4 Replies Latest reply on Dec 6, 2018 6:03 AM by Dinesh Pilla

    Troubleshooting OpenID Connect

    Juha Hollanti

      I noticed that with e.g. SAML and Kerberos there's a section specifically for troubleshooting in the online help. But what about troubleshooting OpenID Connect? So far, I've tried with two different OpenID Providers; with one of them I'm getting an error message "Sign in failed" and with the other one I get "User not found".


      I've triple-checked that the user names in the OpenID Providers are the same as the user names in Tableau. I'm also using local authentication in Tableau, instead of AD. And I've reset the openid subs when switching between OpenID Providers.


      I enabled debug logging for wgserver and vizportal but couldn't get any clear reason as to why the signing fails or the user is not found.


      Any ideas where I could look next?


      Also, it would be helpful to understand what kind of OpenID configuration Tableau is expecting.

        • 1. Re: Troubleshooting OpenID Connect
          Scott Wise

          I am interested in knowing which identity token field is checked for a match. I see a lot of references to the name claim, but it seems you expect this to be the email, even though for most IDPs it will be a display friendly supported name, and since it is optional it might not be provided.

          • 2. Re: Troubleshooting OpenID Connect
            David Bywaters

            I'm having similar problems... I know this is an old thread but did you get this issue resolved?  Could you help with the question below?


            User accounts are matched between the Identity Provider and Tableau by comparing the Tableau user's Username with the Identity Provider user's email claim.  This is documented here:


            Requirements for Using OpenID Connect

            ... so essentially, the usernames in Tableau need to be the email addresses of the users in the Identity Provider.


            However, this isn't working for all users - it seems that my Tableau server has been set up with the name of my domain somewhere in its configuration and any email addresses that end in this domain name (e.g. bob@my-domain.com) won't log in.  I simply get the following in the log file:


            DEBUG com.tableausoftware.model.workgroup.auth.LoginAppService - Attempting openid connect login. No specific site provided.


            DEBUG com.tableausoftware.domain.user.openid.OpenIDConnectHelper - username claim not found in ID Token, attempting to retrieve claim from UserInfo Endpoint


            DEBUG com.tableausoftware.domain.user.openid.OpenIDConnectHelper - Login attempt. No matching account was found for email: bob@my-domain.com or sub: xxxxxxxxxxxxxxxxxxx


            However, users with different domain names can log in OK.


            Any ideas how to get the logging in to work for the users of my domain?

            • 3. Re: Troubleshooting OpenID Connect
              Stanislaw Kuczynski

              You need to remap claims to sub, like:

              tsm authentication openid map-claims -un sub

              Then your outside user defined with id (this is sub) will be mapped with the Tableau user with the sub, not with email.
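
Added example, not part of the original thread and not Tableau's code: a small Python diagnostic for the question raised in replies 1 to 3, namely which claim an ID token actually carries and whether its value equals a server username. The helper names, the sample token and the sample values are constructed for illustration; the token's signature is not verified, so this is only for inspecting a token you captured from your own IdP.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_claims(id_token: str) -> dict:
    """Return the claims of a compact-JWS ID token (signature NOT verified)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_username_claim(claims: dict, claim: str, usernames: set) -> tuple:
    """Hypothetical helper: compare one claim with the server's usernames.
    Returns (status, value) with status missing/match/near_miss/no_match."""
    value = claims.get(claim)
    if not isinstance(value, str) or not value:
        return ("missing", None)  # IdP did not put this claim in the token
    if value in usernames:
        return ("match", value)
    # Differs only by case or surrounding whitespace. Whether the server
    # accepts that is not stated in the thread, so it is only flagged here.
    if value.strip().lower() in {u.strip().lower() for u in usernames}:
        return ("near_miss", value)
    return ("no_match", value)


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    # Constructed token with sub and name but no email claim.
    token = make_sample_token({"sub": "00u1example", "name": "Bob Example"})
    claims = decode_id_token_claims(token)
    print("claims present:", sorted(claims))
    for claim in ("email", "sub"):
        print(claim, check_username_claim(claims, claim, {"00u1example"}))
```
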

              • 4. Re: Troubleshooting OpenID Connect
                Dinesh Pilla

                Hey, I can see that it is an open issue in the older versions of Tableau. It basically throws an error code 69 when we try to access the Tableau server from a web browser. It is later corrected in the newer versions 10.5.4.

                Please find the link,