Configure Active Directory Federated Services
Learn how to configure Active Directory Federated Services (ADFS) to work with ThoughtSpot.
Prerequisites
Before you configure ADFS, complete these prerequisites.
-
Install ADFS 2.0. ThoughtSpot supports ADFS 3.0, but recommends ADFS 2.0.
-
Make sure you can run ADFS 2.0 Federation Server Configuration Wizard from the ADFS 2.0 Management Console.
-
Make sure that the DNS name of your Windows Server is available at your service provider (SP) and vice versa. You can do this by running the command
nslookup
in the command line on both machines, supplying the DNS of the other server. The syntax isnslookup [HOST] [SERVER]
. Replace HOST and SERVER with your specific information.$ nslookup [HOST] [SERVER]
ADFS 2.0 supports SAML 2.0 in IDP (Identity Provider) mode and can be easily integrated with the SAML Extension for both SSO (Single Sign-On) and SLO (Single Log Out).
Step 1: Initialize IDP metadata
-
Download the IDP metadata Download the ADFS 2.0 IDP metadata from the ADFS server. You can reference this file by its URL:
https://<adfsserver>/FederationMetadata/2007-06/FederationMetadata.xml
-
SSH into your cluster Log in to the Linux shell using SSH.
$ ssh admin@<cluster-IP>
-
Change directories to the SAML directory
$ cd /usr/local/scaligent/release/production/orion/tomcat/callosum/saml
-
Update the metadata Replace the contents of the file
idp-meta.xml
with the metadata of the IDP that you downloaded. Do not change the name of the file. -
Restart Tomcat Contact ThoughtSpot Support for help restarting ThoughtSpot’s Tomcat instance.
Step 2: Initialize the Service Provider metadata
1: Import metadata
-
Open the ADFS 2.0 Management Console.
-
Select
. -
Select Import data about the relying party from a file.
-
Upload the
metadata.xml
file that you downloaded from ThoughtSpot earlier. -
Select Next.
-
There may be a warning that some of the content of the metadata is not supported. You can safely ignore this warning.
-
2: Edit claim rules
-
In the Ready to Add Trust section, make sure that the tab endpoints contain multiple endpoint values.
-
If not, verify that your metadata was generated with the HTTPS protocol URLs.
-
-
Ensure that the Open the Edit Claim Rules dialog checkbox is checked.
-
Select Next.
-
Select Add Rule.
-
Choose Send LDAP Attributes as Claims.
-
Select Next.
-
For NameID enter the name of your claim rule.
-
For Attribute store, choose "Active Directory".
-
For LDAP Attribute, choose "SAM-Account-Name".
-
For Outgoing claim type, choose "Name ID".
-
If you are using ADFS 3.0, you might need to configure the Name ID as a Pass Through claim.
-
-
Finish the wizard.
-
Confirm that all information is correct in the claim rules window.
Step 3: Test your ADFS integration
After setting up the ADFS integration, make sure it works properly. To test your ADFS integration, go to the ThoughtSpot login page using a web browser and try to sign in with SAML.