Configure SAML group and Org mapping

Learn how to map your groups, or groups and Orgs in SAML to ThoughtSpot.

You can map your SAML groups, or groups and Orgs from your Identity Provider (IDP) to ThoughtSpot. This means that you do not have to manually recreate your groups and Orgs in ThoughtSpot, if they are already present in your IDP.

ThoughtSpot updates a user’s groups and Orgs when they sign in to ThoughtSpot using SAML. If you map your SAML groups and Orgs to ThoughtSpot groups and Orgs, ThoughtSpot does not update individual users' groups and Orgs until they sign in to ThoughtSpot using SAML.

If you configure SAML group, or group and Org mapping, your groups and Orgs in your IDP overrule your groups and Orgs in ThoughtSpot, except in the case of group and Org deletion. To delete a group or Org, you must delete it in ThoughtSpot, not in your IDP environment.

For example, if you add a user to the Sales group and create a new group called Marketing in ThoughtSpot, but do not add the user to the Sales group or create the Marketing group in your IDP, your IDP removes these changes when the affected users next sign in. However, if you delete a group called Sales in your IDP, the group still remains in ThoughtSpot.

Prerequisites

Before you can map SAML groups and Orgs, you must configure SAML authentication.

To configure SAML group and Org mapping, contact ThoughtSpot Support.

Configure your IDP SAML response

Configure your IDP to produce a SAML response with a <saml2:AttributeStatement>. This statement carries the group and Org attributes. It should look similar to the following:

<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestGroup01@Org1
    </saml2:AttributeValue>
    <saml2:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestGroup02@Org2
    </saml2:AttributeValue>
</saml2:Attribute>

Replace TestGroup01 and TestGroup02 with your own group information, and add as many Attribute Values as necessary.

Replace @Org1 and @Org2 with your own Org information to map groups and Orgs. Omit this to map only groups.

Contact ThoughtSpot Support to finish configuration

ThoughtSpot Support must finish configuration on the ThoughtSpot side. Contact ThoughtSpot Support, and ask them to enable group mapping from SAML assertions.