Authentication flow with embed
You can enable Single Sign On (SSO) with your embedded version of ThoughtSpot.
If your ThoughtSpot system is configured for Security Assertion Markup Language (SAML) you can enable Single Sign On (SSO) for your embed application.
Place the JS API library in the <head>
section of the HTML on your Web page.
Ensure that the JS API script tag is the first script loaded in the page.
You can see examples of this
Authenticate when the window is initialized
Your web page needs to authenticate by calling window.thoughtspot.initialize
and waiting for the onInitializationCallback
to be called before embedding any ThoughtSpot visualizations or making any ThoughtSpot REST API calls.
The JS API call window.thoughtspot.initialize
can cause the entire Web page to be re-directed to your Identity Provider (IDP).
This order implies that you may not execute any of your application logic before window.thoughtspot.initialize
has called your callback.
Any redirection could interfere with your application logic.
So, don’t embed any static ThoughtSpot visualizations in your HTML.
In other words, you should generate the ThoughtSpot visualizations dynamically after window.thoughtspot.initialize
has called your callback.
The onAuthExpiration
is only available if you have at least one ThoughtSpot visualization iframe in your web page.
Example of code flow
-
To authenticate with SSO, download the ThoughtSpot JavaScript library; see Downloads for ThoughtSpot.
-
Include the library file in your web page’s
<head>
section:<head> <script type=”text/javascript” src=”<protocol><your.thoughtspot.domain>/js/api/api.min.js”> ... </head>
-
From your application code, authenticate to ThoughtSpot by calling to the
window.thoughtspot.initialize
method.For example:
<script type=”text/javascript”> thoughtspotHost = <hostname_or_ip_w/o_http> function setUpThoughtSpotAPI() { window.thoughtspot.initialize( function(isUserAuthenticatedToThoughtSpot) { if (isUserAuthenticatedToThoughtSpot) { // load an embedded ThoughtSpot visualization or // make a ThoughtSpot data API call } else { // the current user into your system is not authenticated // into your ThoughtSpot instance, case in any other way suitable // to your application logic. Do NOT call setUpThoughtSpotAPI again // here as that could create an infinite cycle. } }, function() { // the user got logged out from ThoughtSpot, possibly because // their session with ThoughtSpot expired, you can call setUpThoughtSpotAPI() // again to re-authenticate the user or handle this case in any other way // suitable to your application logic. }, thoughtspotHost ); } </script>
-
Work with ThoughtSpot support to enable CORS between your client application domain and the ThoughtSpot domain.
When this value is changed, the
nginx
service is restarted automatically to reflect the change.