Authentication through SAML integration

You may have multiple groups of users who need to log in to ThoughtSpot but are managed by separate IDPs. You can configure SAML SSO login for more than one Identity Provider. You can only configure this using tscli.

SAML is an XML standard that allows secure exchange of user authentication and authorization data between trusted partners. It enables the following entities to exchange identity, authentication, and authorization information:

Both SP-initiated and IDP-initiated authentication workflows rely upon assertions that are exchanged between the SAML endpoints through a web browser.

Some of the most commonly used elements are:

A fully qualified and resolvable domain name for the ThoughtSpot service. For example, thoughtspot.thoughtspot-customer.com. If you do not have the DNS name, you can use the front-end IP address. However, using the DNS name instead of the IP address is a best practice.

Enter 443 in this box. This is the port of the server where your ThoughtSpot instance is running.

The unique key used by your Identity Provider(s) to identify the client. For example, urn:thoughtspot:callosum:saml, or https://ssoappname.sso-provider.com/ab12c3de4. This is also called the SP Entity ID.

The allowed skew time, after which the authentication response is rejected and sent back from the IDP. 86400 is a popular choice. The default is 3600.

The connection protocol for ThoughtSpot. For example, https.

[TSCLI only. For multiple IDP only, with --multi flag] Unique key to identify this IDP when using multiple identity providers. Cannot start with a period (.).

[TSCLI only. For multiple IDP only, with --multi flag] Specifies if this IDP should be the default. Type y to make this IDP the default, and n to make the next IDP you configure the default. When users log in to ThoughtSpot from the ThoughtSpot URL, the login screen takes them to the default IDP to log in. To use other, non-default IDPs that you configured with the --multi flag, users must log in to ThoughtSpot from the other IDP’s login page.

The absolute path to your Identity Providers' metadata file. This file is provided by your IDP(s). You need this file so that the configuration persists over upgrades. It is a best practice to set it up on persistent/HA storage (NAS volumes) or in the same absolute path on all nodes in the cluster. For example, idp-meta.xml. If your IDP(s) needs an Assertion Consumer Service URL to create the metadata file, use https://<hostname_or_IP>:443/callosum/v1/saml/SSO. Note that this URL is case-sensitive.

If your IDP(s) does not allow you to import the IDP metadata XML file, you must map values between ThoughtSpot and your IDP manually. This allows the ThoughtSpot system to automatically pick up certain attributes and subjects, such as a user’s email address, display name, and username. Map the username attribute value in your IDP(s) (userPrincipalName in Okta, for example) to NameId, map the email attribute value to mail, and optionally map the display name subject value to displayName. Attributes and subjects appear in separate sections of your SAML assertion. It is mandatory to fill out the mail field. If your company cannot meet this requirement, ThoughtSpot Support.

For additional support with the attribute and subject statements, refer to your IDP’s SAML documentation. ThoughtSpot supports SAML authentication framework with popular Identity Providers such as Okta, Azure Active Directory, PingFederate, Microsoft AD FS, and Onelogin. This is not an exhaustive list. To determine if ThoughtSpot supports your preferred IDP, talk to your ThoughtSpot contact.

Choose whether or not to add SAML users to ThoughtSpot when they first authenticate. If you choose 'yes', then new users will be automatically created in ThoughtSpot upon first successful SSO login. If you choose 'no', then SAML users will not be added in ThoughtSpot upon first successful SSO login. Instead, you must add users manually or through Active Directory.

If 'y', then ThoughtSpot local/internal users (including local administrative users) will still be authenticated outside the scope of SSO.

By default, ThoughtSpot sets your samlMaxAuthenticationAge to 18114400 (seconds). If you experience an unauthorized error when logging in via SAML, your AuthnInstant value may be set to a different, older value. To resolve this issue, find your AuthnInstant value in the IDP login assertion. Set the samlMaxAuthenticationAge to a value older than that value.

This is only one reason why you may receive an unauthorized error when logging in via SAML; if updating your samlMaxAuthenticationAge value does not resolve this issue, ThoughtSpot Support.

You can only configure this setting when configuring SAML using tscli.

To enable the IDP to recognize your host application and ThoughtSpot as a valid service provider, you must configure the IDP with required attributes and metadata. This includes the spring_saml_metadata.xml file that you downloaded in step 7 of Configure SAML using the Admin Console.

ThoughtSpot supports SAML authentication with several identity and access management providers, such as Okta, Azure Active Directory, PingFederate, Microsoft AD FS, Onelogin and so on. If you want to use one of these providers as your IDP, make sure you read the SAML configuration steps described in the Identity provider’s documentation site.

To determine if ThoughtSpot supports your preferred IDP, ThoughtSpot Support.

Complete your configuration of the IDP using the IDP’s SAML documentation. Upload or copy the contents of the spring_saml_metadata.xml to your IDP server. If you did not download the spring_saml_metadata.xml file, navigate to https://<your_ThoughtSpot_hostname-or-IP>/callosum/v1/saml/metadata. The file automatically downloads.

Refer to Configure SAML 2.0 for details on correct field mapping.

After you configure the IDP, open a Web browser and go to the ThoughtSpot login page. It should now show the Single Sign On option.

When configuring SAML 2.0, ensure that you map the SAML user attributes and subjects to appropriate fields. This allows the ThoughtSpot system to automatically pick up certain attributes and subjects, such as a user’s email address, display name, and username.

For example,

You must also map the email address of the user to the mail attribute. Optionally, map the display name you would like to use to the displayName subject.

Attributes and subjects appear in separate sections of your SAML assertion.

If your IDP does not allow you to import the IDP metadata XML file, you must map these values manually.