You can map your SAML groups from your Identity Provider (IDP) to your ThoughtSpot groups. This means that you do not have to manually recreate your groups in ThoughtSpot, if they are already present in your IDP.
ThoughtSpot updates a user’s groups when they log into ThoughtSpot using SAML. If you map your SAML groups to ThoughtSpot groups, ThoughtSpot does not update individual users’ groups until they log into ThoughtSpot using SAML.
Prerequisites
Before you can map SAML groups, you must configure SAML authentication.
Configure your IDP SAML response
Configure your IDP to produce a SAML response with a <saml2:AttributeStatement>
. This statement carries the group attributes. It should look similar to the following:
<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestGroup01
</saml2:AttributeValue>
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestGroup02
</saml2:AttributeValue>
</saml2:Attribute>
Replace TestGroup01
and TestGroup02
with your own group information, and add as many Attribute Values as necessary.
Contact ThoughtSpot Support to finish configuration
ThoughtSpot Support must finish configuration on the ThoughtSpot side. Contact ThoughtSpot Support, and ask them to enable group mapping from SAML assertions.