Authentication and security
You can configure security settings and authentication methods for an embedded ThoughtSpot instance.
To allow your application users to access the embedded ThoughtSpot content, make sure you configure security settings for Cross-Origin Resource Sharing (CORS) and Content Security Policy (CSP).
To authenticate and authorize embed users, you must also configure an authentication method in ThoughtSpot.
- Developer access
To enable access to the Developer Portal, you must create a user group with the Developer privilege and assign developer users to this group. Users with the Developer privilege can access the Develop tab in the ThoughtSpot UI. For more information, see Developer access.
- SAML SSO authentication
If you plan to use an external directory service for authenticating your application users, you need to enable SAML authentication on ThoughtSpot and add SAML redirect domains to the allowed list.
- Trusted authentication
If you plan to use a token-based authentication service to transmit administrative information for the purpose of authenticating user sessions, you must enable trusted authentication on ThoughtSpot. See the ThoughtSpot subscription agreement.
- OpenID Connect authentication
If your app supports the OAuth 2.0 protocol and requires the OpenID Connect (OIDC) authentication framework on embedded instances, enable OIDC authentication support on ThoughtSpot and in the Visual Embed SDK.
- Security settings
To allow your application users to access the embedded content from web browsers, you must set your application as a trusted host by adding your application domain and the URL endpoints to the CORS and CSP allowed lists.
- Custom domain configuration
To control user access to ThoughtSpot application workflows and data, you can use ThoughtSpot features such as group privileges, object sharing, row-level security (RLS), and column-level security (CLS), and you can disable or hide menu actions with the Visual Embed SDK.
For more information, see Access control and data security.