Just-in-time provisioning
ThoughtSpot can use the SSO process to create users and assign them to ThoughtSpot groups.
The capabilities are the same between SAML, OIDC, and trusted authentication methods, but the implementations of each are slightly different.
User creation
Just-in-time provisioning (JIT) allows creating a user if they do not already exist at the time of SSO sign-in.
Creating a new user requires the assertion to contain the username, email address, display name, groups, and, if your instance has Orgs, the Org details.
Users created via JIT provisioning are identical to users created manually or via the REST APIs, except that they have no password in ThoughtSpot; they cannot access ThoughtSpot other than through the SSO method. You can assign a password to any user later through the UI or a REST API call.
Group assignment
Users can be assigned to ThoughtSpot groups via JIT as well. The list of groups should be composed of `group_name` properties, rather than `display_name`.
- JIT group assignment is a full replacement of the user's set of groups.
- Groups that do not exist will be created during the provisioning process, but a ThoughtSpot group by default provides no access control or privileges. However, you can assign privileges to the new groups via REST API update requests.
- Groups created via JIT provisioning will have the same group name as the one used by the `ts_groups` property in any RLS rules.
JIT provisioning and authentication token generation via REST APIs
Both REST API V1 and V2 tokens support just-in-time provisioning of users.
REST API v2 (Recommended)
Both the `/api/rest/2.0/auth/token/full` and `/api/rest/2.0/auth/token/object` API endpoints allow getting an authentication token for the user being provisioned just-in-time.
- The `auto_create: true` parameter enables the token for the JIT provisioning of the user.
- The `display_name` and `email` parameters are also required for JIT user creation.
- If Orgs are enabled, specify the `org_id` parameter to direct ThoughtSpot to assign the user to the specified Org.
- Specify the `group_identifiers` parameter only if you want to enable JIT group assignment. Passing `group_identifiers: []` will set the user to be assigned to no groups, while excluding the `group_identifiers` parameter altogether will leave the user assigned to their existing set of groups.
For more information, see Just-in-time provisioning via REST v2 API.
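As an added example that is not part of the original page or ThoughtSpot's own code, the following Python builds the request body for `/api/rest/2.0/auth/token/full` with the JIT parameters described above and shows the three `group_identifiers` cases (parameter omitted, empty list, explicit list). The `username`, `secret_key` and `validity_time_in_sec` parameters and the `token` field in the response are taken from the trusted-authentication flow of the v2 token API rather than from this page, so check them against the API reference; the instance URL and secret key are placeholders. The request must be sent from the embedding application's server, never from the browser, because the secret key authorizes token issuance for any username.

```python
"""Build and optionally send a ThoughtSpot REST v2 token request that
provisions the user just-in-time (added example, not ThoughtSpot code)."""
import json
import urllib.request
from typing import Iterable, Optional

# Placeholders (assumed, not from the page): your instance URL and the
# trusted-authentication secret key, which must stay on the server side.
THOUGHTSPOT_URL = "https://thoughtspot.example.invalid"
TOKEN_ENDPOINT = "/api/rest/2.0/auth/token/full"


def build_jit_token_request(username: str, email: str, display_name: str,
                            secret_key: str, org_id: Optional[int] = None,
                            group_identifiers: Optional[Iterable[str]] = None,
                            validity_time_in_sec: int = 300) -> dict:
    """Return the JSON body for a JIT-provisioning token request.

    group_identifiers semantics follow the page: None -> parameter omitted,
    existing group membership untouched; [] -> user assigned to no groups;
    a list -> full replacement of the user's groups (group_name values).
    """
    # The page lists username, email and display_name as required for JIT
    # user creation, so reject requests that would fail at the API anyway.
    for name, value in (("username", username), ("email", email),
                        ("display_name", display_name)):
        if not value or not value.strip():
            raise ValueError(f"{name} is required for JIT user creation")

    body = {
        "username": username,
        "secret_key": secret_key,           # assumed parameter name
        "validity_time_in_sec": validity_time_in_sec,
        "auto_create": True,                # enables JIT creation
        "display_name": display_name,
        "email": email,
    }
    if org_id is not None:
        body["org_id"] = org_id             # only meaningful when Orgs is on
    if group_identifiers is not None:
        body["group_identifiers"] = list(group_identifiers)
    return body


def request_token(body: dict, base_url: str = THOUGHTSPOT_URL) -> str:
    """POST the body and return the token string (network call; server-side only)."""
    req = urllib.request.Request(
        base_url + TOKEN_ENDPOINT,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]    # response field name assumed


if __name__ == "__main__":
    # Constructed sample: replace the group with an existing group_name.
    sample = build_jit_token_request("alice", "alice@example.com", "Alice",
                                     secret_key="REPLACE_ME", org_id=0,
                                     group_identifiers=["finance-readers"])
    print(json.dumps({k: v for k, v in sample.items()
                      if k != "secret_key"}, indent=2))
```

The body is printed with the secret key redacted; in production the key belongs in a secret store and the token request should be logged without it.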
REST API v1
The `/tspublic/v1/session/auth/token` API endpoint can provision a new user by setting the `autocreate` property to `true`.
For more information, see Session API.
Org IDs
If the Orgs feature is enabled on your instance, you must specify the Org ID when creating a user. Org IDs are integers that are created automatically when a cluster administrator creates an Org. Administrators can get the Org IDs configured on a ThoughtSpot instance via the `/tspublic/v1/org/search` or `/api/rest/2.0/orgs/search` API endpoint.
To find the Org ID of your current Org, send a `GET` request to the `/tspublic/v1/session/orgs` API endpoint from within the browser.
For more information about Org APIs, see Org administration.
SAML SSO authentication
For SAML SSO users, you can enable SAML authentication and Automatically add SAML users to ThoughtSpot upon first authentication.
For information about how to map the `username`, `displayName`, `email`, and `orgId` properties from the IdP, see Configure the IdP server for SAML authentication.
For JIT group assignment to SAML SSO users and group mapping, contact ThoughtSpot Support.
OIDC authentication
OIDC SSO can be configured for JIT user creation, as the necessary properties should already be configured as part of the claims.
JIT group assignment can be enabled for OIDC via a support ticket.
Group privileges and access control via REST APIs
JIT provisioning of groups does not provide the full configuration of groups or assign access control. You can use the REST APIs to create, edit, and synchronize groups with the embedding application. For more information about group privileges, see user and group privileges.
REST API calls other than token requests must be performed using a ThoughtSpot user account with the appropriate level of administrative privileges. For example, you could use REST API v2.0 or the REST API v1 group endpoints to implement ThoughtSpot groups that are intended for use in Row Level Security (RLS) rules. For these groups, the group name must match exactly with a value in a column in the data warehouse, so the name of the group itself serves as a data entitlement. For more information, see Attribute-based access control.
Similarly, if Role-based access control (RBAC) is enabled on your instance, you must map role privileges to groups and then assign them to users.
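Because an RLS group only grants rows when its name matches the warehouse column value exactly, a sync job should check for near-miss names (case or whitespace differences) before creating groups, since such a group would exist but entitle nothing. The following Python is an added example, not ThoughtSpot's own tooling: it takes the distinct entitlement values from the warehouse column and the existing ThoughtSpot group names (both constructed here) and returns which groups to create and which existing names only match after normalization. Creating the groups through the REST group endpoints is left to the caller.

```python
"""Plan an RLS group sync: exact-match check between warehouse entitlement
values and ThoughtSpot group names (added example, not ThoughtSpot code)."""
from typing import Iterable, List, Tuple


def plan_rls_group_sync(entitlement_values: Iterable[str],
                        existing_group_names: Iterable[str]
                        ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (to_create, near_misses).

    to_create: entitlement values with no exactly matching group name.
    near_misses: (entitlement, existing_group) pairs that match only after
      stripping whitespace and case folding; these indicate a group that
      was created with a subtly wrong name and grants no rows.
    """
    wanted = set(entitlement_values)
    existing = set(existing_group_names)
    to_create = sorted(wanted - existing)

    # Index existing names by their normalized form to spot near misses.
    normalized = {}
    for group in existing:
        normalized.setdefault(group.strip().casefold(), []).append(group)

    near_misses = []
    for value in to_create:
        for group in normalized.get(value.strip().casefold(), []):
            near_misses.append((value, group))
    return to_create, near_misses


if __name__ == "__main__":
    # Constructed sample data: column values and current group names.
    column_values = ["EMEA", "APAC", "NA"]
    current_groups = ["emea ", "NA", "Sales"]
    create, warn = plan_rls_group_sync(column_values, current_groups)
    print("create:", create)
    for value, group in warn:
        print(f"warning: entitlement {value!r} nearly matches group {group!r}")
```

Run the plan, resolve every warning (rename or delete the near-miss group) before creating the missing groups, and treat a non-empty warning list as a failed sync rather than silently creating a second, correctly named group alongside the wrong one.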