Identity and Access Management V2
ThoughtSpot supports an industry-standard cloud authentication method through Okta. With this feature, ThoughtSpot powers its internal authentication with Okta, which is the industry-leading authentication platform. The change to Okta is internal and has no impact on customers. After ThoughtSpot enables this feature by default, all user authentication will automatically use the internal Okta service. This feature set involves several external improvements to authentication, including security enhancements.
|IAMv2 is off by default. If you are using Multi-tenancy with Orgs, we do not currently support using IAMv2.|
We request that you update your Network/Firewall approved URL settings allowlist to include the following URLs:
* For US: https://identity.thoughtspotlogin.cloud
* For EU/APAC: https://identity-eu.thoughtspotlogin.cloud
* Global: https://identity.dataplane-public.thoughtspot.cloud
As a quick validation for accessibility to the global URL mentioned above, please try browsing our validate cluster:
You can now map certain Identity Provider (IDP) attributes from the ThoughtSpot Admin Console when configuring SAML authentication. These attributes include the username, email, and display name. For more information, see Managing authentication with SAML using IAMv2. After you configure SAML authentication, only Okta interacts with your IDP. Your ThoughtSpot cluster does not directly interact with your IDP.
The users section of the Admin Console now supports account activation monitoring. If a user still needs to activate their account, administrators can see that information in the Users section and re-send their activation email. For more information, see Create, edit, or delete a user using IAMv2.
Local users now create their own password during activation. Administrators do not create the password prior to activation. For more information, see Activate your ThoughtSpot account using IAMv2.
Note that whenever you navigate to the login page for ThoughtSpot, you will temporarily see the following URL:
identity.thoughtspot.com. This is an expected part of the IAMv2 login experience.
Refer to the following articles for detailed information on new or changed ThoughtSpot functionality with IAMv2:
Managing authentication with SAML using IAMv2: If the SAML section of the Admin Console is called SAML integration, your company is using IAMv2.
Create, edit, or delete a user using IAMv2: If the Users section of the Admin Console contains an Account Activation column, your company is using IAMv2.
Account activation using IAMv2: If your activation email subject line is "Activate your ThoughtSpot account," your company is using IAMv2.
Refer to the following articles for detailed information on ThoughtSpot functionality if you do NOT have IAMv2 enabled. Note that there is no account activation required for local users on clusters that do not have IAMv2 enabled.
Managing authentication with SAML: If the SAML section of the Admin Console is called Authentication: SAML, your company is not using IAMv2.
Create, edit, or delete a user in a single-tenant environment: If the Users section of the Admin Console does not contain an Account Activation column, your company is not using IAMv2.