Learn how to map your groups in SAML to your groups in ThoughtSpot.

You can map your SAML groups from your Identity Provider (IDP) to your ThoughtSpot groups. This means that you do not have to manually recreate your groups in ThoughtSpot, if they are already present in your IDP.

ThoughtSpot updates a user’s groups when they log into ThoughtSpot using SAML. If you map your SAML groups to ThoughtSpot groups, ThoughtSpot does not update individual users’ groups until they log into ThoughtSpot using SAML.

Note: If you configure SAML group mapping, your groups in your IDP overrule your groups in ThoughtSpot. For example, if you add a user to the Sales group and create a new group called Marketing in ThoughtSpot, but do not add the user to the Sales group or create the Marketing group in your IDP, your IDP removes these changes when the affected users next log in.

Prerequisites

Before you can map SAML groups, you must configure SAML authentication.

Configure your IDP SAML response

Configure your IDP to produce a SAML response with a <saml2:AttributeStatement>. This statement carries the group attributes. It should look similar to the following:

<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestGroup01
    </saml2:AttributeValue>
    <saml2:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestGroup02
    </saml2:AttributeValue>
</saml2:Attribute>

Replace TestGroup01 and TestGroup02 with your own group information, and add as many Attribute Values as necessary.

Contact ThoughtSpot Support to finish configuration

ThoughtSpot Support must finish configuration on the ThoughtSpot side. Contact ThoughtSpot Support, and ask them to enable group mapping from SAML assertions.