Tableau Server OpenID SSO integration with Azure AD B2C for seamless iframe authentication

  • Configure Azure AD B2C as an Identity Provider (IdP) for Tableau, by leveraging OIDC auth protocol. (Note: if you wish to use SAML instead, have a look at this excellent post by Andrija)
  • Enable seamless iframe SSO embedding (NB: Azure has been known to block any sort of in-frame authentication flows, but now with just a couple of lines of code you can define a custom CSP policy in B2C that allows for such for your trusted domains. This new feature was still in public preview at the time of this writing).
  • Learn the tools of the trade on how troubleshoot integration issues between Tableau and OIDC IdPs

Demo of the finished solution


  1. Tableau Server installed and running on HTTPS. You can even use a self-signed SSL certificate (check my other post if you need help to create it). Take note of your <your-tableau-server-hostname> (e.g.
  2. Admin access to both Tableau Server GUI and its VM/container
  3. Tableau Log Viewer installed (for troubleshooting config issues)
  4. Create an Azure AD B2C tenant that is linked to your Azure subscription and take note of the tenant-name

Azure AD B2C config

<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
<UserJourneyBehaviors><JourneyFraming Enabled="true" Sources="https://<your-tenant-name> https://<your-tableau-server-hostname>" /></UserJourneyBehaviors>
a. TrustFrameworkBase.xmlb. TrustFrameworkLocalization.xmlc. TrustFrameworkExtensions.xmld. SignUpOrSignin.xmle. ProfileEdit.xmlf. PasswordReset.xml

Tableau Server OpenID config:

tsm authentication openid configure --client-id <B2c-Tableau-App-ClientID> --client-secret <B2c-Tableau-App-Secret> --config-url <B2c-OpenID-UrL> --return-url <Tableau-Return-UrL>
<B2c-Tableau-App-ClientID> = see step 2<B2c-Tableau-App-Secret> = see step 3<B2c-OpenID-UrL> =  https://<tenant-name><tenant-name><b2c-signin-policyname>/v2.0/.well-known/openid-configuration<b2c-signin-policyname> = B2C_1A_SIGNUP_SIGNIN<Tableau-Return-UrL> = TableauServerHostName, e.g.
tsm configuration set –k wgserver.openid.iframed_idp.enabled -v true
tsm configuration set -k vizportal.openid.client_authentication -v client_secret_post
tsm authentication openid configure --custom-scope-name “openid <B2c-Tableau-App-ClientID>”
tsm authentication openid enable
tsm pending-changes apply
SPA app and Tableau Embedded with iframe SSO auth. Both leveraging the same OpenID IdP (Azure AD B2c)


tsm configuration set -k vizportal.log.level -v debugtsm configuration set -k vizportal.openid.full_server_request_logging_enabled -v true
  • Open the following file: C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizportal\vizportal_node1–0.log
  • Set to Live
  • Set Highligh Only Mode, on string: openid




Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

100 Wikipedia Articles on Software Product Development (and Related Disciplines)

That time a dormant bug came alive and everything went wrong at the same time

Paper Or Diamond? How Agile is Your Team?

Creating the Right Environment

How I Would Design… YouTube or Netflix!

How Airbnb Supports Co-Hosting

Understanding Handler and Looper in Android

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alex Eskinasy

Alex Eskinasy

Data Geek

More from Medium

Azure DevOps and Jenkins pipelines — what is missing

API Management — Azure vs Mulesoft

Securing your Azure Functions App with API Management

Benefits of Open API — Introduction and validation (Part 1 of 2)