ThoughtSpot enables you to use the Security Assertion Markup Language (SAML) to authenticate user. You can set up SAML through the shell on ThoughtSpot using a
tscli-based configurator, or through the Admin Console. It is configured to work using service provided by an Identity Provider (IDP).
Before you configure SAML, collect the following information:
|❏||ThoughtSpot service address|
|❏||Unique service name|
|❏||Skew time in seconds|
|❏||IDP Metadata XML File|
|❏||Automatically add SAML users to Thoughtspot|
|❏||Also use ThoughtSpot internal authentication|
ThoughtSpot service address
DNS name of the load balancer front-end for multi-node ThoughtSpot clusters, or of the ThoughtSpot server for a single-node ThoughtSpot cluster. If you do not have the DNS name, you can use the front-end IP address. Using the DNS name instead of the IP address is a best practice.
Service port for ThoughtSpot instance, typically TCP/443.
Unique service name
The unique key ThoughtSpot uses to identify IDP service. Set by the ThoughtSpot Support Team.
The key has the following format:
Skew time in seconds
Allowed skew time for authentication, or the duration after authentication response is rejected and sent back from the IDP.
Usually set to
IDP Metadata XML File
This file is provided by the IDP. The absolute path to the
idp-meta.xml file is needed for one-time configuration.
Automatically add SAML users to Thoughtspot: (yes/no)
If you choose ‘yes’, then new users will be automatically created in ThoughtSpot upon first successful SSO login.
Also use ThoughtSpot internal authentication: (y/n)
If ‘y’, then ThoughtSpot local/internal users (including local administrative users) will still be authenticated outside the scope of SSO.
Configure SAML using tscli
To set up SAML on ThoughtSpot for user authentication, follow these steps:
Log in to the Linux shell using SSH.
saml configurecommand to launch the interactive SAML configuration:
tscli saml configure
Complete the configurator prompts with the information you collected in Configuration prerequisites.
When the configuration completes, open a browser and navigate to the ThoughtSpot login page. It should show the SSO option.
Configure SAML using the Admin Console
You can use ThoughtSpot’s integration with SAML for user authentication. By default, local authentication is enabled. You can also configure a SAML integration with an external Identity Provider (IdP), allowing your ThoughtSpot users to log in using one of the supported Identity Providers: Okta, Ping Identity, CA SiteMinder, or ADFS.
You can configure the SAML integration through the Admin Console.
Navigate to the Admin Console by clicking on the Admin tab from the top navigation bar. Select SAML from the side navigation bar that appears.
Click the Configure button in the middle of the screen.
Fill in the following parameters:
- ThoughtSpot Service Address: A fully qualified and resolvable domain name for the ThoughtSpot service. For example, thoughtspot.thoughtspot-customer.com.
- Port: Port of the server where your ThoughtSpot instance is running. For example, port
- Unique Service Name: The unique key used by your Identity Provider to identify the client. For example, urn:thoughtspot:callosum:saml.
- Skew Time in Seconds: The allowed skew time, after which the authentication response is rejected and sent back from the IDP. 86400 is a popular choice. The default is 3600.
- Protocol: The authentication mechanism for ThoughtSpot. For example,
- IDP Metadata XML File: The absolute path to your Identity Provider’s metadata file. This file is provided by your IDP. You need this file so that the configuration persists over upgrades. It is a best practice to set it up on persistent/HA storage (NAS volumes) or in the same absolute path on all nodes in the cluster. For example, idp-meta.xml.
- Automatically add SAML users to ThoughtSpot upon first authentication: Choose whether or not to add SAML users to ThoughtSpot when they first authenticate. If you choose ‘yes’, then new users will be automatically created in ThoughtSpot upon first successful SSO login. If you choose ‘no’, then SAML users will not be added in ThoughtSpot upon first successful SSO login. Instead, you must add users manually.
After you fill in all parameters, click OK.