Configure SAML group mapping

Learn how to map your groups in SAML to your groups in ThoughtSpot.

You can map your SAML groups from your Identity Provider (IDP) to your ThoughtSpot groups. This means that you do not have to manually recreate your groups in ThoughtSpot, if they are already present in your IDP.

ThoughtSpot updates a user’s groups when they sign in to ThoughtSpot using SAML. If you map your SAML groups to ThoughtSpot groups, ThoughtSpot does not update individual users' groups until they sign in to ThoughtSpot using SAML.

If you configure SAML group mapping, your groups in your IDP overrule your groups in ThoughtSpot, except in the case of group deletion. To delete a group, you must delete it in ThoughtSpot, not in your IDP environment.

For example, if you add a user to the Sales group and create a new group called Marketing in ThoughtSpot, but do not add the user to the Sales group or create the Marketing group in your IDP, your IDP removes these changes when the affected users next sign in. However, if you delete a group called Sales in your IDP, the group still remains in ThoughtSpot.


Before you can map SAML groups, you must configure SAML authentication.

Configure your IDP SAML response

Configure your IDP to produce a SAML response with a <saml2:AttributeStatement>. This statement carries the group attributes. It should look similar to the following:

<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    xmlns:xsi="" xsi:type="xs:string">TestGroup01
    xmlns:xsi="" xsi:type="xs:string">TestGroup02

Replace TestGroup01 and TestGroup02 with your own group information, and add as many Attribute Values as necessary.

Contact ThoughtSpot Support to finish configuration

ThoughtSpot Support must finish configuration on the ThoughtSpot side. Contact ThoughtSpot Support, and ask them to enable group mapping from SAML assertions.