Configure Tableau Server for OpenID Connect

This topic describes how to configure Tableau Server to use OpenID Connect (OIDC) for single-sign on (SSO). This is one step in a multi-step process. The following topics provide information about configuring and using OIDC with Tableau Server.

  1. OpenID Connect Overview

  2. Configure the Identity Provider for OpenID Connect

  3. Configure Tableau Server for OpenID Connect (you are here)

  4. Signing In to Tableau Server Using OpenID Connect

Notes:

  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.

  2. Click User Identity & Access on the Configuration tab and then click Authentication Method.

  3. Under Authentication Method, select OpenID Connect in the drop-down menu.

  4. Under OpenID Connect, select Enable OpenID authentication for the server.

  5. Enter the OpenID configuration information for your organization:

    Configure OpenID screenshot

    Note: If your provider relies on a configuration file hosted on the local computer (rather than a file hosted at a public URL), you can specify the file with the tsm authentication openid <commands>. Use the --metadata-file <file_path> option to specify a local IdP configuration file.

  6. Click Save Pending Changes after you've entered your configuration information.

  7. Click Pending Changes at the top of the page:

  8. Click Apply Changes and Restart.

The procedure in this section describes how to use TSM command line interface to configure OpenID Connect. You can also use a configuration file for the initial configuration of OpenID Connect. See openIDSettings Entity.

  1. Use the configure command of tsm authentication openid <commands> to set the following required options:

    --client-id <id>: Specifies the provider client ID that your IdP has assigned to your application. For example, “laakjwdlnaoiloadjkwha".

    --client-secret <secret>: Specifies the provider client secret. This is a token that is used by Tableau to verify the authenticity of the response from the IdP. This value is a secret and should be kept securely. For example, “xxxhfkjaw72123=".

    --config-url <url> or --metadata-file <file_path>: Specifies location of provider configuration json file. If the provider hosts a public json discovery file, then use --config-url. Otherwise, specify a path on the local computer and file name for --metadata-file instead.

    --return-url <url>: The URL of your server. This is typically is the public name of your server, such as "http://example.tableau.com".

    For example, run the command:

    tsm authentication openid configure --client-id “xxxkjwdlnaoiloadjkxxx" --client-secret “xxxhfkjaw72123=" --config-url "https://example.com/openid-configuration" --return-url "http://tableau.example.com"

    There are additional, optional configurations that you can set for Open ID Connect using either openIDSettings Entity or tsm authentication openid <commands>. In addition, if you need to configure IdP claim mapping, see Options for openid map-claims.

  2. Type the following command to enable Open ID Connect:

    tsm authentication openid enable

  3. Run tsm pending-changes apply to apply changes.

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Configure OpenID to work with a forward proxy

By default, Tableau Server ignores proxy settings and sends all OpenID requests directly to the IdP.

Beginning with Tableau Server 2021.2.2 and newer, if Tableau is configured to use a forward proxy to connect to the internet, then you may configure Tableau Server to use the proxy host and port settings to contact the OpenID IdP.

How you configure Tableau Server is different depending on how you have implemented forward proxy in your organization:

  • Forward proxy is configured on the Windows computer where Tableau Server is running.
  • Tableau Server sends all outbound traffic directly to a forward proxy server running in your organization.

Windows system proxy configuration

If your organization has configured forward proxy on each Windows computer use this method to use the system proxy configuration for OpenID onTableau Server. Run the following commands:

tsm configuration set -k tomcat.useSystemProxies -v true
tsm pending-changes apply

Forward proxy server

Use the command, tsm configuration set, to make the changes.

  • For HTTPS proxy hosts, use the following key-value pairs:

    -k tomcat.https.proxyHost -v host.domain

    -k tomcat.https.proxyPort -v port_number

    For example, if your proxy server is at https://proxy.example.lan:8443, then run the following commands:

    tsm configuration set -k tomcat.https.proxyHost -v proxy.example.lan
    tsm configuration set -k tomcat.https.proxyPort -v 8443
    tsm pending-changes apply
  • For HTTP proxy hosts, use the following key-value pairs:

    -k tomcat.http.proxyHost -v host.domain

    -k tomcat.http.proxyPort -v port_number

    After you have set these keys, run tsm pending-changes apply.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!