If your organization has a trusted authentication server, you can use it to authenticate users who request access to the embedded ThoughtSpot application. After authenticating a user, the trusted authenticator server obtains an authentication token from ThoughtSpot on the user’s behalf. This ensures that the user authentication persists across all subsequent user sessions.
For more information, see Configure security settings.
Trusted authentication workflow
The embed user authentication workflow with a trusted authentication service involves the following steps:
A user logs into the client application and requests access to an embedded ThoughtSpot component.
The client application sends a request for a user token to the trusted authenticator.
Your server application must determine the following:
if the requestor has authenticated with your server.
which user (`username`) is making the request.
what is being requested: an object, page, or the entire ThoughtSpot application.
whether the requesting `username` on the ThoughtSpot application.
The trusted authenticator server intercepts the request, authenticates the user, and requests a token from ThoughtSpot on the user’s behalf.
This POST request method includes the following attributes:
`formData` parameter containing the authentication token string provided by the ThoughtSpot application server.
`formData` parameter containing a string, which is the `username` of the ThoughtSpot user.
`formData` parameter containing one of
`formData` parameter containing the identifier of the embedded ThoughtSpot object. This is only required if you specified
ThoughtSpot verifies the authenticator server’s request and returns a user token.
The authenticator returns the user token to the client, which uses it to complete the user request.
The client application forwards the request and the user token to the ThoughtSpot application server.
The request URL includes the following attributes:
`username` of the user requesting access to ThoughtSpot.
String. The authentication token obtained for the user from the trusted authentication service.
String. The URL to which the user is redirected after successful authentication. The URL is fully encoded and includes the authentication token obtained for the user.
For example, if the user has requested access to a specific visualization on a pinboard, the redirect URL includes the domains to which the user is redirected, the auth token string obtained for the user, visualization ID, and pinboard ID.
https://<redirect-domain>/?authtoken=<user_auth_token>&embedApp=true&primaryNavHidden=true#/embed/viz/<pinboard_id>/<viz-id>
The request URL includes the `auth-token` attribute, whereas the redirect URL uses the `authtoken` attribute.
ThoughtSpot validates the token and returns the information that the authenticated user has requested.
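The authenticator-side checks and the redirect URL from the workflow above, as an added Python example that is not ThoughtSpot's own code. The form field names (`secret_key`, `username`, `access_level`, `id`), the access-level values, GUID-shaped object ids, and the reading of the fourth check as "the username exists on ThoughtSpot" are assumptions, since the page does not give them.

```python
import re
from urllib.parse import urlencode

# Assumed names: form fields, access-level values and GUID-shaped ids are not
# given on the page; check them against your ThoughtSpot API reference.
ACCESS_LEVELS = {"FULL", "REPORT_BOOK_VIEW"}
GUID = re.compile(r"[0-9a-fA-F-]{36}")


class Denied(Exception):
    """The authenticator refuses to request or forward a token."""


def token_request_form(session, access_level, object_id, secret_key, ts_users):
    """Run the server-side checks, then build the token POST form body."""
    username = session.get("username")  # identity comes from our own session,
    if not session.get("authenticated") or not username:  # never from client input
        raise Denied("requestor has not authenticated with this server")
    if access_level not in ACCESS_LEVELS:
        raise Denied("unknown access level")
    if username not in ts_users:  # assumed meaning of the fourth check
        raise Denied("no matching ThoughtSpot user")
    form = {"secret_key": secret_key, "username": username,
            "access_level": access_level}
    if access_level != "FULL":  # assumed: object id needed only for scoped access
        if not object_id or not GUID.fullmatch(object_id):
            raise Denied("object id missing or malformed")
        form["id"] = object_id
    return urlencode(form)  # sent server to server; the key never reaches the client


def redirect_url(domain, user_token, pinboard_id, viz_id, allowed_domains):
    """Build the redirect URL in the shape the page shows."""
    if domain not in allowed_domains:
        raise Denied("redirect domain is not allowlisted")
    if not (GUID.fullmatch(pinboard_id) and GUID.fullmatch(viz_id)):
        raise Denied("malformed pinboard or visualization id")
    query = urlencode({"authtoken": user_token, "embedApp": "true",
                       "primaryNavHidden": "true"})
    return f"https://{domain}/?{query}#/embed/viz/{pinboard_id}/{viz_id}"


if __name__ == "__main__":
    # Constructed sample values, not real identifiers or keys.
    pin, viz = "0" * 8 + "-0000-0000-0000-" + "0" * 12, "1" * 8 + "-1111-1111-1111-" + "1" * 12
    sess = {"authenticated": True, "username": "alice"}
    print(token_request_form(sess, "REPORT_BOOK_VIEW", pin, "constructed-key", {"alice"}))
    print(redirect_url("ts.example.com", "tok/en+1=", pin, viz, {"ts.example.com"}))
```

Because the username is read from the server's own session and the key is added only to the server-to-server form body, a client cannot request a token for another user or learn the key.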
The following illustration depicts the trusted authentication workflow:
Enable trusted authentication
You need ThoughtSpot admin privileges to enable trusted authentication.
Log in to ThoughtSpot.
Click the SpotDev tab.
Under Customizations, click Settings.
To enable trusted authentication, turn on the toggle.
An authentication token is generated.
Click the clipboard icon to copy the token.
The following example shows a ThoughtSpot-generated authentication token key.
This key is required for making API calls to get a token for ThoughtSpot users.
Store the key in a secure location.
Click Save Changes.
Disable trusted authentication
To disable trusted authentication, follow these steps:
Go to SpotDev > Customizations > Settings.
On the SpotDev Settings page, turn off the Trusted Authentication toggle.
A pop-up window appears and prompts you to confirm the disable action.
When you disable trusted authentication, your existing authentication token is no longer valid. You need to generate a new token by re-enabling trusted authentication.