Identity and Access Management V2

ThoughtSpot supports an industry-standard cloud authentication method through Okta. With this feature, ThoughtSpot powers its internal authentication with Okta, which is the industry-leading authentication platform. The change to Okta is internal and has no impact on customers. After ThoughtSpot enables this feature by default, all user authentication will automatically use the internal Okta service. This feature set involves several external improvements to authentication, including security enhancements.

IAMv2 is off by default. If you are using Multi-tenancy with Orgs, we do not currently support using IAMv2.

We request that you update your Network/Firewall approved URL settings allowlist to include the following URLs: * For US: https://identity.thoughtspotlogin.cloud * For EU/APAC: https://identity-eu.thoughtspotlogin.cloud * Global: https://identity.dataplane-public.thoughtspot.cloud As a quick validation for accessibility to the global URL mentioned above, please try browsing our validate cluster: validate-iamv2.thoughtspot.cloud. In the ThoughtSpot Login page that appears, please enter any credentials, which should result in a failure page. If you get this error, then you have access to the necessary URLs.

You can now map certain Identity Provider (IDP) attributes from the ThoughtSpot Admin Console when configuring SAML authentication. These attributes include the username, email, and display name. For more information, see Managing authentication with SAML using IAMv2. After you configure SAML authentication, only Okta interacts with your IDP. Your ThoughtSpot cluster does not directly interact with your IDP.

The users section of the Admin Console now supports account activation monitoring. If a user still needs to activate their account, administrators can see that information in the Users section and re-send their activation email.

Local users now create their own password during activation. Administrators do not create the password prior to activation.

Note that whenever you navigate to the login page for ThoughtSpot, you will temporarily see the following URL: identity.thoughtspot.com. This is an expected part of the IAMv2 login experience.

Refer to the following articles for detailed information on new or changed ThoughtSpot functionality with IAMv2:

Refer to the following articles for detailed information on ThoughtSpot functionality if you do NOT have IAMv2 enabled. Note that there is no account activation required for local users on clusters that do not have IAMv2 enabled.


Was this page helpful?