Authentication flow with embed

You can enable Single Sign On (SSO) with your embedded version of ThoughtSpot.

If your ThoughtSpot system is configured for Security Assertion Markup Language (SAML) you can enable Single Sign On (SSO) for your embed application.

Place the JS API library in the <head> section of the HTML on your Web page. Ensure that the JS API script tag is the first script loaded in the page. You can see examples of this

Authenticate when the window is initialized

Your web page needs to authenticate by calling window.thoughtspot.initialize and waiting for the onInitializationCallback to be called before embedding any ThoughtSpot visualizations or making any ThoughtSpot REST API calls.

The JS API call window.thoughtspot.initialize can cause the entire Web page to be re-directed to your Identity Provider (IDP). This order implies that you may not execute any of your application logic before window.thoughtspot.initialize has called your callback.

Any redirection could interfere with your application logic. So, don’t embed any static ThoughtSpot visualizations in your HTML. In other words, you should generate the ThoughtSpot visualizations dynamically after window.thoughtspot.initialize has called your callback.

The onAuthExpiration is only available if you have at least one ThoughtSpot visualization iframe in your web page.

Example of code flow

To authenticate with SSO:

  1. Download the ThoughtSpot JavaScript library.

  2. Include the library file into your web page’s <head> section:

    <head>
    <script type=”text/javascript” src=”<protocol><your.thoughtspot.domain>/js/api/api.min.js”>
    ...
    </head>
  3. From your application code, authenticate to ThoughtSpot by calling to the window.thoughtspot.initialize method.

    For example:

     <script type=”text/javascript”>
         thoughtspotHost = <hostname_or_ip_w/o_http>
         function setUpThoughtSpotAPI() {
             window.thoughtspot.initialize(
                 function(isUserAuthenticatedToThoughtSpot) {
                        if (isUserAuthenticatedToThoughtSpot) {
                            // load an embedded ThoughtSpot visualization or
                            // make a ThoughtSpot data API call
                        } else {
                            // the current user into your system is not authenticated
                            // into your ThoughtSpot instance, case in any other way suitable
                            // to your application logic. Do NOT call setUpThoughtSpotAPI again
                            // here as that could create an infinite cycle.
                        }
                 },
                 function() {
                     // the user got logged out from ThoughtSpot, possibly because
                     // their session with ThoughtSpot expired, you can call setUpThoughtSpotAPI()
                     // again to re-authenticate the user or handle this case in any other way
                     // suitable to your application logic.
                 },
                 thoughtspotHost
             );
         }
     </script>
  4. Work with ThoughtSpot support to enable CORS between your client application domain and the ThoughtSpot domain.

    When this value is changed, the nginx service is restarted automatically to reflect the change.

Now, you’re ready to either embed a visualization or use the REST API to get data from ThoughtSpot and display it within your Web page or application.