ThoughtSpot provides LDAP/AD, SAML, and ThoughtSpot login to authenticate users.

ThoughtSpot provides three ways to authenticate users: LDAP/AD, SAML, and ThoughtSpot login. If possible, ThoughtSpot recommends that you use LDAP/AD or SAML.

Determine which authentication method works best for your use case.

Use the following list to help you choose an authentication option.


  • Use SAML for single sign-on authentication.

  • Can redirect from ThoughtSpot to SAML logins.

  • Recommended for portal integration.

  • Option to sync users and groups if stored in LDAP/AD.

See how to Configure SAML.


  • Configuration.

  • Users authenticate against LDAP or AD.

  • Option to sync users and groups with ThoughtSpot to manage group membership.

Read about LDAP integration.


  • User created and managed in ThoughtSpot.

  • Password strength control

  • No other enterprise password control: expiration, failed logins, and so on.

  • Only recommended when SAML and LDAP are not options.

All users and groups must be known to ThoughtSpot. If you are using LDAP/AD or SAML and don’t create users in ThoughtSpot, a user is created when the user first logs in. However, this user is assigned to the All group and can only see content available for all users.

Groups are the primary way that security is managed. Groups are not automatically created. You can create groups and users manually, or you must automate the assignment from a source system. ThoughtSpot has an assignment script that works with most LDAP / AD stores. It also has public APIs that you can use to sync users and groups between source systems and your ThoughtSpot appliance.

Was this page helpful?