You can configure Active Directory Federated Services (ADFS) to work with ThoughtSpot.
Before you configure ADFS, complete these prerequisites.
- Configure SAML in ThoughtSpot.
- Install ADFS 2.0. ThoughtSpot supports ADFS 3.0, but recommends ADFS 2.0.
- Make sure you can run ADFS 2.0 Federation Server Configuration Wizard from the ADFS 2.0 Management Console.
- Make sure that the DNS name of your Windows Server is available at your service provider (SP) and vice versa. You can do this by running the command
nslookupin the command line on both machines, supplying the DNS of the other server. The syntax is
nslookup [HOST] [SERVER]. Replace HOST and SERVER with your specific information.
$ nslookup [HOST] [SERVER]
ADFS 2.0 supports SAML 2.0 in IdP (Identity Provider) mode and can be easily integrated with the SAML Extension for both SSO (Single Sign-On) and SLO (Single Log Out).
Step 1: Initialize IdP metadata
Download the IdP metadata Download the ADFS 2.0 IdP metadata from the ADFS server. You can reference this file by its URL:
- SSH into your cluster Log into the Linux shell using SSH.
$ ssh admin@<cluster-IP>
Change directories to the SAML directory
$ cd /usr/local/scaligent/release/production/orion/tomcat/callosum/saml
- Update the metadata Replace the contents of the file
idp-meta.xmlwith the metadata of the IdP that you downloaded. Do not change the name of the file.
- Restart Tomcat Contact ThoughtSpot Support for help restarting ThoughtSpot’s Tomcat instance.
Step 2: Initialize the Service Provider metadata
1: Import metadata
- Open the ADFS 2.0 Management Console.
- Select Relying Party Trusts > Add Relying Party Trust.
- Select Import data about the relying party from a file.
- Upload the
metadata.xmlfile that you downloaded from ThoughtSpot earlier.
- Select Next.
- There may be a warning that some of the content of the metadata is not supported. You can safely ignore this warning.
2: Edit claim rules
- In the Ready to Add Trust section, make sure that the tab endpoints contain multiple endpoint values.
- If not, verify that your metadata was generated with the HTTPS protocol URLs.
- Ensure that the Open the Edit Claim Rules dialog checkbox is checked.
- Click Next.
- Select Add Rule.
- Choose Send LDAP Attributes as Claims.
- Click Next.
- For NameID enter the name of your claim rule.
- For Attribute store, choose “Active Directory”.
- For LDAP Attribute, choose “SAM-Account-Name”.
- For Outgoing claim type, choose “Name ID”.
- If you are using ADFS 3.0, you might need to configure the Name ID as a Pass Through claim.
- Finish the wizard.
- Confirm that all information is correct in the claim rules window.
3. Specify your level of security
- Open the provider by double-clicking it.
- Select the Advanced tab.
- Under Secure hash algorithm, choose “SHA-256”.
- If you have trouble with SHA-256, try SHA-1 instead.
You can now use ADFS.
Step 3: Test your ADFS integration
After setting up the ADFS integration, make sure it works properly. To test your ADFS integration, go to the ThoughtSpot login page using a Web browser and try to login with SAML.