ThoughtSpot can use Security Assertion Markup Language (SAML) to authenticate
users. You can set up SAML through the shell on the ThoughtSpot instance using a
tscli based configurator.
Before configuring SAML, you need this information:
- Domain name for ThoughtSpot service (E.g. -
- Port of the server where your ThoughtSpot instance is running (E.g. -
- Protocol, or the authentication mechanism for ThoughtSpot (E.g. -
- Unique service name that is used as the unique key by IDP to identify the client (E.g. -
urn:thoughtspot:callosum:saml). You may know this as the Entity ID.
- Allowed skew time, which is the time after authentication response is rejected and sent back from the IDP.
86400is a popular choice.
- The absolute path to the identity provider’s metadata file. Typically called
idp-meta.xmlor similar. This is needed so that the configuration persists over upgrades. Best to set it up on persistent/HA storage (NAS volumes) else in the same absolute path on all nodes in the cluster. If your IDP needs an Assertion Consumer Service URL to create the metadata file, use
- ThoughtSpot’s metadata file,
spring_saml_metadata.xml. To download this file, navigate to
https://<hostname-or-IP>/callosum/v1/saml/metadata. The file automatically downloads.
- This configurator also checks with the user if internal authentication needs to be set or not. This internal authentication mechanism is used to authenticate
tsadminand other ThoughtSpot local users. Set it to true by default to let local system/admin users in via the frontend.
Use this procedure to set up SAML on ThoughtSpot for user authentication. Note that this configuration persists across software updates, so you do not have to reapply it if you update to a newer release of ThoughtSpot.
- Log in to the Linux shell using SSH.
Execute the command to launch the interactive SAML configuration:
tscli saml configure
- Complete the configurator prompts with the information and files you gathered above.
- When the configuration is complete, open a Web browser and go to the ThoughtSpot login page. It should now show the Single Sign On option.