configure the OpenID identity provider (IdP) as described in Configure the Identity Provider for OpenID Connect.
Open TSM in a browser:
https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.
Click User Identity & Access on the Configuration tab and then click Authentication Method.
Under Authentication Method, select OpenID Connect in the drop-down menu.
Under OpenID Connect, select Enable OpenID authentication for the server.
Enter the OpenID configuration information for your organization:
Note: If your provider relies on a configuration file hosted on the local computer (rather than a file hosted at a public URL), you can specify the file with the tsm authentication openid <commands>. Use the --metadata-file <file_path> option to specify a local IdP configuration file.
Click Save Pending Changes after you've entered your configuration information.
Click Pending Changes at the top of the page:
Click Apply Changes and Restart.
The procedure in this section describes how to use the TSM command line interface to configure OpenID Connect. You can also use a configuration file for the initial configuration of OpenID Connect. See openIDSettings Entity.
Use the configure command of tsm authentication openid <commands> to set the following required options:
--client-id <id>: Specifies the provider client ID that your IdP has assigned to your application. For example,
--client-secret <secret>: Specifies the provider client secret. This is a token that is used by Tableau to verify the authenticity of the response from the IdP. This value is a secret and should be kept securely. For example,
--metadata-file <file_path>: Specifies the location of the provider configuration JSON file. If the provider hosts a public JSON discovery file, then use --config-url. Otherwise, specify a path on the local computer and file name for
--return-url <url>: The URL of your server. This is typically the public name of your server, such as
For example, run the command:
tsm authentication openid configure --client-id "laakjwdlnaoiloadjkwha" --client-secret "fwahfkjaw72123=" --config-url "https://example.com/openid-configuration" --return-url "http://tableau.example.com"
There are additional, optional configurations that you can set for OpenID Connect using either openIDSettings Entity or tsm authentication openid <commands>. In addition, if you need to configure IdP claim mapping, see Options for openid map-claims.
Type the following command to enable OpenID Connect:
tsm authentication openid enable
Run tsm pending-changes apply to apply changes.
If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
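Before running tsm authentication openid configure, it is worth checking the provider configuration JSON that --config-url or --metadata-file points at. The following is an added example, not part of Tableau's documentation or tooling: it checks the fields that OpenID Connect Discovery 1.0 marks as required, confirms the endpoints use https, and warns about a non-https --return-url. The names check_provider_config and as_list, the sample document and idp.example.com are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# REQUIRED fields per OpenID Connect Discovery 1.0. token_endpoint and the
# 'code' response type assume the authorization code flow is in use.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def as_list(value):
    return value if isinstance(value, list) else []

def check_provider_config(raw_json, return_url):
    """Return (errors, warnings) for a provider configuration JSON string."""
    errors, warnings = [], []
    try:
        meta = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], warnings
    if not isinstance(meta, dict):
        return ["top level must be a JSON object"], warnings
    for field in REQUIRED:
        if not meta.get(field):
            errors.append(f"missing required field: {field}")
    for field in URL_FIELDS:
        value = meta.get(field)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            errors.append(f"{field} is not an https URL: {value}")
    if "code" not in as_list(meta.get("response_types_supported")):
        errors.append("response_types_supported does not include 'code'")
    if "none" in as_list(meta.get("id_token_signing_alg_values_supported")):
        warnings.append("IdP advertises unsigned ID tokens (alg 'none')")
    if urlsplit(return_url).scheme != "https":
        warnings.append(f"return URL is not https: {return_url}")
    return errors, warnings

# Constructed sample document; idp.example.com is a placeholder, not a real IdP.
SAMPLE = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code"], "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    print(check_provider_config(SAMPLE, "http://tableau.example.com"))
```

For a local file, pass its contents as raw_json; errors should be resolved with the IdP before the configuration is applied, while warnings are settings to review.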