2 Replies Latest reply on Sep 18, 2017 9:05 AM by David Bywaters

    Troubleshooting OpenID Connect

    Juha Hollanti

I noticed that with e.g. SAML and Kerberos there's a section specifically for troubleshooting in the online help. But what about troubleshooting OpenID Connect? So far, I've tried with two different OpenID Providers; with one of them I'm getting an error message "Sign in failed" and with the other one I get "User not found".

       

I've triple-checked that the user names in the OpenID Providers are the same as the user names in Tableau. I'm also using local authentication in Tableau, instead of AD. And I've reset the openid subs when switching between OpenID Providers.

       

I enabled debug logging for wgserver and vizportal but couldn't get any clear reason as to why the sign-in fails or the user is not found.

       

Any ideas where I could look next?

       

      Also, it would be helpful to understand what kind of OpenID configuration Tableau is expecting.

        • 1. Re: Troubleshooting OpenID Connect
          Scott Wise

I am interested in knowing which identity token field is checked for a match. I see a lot of references to the name claim, but it seems you expect this to be the email, even though for most IdPs it will be a display-friendly name and, since it is optional, it might not be provided.

          • 2. Re: Troubleshooting OpenID Connect
            David Bywaters

            I'm having similar problems... I know this is an old thread but did you get this issue resolved?  Could you help with the question below?

             

            User accounts are matched between the Identity Provider and Tableau by comparing the Tableau user's Username with the Identity Provider user's email claim.  This is documented here:

             

            Requirements for Using OpenID Connect

            ... so essentially, the usernames in Tableau need to be the email addresses of the users in the Identity Provider.

             

However, this isn't working for all users - it seems that my Tableau server has been set up with the name of my domain somewhere in its configuration, and any email addresses that end in this domain name (e.g. bob@my-domain.com) won't log in. I simply get the following in the log file:

             

            DEBUG com.tableausoftware.model.workgroup.auth.LoginAppService - Attempting openid connect login. No specific site provided.

            ...

            DEBUG com.tableausoftware.domain.user.openid.OpenIDConnectHelper - username claim not found in ID Token, attempting to retrieve claim from UserInfo Endpoint

            ...

            DEBUG com.tableausoftware.domain.user.openid.OpenIDConnectHelper - Login attempt. No matching account was found for email: bob@my-domain.com or sub: xxxxxxxxxxxxxxxxxxx

             

However, users with different domain names can log in OK.

             

Any ideas how to get the login to work for the users of my domain?
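To see which claims an Identity Provider actually places in its ID token, and whether they would match a Tableau username under the rule quoted above (email claim compared with the Tableau username, sub as the secondary key), here is an added diagnostic in Python; it is not code from the thread or from Tableau. It decodes the token payload for inspection only and does not verify the signature; the demo tokens, usernames and the case-insensitive comparison are constructed assumptions.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload (second segment) of a compact JWT without verifying it.
    Diagnostic use only: signature validation is the relying party's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def match_tableau_user(claims: dict, tableau_usernames, known_subs=None) -> dict:
    """Mirror the matching rule described in the thread: the IdP email claim is
    compared with the Tableau username, and the sub is tried as a fallback key.
    Case-insensitive comparison is an assumption made for this diagnostic."""
    known_subs = known_subs or set()
    email = claims.get("email")
    sub = claims.get("sub")
    report = {"email_claim_present": email is not None, "sub": sub, "matched_by": None}
    if email and email.lower() in {u.lower() for u in tableau_usernames}:
        report["matched_by"] = "email"
    elif sub and sub in known_subs:
        report["matched_by"] = "sub"
    return report


def diagnose(token: str, tableau_usernames, known_subs=None) -> dict:
    """Decode the token and report how (or whether) it would match a Tableau user."""
    return match_tableau_user(decode_jwt_payload(token), tableau_usernames, known_subs)


def make_demo_token(payload: dict) -> str:
    """Build a constructed, unsigned demo token for the examples below (the
    signature segment is a placeholder, since nothing here checks it)."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{seg({'typ': 'JWT'})}.{seg(payload)}.placeholder-signature"


# Constructed sample data: Tableau usernames and two ID tokens, one carrying an
# email claim and one carrying only a display name (the optional-claim case).
DEMO_TABLEAU_USERS = ["bob@my-domain.com", "alice@other.org"]
TOKEN_WITH_EMAIL = make_demo_token({"sub": "constructed-sub-123", "email": "Bob@My-Domain.com"})
TOKEN_NAME_ONLY = make_demo_token({"sub": "constructed-sub-456", "name": "Carol Example"})

if __name__ == "__main__":
    print(diagnose(TOKEN_WITH_EMAIL, DEMO_TABLEAU_USERS))  # matched_by: email
    print(diagnose(TOKEN_NAME_ONLY, DEMO_TABLEAU_USERS))   # no email claim, no match
```

When `email_claim_present` is False for a token, the next place to look is the UserInfo endpoint response, which is what the debug line "username claim not found in ID Token" says Tableau falls back to.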