Configure SAML group mapping
Learn how to map your groups in SAML to your groups in ThoughtSpot.
You can map your SAML groups from your Identity Provider (IDP) to your ThoughtSpot groups. This means that you do not have to manually recreate your groups in ThoughtSpot, if they are already present in your IDP.
ThoughtSpot updates a user’s groups when they log into ThoughtSpot using SAML. If you map your SAML groups to ThoughtSpot groups, ThoughtSpot does not update individual users' groups until they log into ThoughtSpot using SAML.
If you configure SAML group mapping, your groups in your IDP overrule your groups in ThoughtSpot, except in the case of group deletion. To delete a group, you must delete it in ThoughtSpot, not in your IDP environment.
For example, if you add a user to the Sales group and create a new group called Marketing in ThoughtSpot, but do not add the user to the Sales group or create the Marketing group in your IDP, your IDP removes these changes when the affected users next log in. However, if you delete a group called Sales in your IDP, the group still remains in ThoughtSpot.
Before you can map SAML groups, you must configure SAML authentication.
Configure your IDP to produce a SAML response with a
This statement carries the group attributes.
It should look similar to the following:
<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestGroup01 </saml2:AttributeValue> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestGroup02 </saml2:AttributeValue> </saml2:Attribute>
TestGroup02 with your own group information, and add as many Attribute Values as necessary.
ThoughtSpot Support must finish configuration on the ThoughtSpot side. Contact ThoughtSpot Support, and ask them to enable group mapping from SAML assertions.