OpenID Connect

You can configure Tableau Server to support OpenID Connect for single sign-in (SSO). OpenID Connect is a standard authentication protocol that lets users sign in to an identity provider (IdP) such as Google. After they've successfully signed in to their IdP, they are automatically signed in to Tableau Server.

Configuring OpenID Connect involves several steps. The topics in this section provide general information about using Tableau Server with OpenID Connect, and provide a sequence for configuring the IdP and Tableau Server.

Authentication overview

This section describes the OpenID Connect authentication process with Tableau Server.

Step 1: A user requests a resource on Tableau Server.

Step 2: Tableau Server redirects the request to the IdP gateway for authentication.

Step 3: The user is prompted and successfully authenticates with the IdP. The IdP responds with a redirect back to Tableau Server and an authorization code for the user in the redirect URL.

Step 4: The user's browser follows the redirect and passes the authorization code to Tableau Server.

Step 5: Tableau Server presents the user's authorization code back to the IdP. As an IdP client, Tableau Server includes its own client credentials so that the IdP can confirm the request is genuinely from Tableau Server.

Step 6: The IdP returns an access token and an ID token to Tableau Server.

  • JSON Web Token (JWT) validation: By default Tableau Server validates the JWT issued by the IdP. During discovery, Tableau Server retrieves the public keys specified by the jwks_uri in the IdP configuration discovery document. Tableau Server checks the ID token for expiry and then verifies the JSON Web Signature (JWS), the issuer (IdP), and the client ID. You can learn more about the JWT process in the OpenID documentation, 10. Signatures and Encryption, and the IETF proposed standard, JSON Web Token. We recommend leaving JWT validation enabled unless your IdP does not support it. Use the tsm authentication openid configure --ignore-jwk true command to disable validation.

  • The ID token is a set of attribute key-pairs for the user. The key-pairs are called claims. Here is an example IdP claim for a user:

    {
      "sub"                     : "7gYhRR3HiRRCaRcgvY50ubrtjGQBMJW4rXbpPFpg2cptHP62m2sqowM7G1LwjN5",
      "email"                   : "alice@tableau.com",
      "email_verified"          : true,
      "name"                    : "Alice Adams",
      "given_name"              : "Alice",
      "family_name"             : "Adams",
      "phone_number"            : "+359 (99) 100200305",
      "profile"                 : "https://tableau.com/users/alice"
    }

Step 7: Tableau Server identifies the user from the IdP claims and completes the request from Step 1. Tableau Server searches the user account records stored in the repository. By default, Tableau Server uses the subject identifier, or sub, claim to identify a user account. If no user record holds the sub claim value, Tableau Server searches for a username that matches the email claim. When a username match is found, Tableau Server writes the corresponding sub claim to that user record in the repository, so subsequent sign-ins match on sub directly. You can configure Tableau Server to use different claims for this process. See Requirements for Using OpenID Connect.

Step 8: Tableau Server authorizes the user.

How Tableau Server Works with OpenID Connect

OpenID Connect is a flexible protocol that supports many options for the information that's exchanged between a service provider (here, Tableau Server) and an IdP. The following list provides details about the Tableau Server implementation of OpenID Connect. These details can help you understand what types of information Tableau Server sends and expects, and how to configure an IdP.

  • Tableau Server supports only the OpenID Authorization Code Flow as described in the OpenID Connect final specification.

  • Tableau Server relies on using discovery or a provider URL to retrieve the OpenID Provider metadata. Alternatively, you can host a static discovery document on Tableau Server. For more information see Configure Tableau Server for OpenID Connect.

  • Tableau Server supports only the client_secret_jwt Client Authentication method specified in the OpenID Connect specification. In addition, Tableau Server supports only RSA asymmetric keys for verifying the JWT signature. However, you can turn off JWT validation. See tsm authentication openid <commands>.

  • Tableau Server expects a kid value in the id_token attribute's JOSE Header. This value is matched with one of the keys found in the JWK Set document, whose URI is specified by the jwks_uri value in the OpenID discovery document. A kid value must be present even if there is only one key in the JWK Set document.

  • Tableau Server does not include OpenID support for the JWK x5c parameter or for using X.509 certificates.
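The following is an added example, not Tableau's code, that walks through the ID-token handling described in Steps 6 and 7 of the authentication overview together with the implementation notes above: the IdP signs an RS256 JWT, and the relying party looks up the key by kid in a JWK Set (a kid is required even when the set holds a single key), verifies the JWS, checks exp, iss and aud against its client ID, and then resolves the user by sub with the email fallback. The issuer URL, client ID, kid, key material and user records are all constructed for the demo, and the pure-Python RSA is a teaching toy used only so the example runs offline; a real deployment relies on a vetted JOSE library.

```python
# Added example (not Tableau's code): RS256 ID-token issue/verify plus sub-then-email user matching.
# Issuer, client_id, kid, key and user records below are constructed demo data.
import base64, hashlib, hmac, json, random, time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin; good enough for a demo key, not for production key generation."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def gen_rsa_key(bits: int = 1024) -> dict:
    """Toy RSA key for the demo IdP (real IdPs use >= 2048 bits and a vetted library)."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def to_jwk(key: dict, kid: str) -> dict:
    """Public half of the key, shaped as one entry of the document served at jwks_uri."""
    n, e = key["n"], key["e"]
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": b64url(n.to_bytes((n.bit_length() + 7) // 8, "big")),
            "e": b64url(e.to_bytes((e.bit_length() + 7) // 8, "big"))}

# RS256 = RSASSA-PKCS1-v1_5 over SHA-256; this is the DigestInfo prefix for SHA-256.
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue_id_token(key: dict, kid: str, claims: dict) -> str:
    """IdP side of Step 6: sign the claims as a compact JWS with the kid in the JOSE header."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url(pow(m, key["d"], key["n"]).to_bytes(k, "big"))

def validate_id_token(token: str, jwks: dict, issuer: str, client_id: str, now: float = None) -> dict:
    """Relying-party side of Step 6: kid lookup, signature, exp, iss, aud. Raises ValueError on failure."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64)), b64url_decode(s64)
    except Exception as exc:
        raise ValueError(f"malformed token: {exc}")
    if header.get("alg") != "RS256":          # the token must not choose the algorithm (e.g. "none")
        raise ValueError("unsupported alg")
    if "kid" not in header:                   # kid is required even if the JWK Set has only one key
        raise ValueError("missing kid")
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header["kid"] and j.get("kty") == "RSA"), None)
    if jwk is None:
        raise ValueError("unknown kid")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        raise ValueError("bad signature length")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims

def resolve_user(records: list, claims: dict):
    """Step 7: match on stored sub; otherwise match username to the email claim and store the sub."""
    for rec in records:
        if rec.get("sub") == claims["sub"]:
            return rec
    for rec in records:   # assumption: never relink a record already bound to a different sub
        if rec.get("sub") is None and rec["username"] == claims.get("email"):
            rec["sub"] = claims["sub"]
            return rec
    return None

# Constructed demo data: a made-up IdP, client and user directory.
ISSUER, CLIENT_ID, KID = "https://idp.example.com", "tableau-client", "key-2024-01"
IDP_KEY = gen_rsa_key()
JWKS = {"keys": [to_jwk(IDP_KEY, KID)]}
NOW = 1_700_000_000
CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "7gYhRR3HiRRCaRcgvY50ubrt",
          "email": "alice@tableau.com", "iat": NOW, "exp": NOW + 600}
TOKEN = issue_id_token(IDP_KEY, KID, CLAIMS)
USERS = [{"username": "alice@tableau.com", "sub": None}, {"username": "bob@tableau.com", "sub": None}]

if __name__ == "__main__":
    verified = validate_id_token(TOKEN, JWKS, ISSUER, CLIENT_ID, now=NOW)
    print("verified sub:", verified["sub"], "->", resolve_user(USERS, verified))
```

The order of checks matters: the algorithm and kid are taken from the header only to select a key, never to relax verification, and the signature is checked before any claim is trusted. The email fallback in resolve_user is the step the page describes for first sign-in; after it runs once, the stored sub is what later sign-ins match on.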
