OpenID Connect

You can configure Tableau Server to support OpenID Connect (OIDC) for single sign-on (SSO). OIDC is a standard authentication protocol that lets users sign in to an identity provider (IdP) such as Google or Salesforce. After they've successfully signed in to their IdP, they are automatically signed in to Tableau Server.

Configuring OIDC involves several steps. The topics in this section provide general information about using Tableau Server with OIDC, and provide a sequence for configuring the IdP and Tableau Server.

Note: Unless otherwise noted, information about OIDC authentication applies both to OIDC authentication configured in TSM during Tableau Server setup and to OIDC authentication configured with identity pools.

Authentication overview

This section describes the OpenID Connect (OIDC) authentication process with Tableau Server.

1. A user attempts to log in to Tableau Server from a client computer.

2. Tableau Server redirects the request for authentication to the IdP gateway.

3. The user is prompted for credentials and successfully authenticates to the IdP. The IdP responds with a redirect URL back to Tableau Server. The redirect URL includes an authorization code for the user.

4. The client is redirected to Tableau Server and presents the authorization code.

5. Tableau Server presents the client's authorization code to the IdP along with its own client credentials. Tableau Server is also a client of the IdP. This step is intended to prevent spoofing or man-in-the-middle attacks.

6. The IdP returns an access token and an ID token to Tableau Server.

  • JSON Web Token (JWT) validation: By default, Tableau Server validates the IdP JWT. During discovery, Tableau Server retrieves the public keys specified by the jwks_uri in the IdP configuration discovery document. Tableau Server validates the ID token for expiry and then verifies the JSON web signature (JWS), the issuer (IdP), and the client ID. You can learn more about the JWT process in the OpenID documentation, 10. Signatures and Encryption, and the IETF proposed standard, JSON Web Token. We recommend leaving JWT validation enabled, unless your IdP does not support it.

  • The ID token is a set of attribute key-value pairs for the user. The key-value pairs are called claims. Here is an example set of IdP claims for a user:

    "sub"                     : "7gYhRR3HiRRCaRcgvY50ubrtjGQBMJW4rXbpPFpg2cptHP62m2sqowM7G1LwjN5",
    "email"                   : "alice@example.com",
    "email_verified"          : true,
    "name"                    : "Alice Adams",
    "given_name"              : "Alice",
    "family_name"             : "Adams",
    "phone_number"            : "+359 (99) 100200305",
    "profile"                 : "https://tableau.com/users/alice"

7. Tableau Server identifies the user from the IdP claims and completes the authentication request from step 1. Tableau Server searches for the user's account record stored in the repository by matching the "sub" (subject identifier) to identify the correct user account. If no user account is stored with the sub claim value, then Tableau Server searches for a username in the repository that matches the "email" claim from the IdP. When a username match succeeds, Tableau Server will store the corresponding sub claim to the user's record in the repository. Tableau Server can be configured to use different claims for this process. See Requirements for Using OpenID Connect.

8. Tableau Server authorizes the user.

How Tableau Server works with OpenID Connect

OpenID Connect (OIDC) is a flexible protocol that supports many options for the information that's exchanged between a service provider (here, Tableau Server) and an IdP. The following list provides details about the Tableau Server implementation of OIDC. These details can help you understand what types of information Tableau Server sends and expects, and how to configure an IdP.

  • Tableau Server supports only the OpenID Authorization Code Flow as described in the OpenID Connect final specification in the OpenID Connect documentation.

  • Tableau Server relies on using discovery or a provider URL to retrieve the OpenID provider metadata. Alternatively, you can host a static discovery document on Tableau Server. For more information see Configure Tableau Server for OpenID Connect.

  • Tableau Server supports the client_secret_basic and client_secret_post client authentication methods.

  • Tableau Server expects a kid value in the id_token attribute's JOSE Header. This value is matched with one of the keys found in the JWK Set document, whose URI is specified by the jwks_uri value in the OpenID discovery document. A kid value must be present even if there is only one key in the JWK Set document.

  • Tableau Server does include OpenID support for the JWK x5c parameter or for using X.509 certificates.

  • By default, Tableau Server ignores proxy settings and sends all OpenID requests directly to the IdP.

    If Tableau Server is configured to use a forward proxy to connect to the internet, then you must make additional changes as described in Configure Tableau Server for OpenID Connect.
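The JWT validation in step 6 and the kid requirement above can be seen together in the following added example, which is not Tableau code: it checks expiry, looks up the header's kid in a JWK Set, verifies the signature, then checks the issuer and client ID. It assumes RS256 signing; the key, kid, issuer URL and client ID are constructed for the demonstration, and make_token stands in for the IdP.

```python
import base64, hashlib, json, time

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# DigestInfo prefix for SHA-256, used by RSASSA-PKCS1-v1_5 (RFC 8017)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
def emsa(msg, k):
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

# Constructed demo key built from Mersenne primes: trivially factorable, never use for real.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "alg": "RS256",
                  "n": b64u(N.to_bytes(K, "big")), "e": b64u(E.to_bytes(3, "big"))}]}

def make_token(claims, kid="demo-1"):
    """Stand-in for the IdP: sign a constructed ID token with the demo key."""
    header = {"alg": "RS256", **({"kid": kid} if kid else {})}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(signing_input.encode(), K), "big"), D, N)
    return signing_input + "." + b64u(sig.to_bytes(K, "big"))

def validate_id_token(token, jwks, issuer, client_id, now=None):
    h64, c64, s64 = token.split(".")
    header, claims = json.loads(unb64u(h64)), json.loads(unb64u(c64))
    # 1. Expiry first, as in the order the page describes.
    if claims["exp"] <= (now or time.time()):
        raise ValueError("token expired")
    # 2. The kid is mandatory, even when the JWK Set holds a single key.
    if header.get("alg") != "RS256" or "kid" not in header:
        raise ValueError("missing kid or unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header["kid"]), None)
    if key is None:
        raise ValueError("kid not in JWK Set")
    # 3. Signature: recover the encoded digest with the public key and compare.
    n, e = (int.from_bytes(unb64u(key[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(unb64u(s64), "big"), e, n).to_bytes(k, "big")
    if em != emsa((h64 + "." + c64).encode(), k):
        raise ValueError("bad signature")
    # 4. Issuer and client ID (the aud claim may be a string or a list).
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if claims["iss"] != issuer or client_id not in aud:
        raise ValueError("issuer or client ID mismatch")
    return claims
```
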
