You can use the Security Assertion Markup Language (SAML) to authenticate users.

ThoughtSpot enables you to use the Security Assertion Markup Language (SAML) to authenticate user. You can set up SAML using the management console or through the shell on ThoughtSpot using a tscli-based configurator. It is configured to work using service provided by an Identity Provider (IDP).

Configuration prerequisites

Before you configure SAML, collect the following information:

ThoughtSpot service address
Service port
Unique service name
Skew time in seconds
IDP Metadata XML File
Automatically add SAML users to Thoughtspot
Also use ThoughtSpot internal authentication

ThoughtSpot service address

DNS name of the load balancer front-end for multi-node ThoughtSpot clusters, or of ThoughtSpot server For single-node ThoughtSpot cluster.

Service port

Service port for ThoughtSpot instance, typically TCP/443.

Unique service name

The unique key ThoughtSpot uses to identify IDP service. Set by the ThoughtSpot Support Team.

The key has the following format: urn:thoughtspot:callosum:saml.

Skew time in seconds

Allowed skew time for authentication, or the duration after authentication response is rejected and sent back from the IDP.

Usually set to 3600 seconds.

IDP Metadata XML File

This file is provided by the IDP. The absolute path to the idp-meta.xml file is needed for one-time configuration.

Automatically add SAML users to Thoughtspot: (yes/no)

If you choose ‘yes’, then new users will be automatically created in ThoughtSpot. If ‘no’, then SAML users will be added in ThoughtSpot upon first successful SSO login.

Also use ThoughtSpot internal authentication: (y/n)

If ‘y’, then ThoughtSpot local/internal users (including local administrative users) will still be authenticated outside the scope of SSO.

Configure SAML using tscli

To set up SAML on ThoughtSpot for user authentication, follow these steps:

  1. Log into the Linux shell using SSH.

  2. Run the saml configure command to launch the interactive SAML configuration:

     tscli saml configure
    
  3. Complete the configurator prompts with the information you collected in Configuration prerequisites.

  4. When the configuration completes, open a browser and navigate to the ThoughtSpot login page. It should show the SSO option.