The redirection URI (also known as the callback URL) is a fundamental and security-critical component of the OpenID Connect (OIDC) authentication flow. The Identity Provider (IdP) uses this URI to send the user back to the relying party (Tableau Server) with an authorization code after successful authentication. For security reasons, the IdP will only redirect to URIs that have been pre-registered. A mismatch between the redirecturi value sent by Tableau Server in the authentication request and the value registered with the IdP is one of the most common configuration errors, causing the IdP to reject the request and fail the login process.

A. The load balancing configuration of the Tableau Server: While a misconfigured load balancer can cause connectivity issues, it is a general infrastructure problem, not a specific OIDC protocol configuration error.

C. The encryption strength of the SSL certificate on the Tableau Server: A valid and trusted SSL certificate is a prerequisite for OIDC, but its specific encryption strength is not a common cause of integration failure, assuming it meets modern standards.

D. The storage capacity on the Tableau Server for caching user tokens: This is a general server resource issue. Insufficient storage would cause broader system failures, not a specific failure of the initial OIDC authentication handshake.

1. Tableau Server Documentation: In the "Configure OpenID Connect" guide

Tableau specifies the exact format for the provider redirect URL. The troubleshooting section implicitly points to verifying this configuration. It states

"The provider redirect URL is used by the IdP to redirect users back to Tableau Server. For example

http://tableauserver/vizportal/api/web/v1/auth/openIdLogin." A mismatch here is a primary failure point.

Source: Tableau Server Help

"OpenID Connect

" Section: "Configure OpenID Connect."

2. OpenID Connect Core 1.0 Specification: The official protocol specification defines the redirecturi as a required parameter in the Authentication Request. It mandates an exact match with a pre-registered value for the client.

Source: OpenID Foundation

"OpenID Connect Core 1.0 incorporating errata set 1

" Section 3.1.2.1. "Authentication Request

" redirecturi parameter description.

3. University Courseware (MIT): In lectures on web application security and authentication protocols like OAuth 2.0 (which OIDC is built upon)

the redirecturi is highlighted as a critical security parameter that must be exact-matched to prevent token theft and replay attacks. Misconfiguration is a common implementation flaw.

Source: MIT OpenCourseWare

6.858 Computer Systems Security

Fall 2014

Lecture 17: "Web Security

" discussion on OAuth 2.0 vulnerabilities.