ThoughtSpot lets you authenticate users with the Security Assertion Markup Language (SAML). You set up SAML from the ThoughtSpot shell with a tscli-based configurator. In this setup ThoughtSpot is the SAML service provider and relies on an Identity Provider (IdP) to authenticate users.
Popular Identity Providers that ThoughtSpot supports include Okta, Azure Active Directory, PingFederate, Microsoft AD FS, and Onelogin. This is not an exhaustive list. To determine if ThoughtSpot supports your preferred IdP, talk to your ThoughtSpot contact.
After you complete the SAML configuration in ThoughtSpot that this article describes, refer to your Identity Provider’s SAML documentation for specific information on setting up SAML with that IdP.
Before you configure SAML, collect the following information:
❏ ThoughtSpot service address
❏ Unique service name
❏ Skew time in seconds
❏ IdP metadata XML file
❏ Automatically add SAML users to ThoughtSpot
❏ Also use ThoughtSpot internal authentication
ThoughtSpot service address
DNS name of the load balancer front-end for multi-node ThoughtSpot clusters, or of the ThoughtSpot server for a single-node ThoughtSpot cluster. If you do not have the DNS name, you can use the front-end IP address. Using the DNS name instead of the IP address is a best practice.
Service port for the ThoughtSpot instance: use TCP/443.
Unique service name
The unique key that identifies the ThoughtSpot service to the IdP. It is set by the ThoughtSpot Support Team. You may know this as the Entity ID; it must match the entity ID the IdP has on record for ThoughtSpot.
The key has the following format:
Skew time in seconds
The maximum clock difference, in seconds, tolerated between ThoughtSpot and the IdP when validating an authentication response. A response whose validity window (NotBefore/NotOnOrAfter) falls outside ThoughtSpot's clock plus or minus this skew is rejected. A larger value tolerates more clock drift but also widens the window in which a captured response could be replayed, so keep the clocks synchronized rather than relying on a large skew.
Usually set to
IDP Metadata XML File
This file is provided by the IdP. The absolute path to the idp-meta.xml file is needed for the one-time configuration. If your IdP needs an Assertion Consumer Service URL to create the metadata file, use
NameId, and map the email id of the user to
Automatically add SAML users to ThoughtSpot: (yes/no)
If you choose 'yes', new users are created in ThoughtSpot automatically on their first successful SSO login. If you choose 'no', a user must already exist in ThoughtSpot before SSO login succeeds.
Also use ThoughtSpot internal authentication: (y/n)
If 'y', ThoughtSpot local (internal) users, including local administrative users, can still log in with ThoughtSpot's internal authentication, independently of SSO. Keep this enabled at least until SSO is verified to work, so that an IdP outage or a misconfiguration does not lock administrators out.
Configure SAML using tscli
To set up SAML on ThoughtSpot for user authentication, follow these steps:
1. Log in to the Linux shell of the ThoughtSpot cluster using SSH.
2. Run the saml configure command to launch the interactive SAML configuration:
tscli saml configure
3. Complete the configurator prompts with the information you collected in Configuration prerequisites.
4. When the configuration completes, open a browser and navigate to the ThoughtSpot login page. It should show the SSO option. Verify an SSO login with a test user before relying on it, and keep internal authentication enabled until it works.