Identity and Access Management V2

ThoughtSpot supports an industry-standard cloud authentication method through Okta. With this feature, ThoughtSpot powers its internal authentication with Okta, which is the industry-leading authentication platform. The change to Okta is internal and has no impact on customers. After ThoughtSpot enables this feature by default, all user authentication will automatically use the internal Okta service. This feature set involves several external improvements to authentication, including security enhancements.

We request that you update your Network/Firewall approved URL settings allowlist to include the following URLs:

You can now map certain Identity Provider (IDP) attributes from the ThoughtSpot Admin Console when configuring OIDC or SAML authentication. These attributes include the username, email, and display name. For more information, see Managing authentication with SAML using IAMv2 and Managing authentication with OIDC using IAMv2. After you configure OIDC or SAML authentication, only Okta interacts with your IDP. Your ThoughtSpot cluster does not directly interact with your IDP.

The users section of the Admin Console now supports account activation monitoring. If a user still needs to activate their account, administrators can see that information in the Users section and re-send their activation email. For more information, see Create, edit, or delete a user using IAMv2.

Local users now create their own password during activation. Administrators do not create the password prior to activation. For more information, see Activate your ThoughtSpot account using IAMv2.

Note that whenever you navigate to the login page for ThoughtSpot, you will temporarily see the following URL: This is an expected part of the IAMv2 login experience.

Refer to the following articles for detailed information on new or changed ThoughtSpot functionality with IAMv2:

Refer to the following articles for detailed information on ThoughtSpot functionality if you do NOT have IAMv2 enabled. Note that there is no account activation required for local users on clusters that do not have IAMv2 enabled.

Was this page helpful?