Troubleshoot OpenID Connect

Use the following topics to troubleshoot OpenID Connect (OIDC) issues in Tableau Server.

OIDC protocol is supported by many identity providers. The OIDC protocol is an open and flexible standard, and as such, not all implementations of the standard are identical. Most issues that administrators encounter when configuring Tableau Server for OIDC are the result of how different identity providers implement OIDC. If you encounter errors as you set up OIDC with Tableau Server, we recommend that you work with your IdP to resolve them.

Enabling enhanced OpenID logging

To efficiently troubleshoot OpenID Connect issues in Tableau Server, enable enhanced logging by setting the logging level to debug, and full logging for OpenID using the vizportal.openid.full_server_request_logging_enabled configuration key to true using these TSM commands:

tsm configuration set -k vizportal.log.level -v debug

tsm configuration set -k vizportal.openid.full_server_request_logging_enabled -v true

tsm pending-changes apply

After completing your troubleshooting, we recommend setting the values of both configuration keys back to their defaults to limit the information collected in logs and to reduce log file sizes. For details on resetting configuration keys to defaults, see Resetting a configuration key to default.

Note: Enhanced logging for identity pools(Link opens in a new window) isn’t supported. However, vizportal.log.level debug logging is supported.

Signing in from the command line

Even if Tableau Server is configured to use OIDC, it isn’t used if you sign in to Tableau Server using tabcmd, the Tableau REST API(Link opens in a new window), or the Tableau Data Extract command line utility(Link opens in a new window) (provided with Tableau Desktop).

Login failed

Login can fail with the following message:

Login failure: Identity Provider authentication unsuccessful for user <username from IdP>. Failed to find the user in Tableau Cloud.

This error typically means that there’s a mismatch between a username stored in Tableau Server and the username provided by the IdP. To fix this, make sure that they match. For example, if Jane Smith's username is stored in the IdP as jsmith it must be stored in Tableau Server as jsmith as well.

Error 69: "Unable to Sign In"

An error 69 might be returned when you attempt to sign in to Tableau Server with a web browser and receive an error, "Unable to Sign In. Sign in failed. Contact your Tableau Server administrator." The URL that returns this message is https://example.com/#/error/signin/69?redirectPath=%2.

If you receive this error, check with your IDP provider to verify if the IdP is expecting client_secret_post instead of client_secret_basic (the Tableau default).

If the IdP is expecting client_secret_post, then you must set the vizportal.openid.client_authentication parameter to client_secret_post.

For example, if you receive this error and you have configured OIDC for the Salesforce IdP, then you must set the vizportal.openid.client_authentication parameter.

See tsm configuration set Options for more information.

OpenID error log

OpenID authentication takes place outside Tableau Server, so troubleshooting authentication issues can be difficult. However, sign-in attempts are logged by Tableau Server. You can create a snapshot of log files and use them to troubleshoot problems. For more information, see Tableau Server Logs and Log File Locations.

Note: To log OpenID-related events, vizportal.log.level must be set to debug with tsm configuration set Options.

Check for OpenID errors in the following files in the unzipped log file snapshot:

\vizportal\vizportal-<n>.log

User not found

An error "user not found" might be returned if the "sub" claims have changed after initial login of users. You can verify this issue if you see the following in the vizportal logs: Possible conflicting or stale account: <username> A different user already owns this account.

If you continue to see this issue, reset the "sub" claims for that user or for all users on Tableau Server. For more information, see Reset user identifiers.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!