Salesforce and ThoughtSpot integration setup guide

Follow these steps to configure your integration between Salesforce and ThoughtSpot, including all supported authentication configurations and required Content Security Policy (CSP) settings.

Prerequisites

For Salesforce, this setup requires:

  • Salesforce admin access.

  • A Salesforce domain (for example, mydomain.my.salesforce.com).

  • Access to manage connected apps.

Alternatively, you can create a new developer edition account.

For ThoughtSpot, this setup requires:

  • Admin access to ThoughtSpot.

Configure your Content Security Policy (CSP)

Trusted URLs

  1. From Setup, in the Quick Find box, search for and select Trusted URLs.

  2. Add the required trusted sites:

    1. ThoughtSpot

      1. Trusted Site Name: ThoughtSpot

      2. Trusted Site URL: https://<your-thoughtspot-domain>

      3. Allow all CSP Directives

    2. Mixpanel

      1. Trusted Site Name: ThoughtSpot_Mixpanel

      2. Trusted Site URL: https://api-js.mixpanel.com

      3. Allow all CSP Directives

    3. Identity Service (environment-specific ThoughtSpot Identity URL)

      1. Trusted Site Name: ThoughtSpot_Identity

      2. Trusted Site URL: (choose based on your environment)

      3. Allow all CSP Directives


Remote site settings

  1. From Setup, in the Quick Find box, search for and select Remote Site Settings.

  2. Search for a credential named ‘ThoughtSpot’. If you find it, update the URL with your ThoughtSpot instance URL. If you don’t find it, create a new one.

  3. Repeat the step above for ‘Mixpanel’ and ‘Identity Service’ credentials.


CORS

  1. From Setup, in the Quick Find box, search for and select CORS.

  2. Add the required sites: the ThoughtSpot URL, the Mixpanel URL, and the Identity Service URL.


ThoughtSpot security settings

  1. Navigate to the ThoughtSpot Develop tab and click Security settings.

  2. Click Edit. Add your Salesforce domain URL to:

    • CSP visual embed hosts

    • CSP connect-src domains

    • CSP font-src domains

    • Permitted iFrame domains

    • CSP img-src domains

    • CSP style-src domains

    • CORS whitelisted domains
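
To confirm these settings took effect, the following added example (not ThoughtSpot or Salesforce code) parses a Content-Security-Policy header value returned by your ThoughtSpot instance and reports which directives would still block your Salesforce domain. The header string is constructed sample data, and treating "CSP visual embed hosts" as the frame-ancestors directive is an assumption.

```python
from urllib.parse import urlsplit

# Assumption of this example: "CSP visual embed hosts" maps to frame-ancestors.
REQUIRED = ("frame-ancestors", "connect-src", "font-src", "img-src", "style-src")
# Constructed sample header value, not captured from a real instance.
SAMPLE_CSP = (
    "default-src 'self'; frame-ancestors 'self' https://*.my.salesforce.com; "
    "connect-src 'self' https://mydomain.my.salesforce.com; "
    "img-src 'self' data: https:; style-src 'self' 'unsafe-inline'"
)

def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(source, origin):
    """True if one CSP source expression covers the given https origin."""
    target, src = urlsplit(origin), source.lower()
    if src == "*":
        return True
    if src.startswith("'"):  # keywords such as 'self' never name another origin
        return False
    if src.endswith(":") and "/" not in src:  # scheme-source, e.g. https:
        return src[:-1] == target.scheme
    if "://" in src:
        scheme, _, src = src.partition("://")
        if scheme != target.scheme:
            return False
    host, _, port = src.split("/")[0].partition(":")
    port_ok = port in ("", "*", str(target.port or 443))
    if host.startswith("*."):  # wildcard covers subdomains, not the bare domain
        return port_ok and target.hostname.endswith(host[1:])
    return port_ok and host == target.hostname

def blocked_directives(header, origin, required=REQUIRED):
    """List the required directives that restrict sources but omit the origin."""
    policy, blocked = parse_csp(header), []
    for name in required:
        # Fetch directives fall back to default-src; frame-ancestors does not.
        fallback = None if name == "frame-ancestors" else policy.get("default-src")
        sources = policy.get(name, fallback)
        if sources is not None and not any(source_matches(s, origin) for s in sources):
            blocked.append(name)
    return blocked
```

For the sample header and `https://mydomain.my.salesforce.com`, `blocked_directives` reports `font-src` (inherited from `default-src 'self'`) and `style-src`, the two settings that would still need the Salesforce domain added.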


Configure your User Access Policy in Salesforce

User Access Policies allow automated assignment of permission sets based on defined user attributes such as profile, role, or status. This helps streamline access control for integrations like ThoughtSpot.

Enable User Access Policy

  1. Navigate to Setup in Salesforce. In the Quick Find box, search for User management settings.

  2. Scroll down to locate the User Access Policy option. Ensure the policy is set to enabled.

  3. Click Save if you made any changes.


Create a new User Access Policy

  1. From Setup, go to the Quick Find box. Search for User Access Policies.

  2. Click New User Access Policy.

  3. Provide a policy name (for example, ‘ThoughtSpot Access Policy’) and description (optional but recommended).

  4. Click Save.


Define criteria for the policy

  1. On the newly created policy page, click Edit Criteria in the top right corner.

  2. Under User criteria, define filters such as:

    • Profile (your desired profile)

    • Role (your desired role)

    • (Optional) Set Active to true to include only active users

These filters ensure only relevant users are automatically granted the appropriate permission set.

Define actions for the policy

  1. Scroll down to the Actions section and configure the action as follows:

    • Action: Grant

    • Target Type: Permission Set

    • Target Value: ThoughtSpot_Permission_Set (or the name of your custom permission set)

  2. Click Save to finalize the policy.


Configure basic authentication

To configure basic authentication, you don’t need any additional setup or configuration.

Configure trusted authentication

Named credentials

  1. In Setup, go to the Quick Find box, and search for and select Named Credentials.

  2. Click on Edit under the Actions menu for ThoughtSpot_Named_Credential and replace yourTSurl in the URL with the actual ThoughtSpot instance URL and save.

    Edit ThoughtSpot_Named_Credential popup with URL as yourTSurl.thoughtspotdev.cloud/api/rest/2.0/auth/token/full
  3. Click on the external credential tab and click on ThoughtSpot_External_Credential, navigate to the ‘Principals’ section, then click Edit under the Actions menu.

  4. In ThoughtSpot, navigate to Develop > Customizations > Security settings to get the trusted authentication token.

  5. In Salesforce, add an authentication parameter with the name ThoughtSpot_Secret_Key and set its value to the token you got from the above step.


External credential principal mappings

  1. In Setup, go to the Quick Find box and search for Permission Sets.

  2. Select the permission set used for integration, for example, ThoughtSpot_Permission_Set.

  3. Within the selected permission set, scroll down to the External Credential Principal Access section.

  4. Click Edit.

  5. From the list, select the ThoughtSpot_External_Credential under Available External Credential Principals.

  6. Click Add, then Save.

This allows users assigned this permission set to use the specified External Credentials when making authenticated calls to external services like ThoughtSpot.

Configure your SSO

Configure Salesforce (identity provider)

  1. Sign in to your Salesforce org using admin credentials.

  2. Click on the gear icon ⚙️ in the top right corner. Select Setup from the dropdown.

  3. In the Quick Find box, type and select Identity > Identity Provider.

  4. Click Enable Identity Provider if it is not enabled.

  5. Create a certificate or choose an existing certificate and save.

  6. After saving, click Download Certificate to save the .crt file locally.

  7. Copy the Issuer value shown on the Identity Provider page. You’ll need this for SSO configuration.


Configure ThoughtSpot (service provider)

  1. Access your ThoughtSpot instance using your admin credentials.

  2. Navigate to Admin > All Orgs > Authentication > Single Sign On.

  3. Click on + Add Identity Provider.

  4. Choose SAML 2.0 IDP from the options.

  5. Under Connection name, provide a meaningful name for the connection.

  6. Click Upload next to IdP provider certificate and select the .crt file you downloaded from Salesforce.

  7. Under IdP issuer id, paste the Issuer ID you copied from Salesforce.

  8. Under IdP single sign on url use the following format: <IdP Issuer ID>/idp/endpoint/HttpPost. Replace <IdP Issuer ID> with the actual issuer URL.

  9. Keep the Advanced Configuration section as default and click Continue.

  10. Under Map attributes, configure Username, Email, and Display name as “email”. Click Save and continue.

  11. Save the Assertion consumer service url and Audience values and click Enable.


Create a connected app in Salesforce

  1. Open Salesforce and navigate to Setup. Go to the Quick Find box and search for and select App Manager.

  2. Click New Connected App.

  3. Select Create a Connected App, then click Continue.

  4. Fill in the following fields:

    • Connected App Name (for example, ThoughtSpot SSO)

    • Contact Email (your admin/support email)

    • Logo/Image URLs (optional, for branding)

  5. Scroll down and check Enable SAML.

  6. Fill in the following fields:

    • Entity ID: Use the Audience value from ThoughtSpot.

    • ACS URL: Use the Assertion consumer service url from ThoughtSpot.

    • Start URL: Enter the ThoughtSpot login URL (for example, https://<your-thoughtspot-domain>.cloud/#/login or the login URL you plan to use).

    • IdP Certificate: Select the certificate created or chosen earlier in the Identity Provider setup.

    • Signing Algorithm for SAML Messages: Select the algorithm that matches what is configured under Advanced SAML Configuration in ThoughtSpot (for example, SHA-256).

  7. Click Save to complete the configuration.

  8. Click Manage.

  9. Scroll to Profiles, then click Manage Profile.

  10. Scroll down and choose System Administrator or any suitable role and save.

  11. Scroll down to Permission set and click on Manage permission set.

  12. Choose ThoughtSpot_Permission_Set and save.
