OpenID Connect

You can configure Tableau Cloud or Tableau Cloud Manager (TCM) to support OpenID Connect (OIDC) for single sign-in (SSO). OIDC is a standard authentication protocol that lets users sign in to an identity provider (IdP) such as Google or Salesforce. After they've successfully signed in to their IdP, they are automatically signed in to Tableau Cloud or TCM.

Configuring OIDC involves several steps. The topics in this section provide general information about using Tableau Cloud or TCM with OIDC, and provide a sequence for configuring the IdP and Tableau Cloud or TCM.

To configure OIDC using the Tableau REST API, see OpenID Connect Authentication Methods in the Tableau REST API Help. Note: Applies to Tableau Cloud only.

Authentication overview

This section describes the OpenID Connect (OIDC) authentication process with Tableau Cloud or TCM.

1. A user attempts to log in to Tableau Cloud or TCM from a client computer.

2. Tableau Cloud or TCM redirects the request for authentication to the IdP gateway.

3. The user is prompted for credentials and successfully authenticates to the IdP. The IdP responds with a redirect URL back to Tableau Cloud or TCM. The redirect URL includes an authorization code for the user.

4. The client is redirected to Tableau Cloud or TCM and presents the authorization code.

5. Tableau Cloud or TCM presents the client's authorization code to the IdP along with its own client credentials. Tableau Cloud or TCM is also a client of the IdP. This step is intended to prevent spoofing or man-in-the-middle attacks.

6. The IdP returns an access token and an ID token to Tableau Cloud or TCM.

  • JSON Web Token (JWT) validation: By default, Tableau validates the JWT issued by the IdP. During discovery, Tableau retrieves the public keys specified by the jwks_uri in the IdP's configuration discovery document. Tableau checks the ID token for expiry and then verifies the JSON Web Signature (JWS), the issuer (IdP), and the client ID. You can learn more about the JWT process in the OIDC documentation, 10. Signatures and Encryption, and the IETF proposed standard, JSON Web Token. We recommend leaving JWT validation enabled unless your IdP does not support it.

  • The ID token is a set of attribute key-value pairs for the user. These pairs are called claims. Here is an example set of IdP claims for a user:

    {
      "sub"                     : "7gYhRR3HiRRCaRcgvY50ubrtjGQBMJW4rXbpPFpg2cptHP62m2sqowM7G1LwjN5",
      "email"                   : "alice@example.com",
      "email_verified"          : true,
      "name"                    : "Alice Adams",
      "given_name"              : "Alice",
      "family_name"             : "Adams"
    }

7. Tableau Cloud or TCM identifies the user from the IdP claims and completes the authentication request from step 1. Tableau Cloud can be configured to use different claims for this process. See Requirements.

8. Tableau Cloud or TCM authorizes the user.

How Tableau works with OpenID Connect

OpenID Connect (OIDC) is a flexible protocol that supports many options for the information that's exchanged between a service provider (here, Tableau Cloud or TCM) and an IdP. The following list provides details about the Tableau Cloud and TCM implementation of OIDC. These details can help you understand what types of information Tableau Cloud or TCM sends and expects, and how to configure an IdP.

  • Tableau Cloud and TCM support only the OpenID Authorization Code Flow as described in the OpenID Connect final specification in the OpenID Connect documentation.

  • Tableau Cloud and TCM rely on OIDC discovery (a provider URL) to retrieve the IdP metadata.

  • Tableau Cloud and TCM support the client_secret_basic (default) and client_secret_post client authentication methods, along with other parameters specified in the OpenID Connect specification. These can only be configured using the Tableau REST API.
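The two client authentication methods named above differ only in where the client secret travels when the relying party exchanges the authorization code (step 5 of the authentication overview). The helper below, added here as an illustration and not Tableau's own code, builds the token-endpoint request either way; the endpoint URL, client ID, secret, authorization code and redirect URI are constructed placeholders.

```python
import base64
from urllib.parse import quote, urlencode

# Constructed placeholder; the real value comes from the IdP's discovery document.
TOKEN_ENDPOINT = "https://idp.example.com/oauth2/token"


def build_token_request(auth_method: str, client_id: str, client_secret: str,
                        code: str, redirect_uri: str):
    """Return (headers, form_body) for the authorization-code exchange.

    client_secret_basic: the secret goes into an HTTP Basic Authorization header.
    client_secret_post:  the secret goes into the form-encoded request body.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    if auth_method == "client_secret_basic":
        # RFC 6749 section 2.3.1: client_id and client_secret are each
        # form-urlencoded, joined with ':', then base64-encoded as Basic credentials.
        credential = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
        encoded = base64.b64encode(credential.encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + encoded
    elif auth_method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("unsupported client authentication method: %r" % auth_method)

    return headers, urlencode(form)


if __name__ == "__main__":
    for method in ("client_secret_basic", "client_secret_post"):
        hdrs, body = build_token_request(method, "tableau-client-id", "s3cr3t",
                                         "abc123", "https://tableau.example.com/callback")
        print(method, "->", TOKEN_ENDPOINT)
        print("  headers:", hdrs)
        print("  body:   ", body)
```

Whichever method is chosen, the request is sent only over TLS to the token endpoint from the discovery document, and the body of a client_secret_post request should be kept out of request logs because it carries the secret in clear text.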

Dynamic group membership using OIDC assertions

Note: Applies to Tableau Cloud only.

Beginning in June 2024, if OIDC authentication is configured and the capability's setting is enabled, you can dynamically control group membership through custom claims included in the JSON Web Token (JWT) sent by the identity provider (IdP).

When configured, the IdP sends an OIDC assertion during user authentication that contains a custom group membership claim, https://tableau.com/groups, whose value lists the names of the groups (for example, "Group1" and "Group2") to assert the user into. Tableau validates the assertion and then grants access to those groups and to the content whose permissions depend on them.

For more information, see Dynamic group membership using assertions.

Example JWT claims

{
  "sub"                     : "7gYhRR3HiRRCaRcgvY50ubrtjGQBMJW4rXbpPFpg2cptHP62m2sqowM7G1LwjN5",
  "email"                   : "alice@example.com",
  "email_verified"          : true,
  "name"                    : "Alice Adams",
  "given_name"              : "Alice",
  "family_name"             : "Adams",
  "https://tableau.com/groups": ["Group1", "Group2"]
}
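The following is an added example, not Tableau's code, that ties together step 6 of the authentication overview (expiry, JWS signature, issuer and client ID checks against keys fetched from jwks_uri) and the group claim shown above: it validates an ID token carrying the claims above and only then reads https://tableau.com/groups. The issuer URL, client ID, key ID and signing key are constructed. Because a real IdP publishes RSA or EC public keys and signs with RS256 or ES256, which the Python standard library cannot verify on its own, the constructed JWKS holds a symmetric "oct" key and the token is signed with HS256 so that both sides run offline; the claim checks are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time

GROUPS_CLAIM = "https://tableau.com/groups"   # custom group claim from the page
FIXED_NOW = 1_700_000_000                     # constructed "current time" for repeatable runs
CONSTRUCTED_SECRET = b"constructed-secret-do-not-reuse"   # stands in for the IdP's signing key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Stand-in for the JWKS document fetched from jwks_uri during discovery (constructed).
CONSTRUCTED_JWKS = {"keys": [{"kty": "oct", "kid": "example-key-1", "alg": "HS256",
                              "k": b64url_encode(CONSTRUCTED_SECRET)}]}


def sign_hs256(claims: dict, secret: bytes, kid: str) -> str:
    """Mint a compact JWS (header.payload.signature); this is the IdP's side."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenValidationError(Exception):
    pass


def validate_id_token(token: str, jwks: dict, expected_issuer: str, client_id: str,
                      now=None, leeway: int = 60) -> dict:
    """Apply the checks from step 6: JWS signature, expiry, issuer and client ID."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))

    # Signature: refuse unsigned tokens, look the key up by kid, and never let the
    # token's own header select an algorithm other than the one bound to that key.
    alg = header.get("alg")
    if alg in (None, "none"):
        raise TokenValidationError("unsigned token rejected")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenValidationError("no key with kid %r in JWKS" % header.get("kid"))
    if alg != "HS256" or key.get("alg") != alg:
        raise TokenValidationError("algorithm %r not allowed for this key" % alg)
    expected = hmac.new(b64url_decode(key["k"]), (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenValidationError("signature does not verify")

    # Expiry, with a small clock-skew allowance.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenValidationError("token expired or has no exp claim")

    # Issuer must match the IdP named in the discovery document.
    if claims.get("iss") != expected_issuer:
        raise TokenValidationError("unexpected issuer %r" % claims.get("iss"))

    # Client ID: aud may be a string or a list and must include this relying party.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or client_id not in audiences:
        raise TokenValidationError("token not issued for client %r" % client_id)
    return claims


def groups_from_claims(claims: dict) -> list:
    """Read the group-membership claim only from claims that already passed validation."""
    groups = claims.get(GROUPS_CLAIM, [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise TokenValidationError("%s must be a list of group names" % GROUPS_CLAIM)
    return groups


def constructed_token(**overrides) -> str:
    """Build a sample ID token modelled on the page's claim example (constructed values)."""
    claims = {"iss": "https://idp.example.com", "aud": "tableau-client-id",
              "sub": "7gYhRR3HiRRCaRcgvY50ubrtjGQBMJW4rXbpPFpg2cptHP62m2sqowM7G1LwjN5",
              "email": "alice@example.com", "email_verified": True, "name": "Alice Adams",
              "exp": FIXED_NOW + 300, GROUPS_CLAIM: ["Group1", "Group2"]}
    claims.update(overrides)
    return sign_hs256(claims, CONSTRUCTED_SECRET, "example-key-1")


def validation_error(token: str, now=FIXED_NOW):
    """Return the rejection reason for a token, or None if it validates."""
    try:
        validate_id_token(token, CONSTRUCTED_JWKS, "https://idp.example.com",
                          "tableau-client-id", now=now)
    except TokenValidationError as err:
        return str(err)
    return None


if __name__ == "__main__":
    good = validate_id_token(constructed_token(), CONSTRUCTED_JWKS, "https://idp.example.com",
                             "tableau-client-id", now=FIXED_NOW)
    print("user:", good["email"], "groups:", groups_from_claims(good))
    print("expired token:  ", validation_error(constructed_token(), now=FIXED_NOW + 400))
    print("wrong audience: ", validation_error(constructed_token(aud="other-client")))
```

The order matters: the group claim is trusted only because the signature, expiry, issuer and audience checks passed first, which is why the page recommends leaving JWT validation enabled. Tokens rejected here (expired, re-targeted at another client, unsigned, or with a payload altered after signing) are the ones a relying party should log as authentication failures rather than silently ignore.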