You can use ThoughtSpot’s integration with SAML for user authentication. By default, local authentication is enabled. You can also configure a SAML integration with an external Identity Provider (IdP), allowing your ThoughtSpot users to log in using one of the supported Identity Providers.
Popular Identity Providers that ThoughtSpot supports include Okta, Azure Active Directory, PingFederate, Microsoft AD FS, and Onelogin. This is not an exhaustive list. To determine if ThoughtSpot supports your preferred IdP, talk to your ThoughtSpot contact.
After you complete the SAML configuration in ThoughtSpot that this article describes, refer to your Identity Provider’s SAML documentation for specific information on setting up SAML with that IdP.
You can configure the SAML integration through the Admin Console.
Navigate to the Admin Console by clicking on the Admin tab from the top navigation bar. Select SAML from the side navigation bar that appears.
Click the Configure button in the middle of the screen.
Fill in the following parameters:
- ThoughtSpot Service Address: A fully qualified and resolvable domain name for the ThoughtSpot service. For example, thoughtspot.thoughtspot-customer.com.
- Port: Enter 443 in this box. This is the port of the server where your ThoughtSpot instance is running.
- Unique Service Name: The unique key used by your Identity Provider to identify the client. For example, urn:thoughtspot:callosum:saml. You may know this as the Entity ID.
- Skew Time in Seconds: The allowed clock skew, in seconds, between ThoughtSpot and the IdP. An authentication response from the IdP whose timestamps fall outside this window is rejected. 86400 is a popular choice. The default is 3600.
- Protocol: The authentication mechanism for ThoughtSpot. For example,
- IdP Metadata XML File: The absolute path to your Identity Provider’s metadata file. This file is provided by your IdP. You need this file so that the configuration persists over upgrades. It is a best practice to set it up on persistent/HA storage (NAS volumes) or in the same absolute path on all nodes in the cluster. For example, idp-meta.xml. If your IdP needs an Assertion Consumer Service URL to create the metadata file, use https://<hostname_or_IP>/callosum/v1/saml/SSO. Note: If your IdP does not allow you to import the IdP metadata XML file, you must map values manually. For the ThoughtSpot system to pick up certain attributes, you must map them to specific fields. Map the username you would like to use to NameId, and map the email id of the user to
- Automatically add SAML users to ThoughtSpot upon first authentication: Choose whether or not to add SAML users to ThoughtSpot when they first authenticate. If you choose ‘yes’, new users are created in ThoughtSpot automatically upon their first successful SSO login. If you choose ‘no’, SAML users are not added to ThoughtSpot upon their first successful SSO login; instead, you must add users manually.
After you fill in all parameters, click OK.
As you develop your expertise in authentication and security, we recommend the following ThoughtSpot U course: