ThoughtSpot provides two ways to authenticate users: Security Association Markup Language (SAML) and ThoughtSpot local accounts. ThoughtSpot recommends that you use SAML for authentication, since it is industry-standard and enables Single-Sign On (SSO) with your Identity Provider (IDP).

Identity and Access Management V2 Beta

ThoughtSpot supports a new, industry-standard cloud authentication method through Okta. With this feature, called Identity and Access Management V2 (IAM V2), ThoughtSpot powers its internal authentication with Okta, which is the industry-leading authentication platform. The change to Okta is internal and has no impact on customers. Local and SAML authentication are still the 2 ways to authenticate users. After ThoughtSpot enables IAM V2 feature by default, all user authentication will automatically use the internal Okta service. This feature set involves several external improvements to authentication, including security enhancements. This feature is in Beta and off by default. To enable it, contact ThoughtSpot Support. For more information, refer to Identity and Access Management V2. For more about Beta features, see ThoughtSpot Cloud release life cycle.

Use the following table to help you choose between local and SAML authentication.

  • Use SAML for single sign-on authentication.

  • Can redirect from ThoughtSpot to SAML logins.

  • Recommended for portal integration.


All users and groups must be known to ThoughtSpot. If you are using SAML and don’t create users in ThoughtSpot, a user is created when the user first logs in. However, this user is assigned to the All group and can only see content available for all users.

Groups are the primary way that security is managed. Groups are not automatically created. You can create groups and users manually, or you must automate the assignment from a source system. ThoughtSpot has public APIs that you can use to sync users and groups between source systems and your ThoughtSpot application.

Was this page helpful?