Enable ThoughtSpot provisioning

Enable provisioning for your ThoughtSpot instance to integrate with Okta.

Prerequisites

  • You must have a ThoughtSpot admin account assigned both ADMINISTRATION and USER_ADMINISTRATION privileges.

  • ThoughtSpot admins can assign granular privileges using Role-Based Access Control (RBAC). Use administration privileges to view or manage users, groups, and roles when you operate without RBAC. Implement RBAC to apply granular privileges and restrict app-wide access to super admin users only.

  • The ThoughtSpot subdomain URL, formatted as https://<your-app>.ThoughtSpot.cloud, is required for validation within Okta.

  • Gather the following authentication credentials:

    • Username: Unique identifier used to sign in to your ThoughtSpot Cloud instance or Org at https://<your-app>.ThoughtSpot.cloud.

    • Secret Key: Necessary for trusted authentication, enabling your app to request tokens on behalf of users without their ThoughtSpot passwords. For details on generating a secret key, see the Generate a Secret Key section.

Generate a Secret Key

  1. Sign in to ThoughtSpot.

  2. If Orgs are configured on your instance, switch to the desired Org.

    If the per-Org secret key feature isn't enabled on your instance, or if you want to generate a separate secret key for each Org, contact ThoughtSpot support.

  3. Go to Develop > Customizations > Security settings.

  4. Click Edit.

  5. Turn on the Trusted authentication toggle.

  6. To copy the secret key, click Edit, go to Trusted authentication, and click the copy to clipboard icon. This example shows a ThoughtSpot-generated secret key string: b0cb26a0-351e-40b4-9e42-00fa2265d50c

  7. Store the key securely.

  8. Click Save Changes.

Trusted Authentication and Secret Key Management

  • To request a token on behalf of another user, you need admin privileges and access to the secret_key. This allows you to securely pass the authentication details of an embedded app user.
  • To generate a new secret key, disable and then re-enable the trusted authentication setting.

Start this task

  1. In the Admin Console, go to Applications > Applications.

  2. Search for and select the ThoughtSpot app integration.
  3. On the General tab, enter the Application label and click Done.
  4. Click the Provisioning tab, click Configure API Integration, and select Enable API integration.
  5. Enter the Subdomain, Username, and Secret Key.
  6. Click Test API Credentials.
  7. After ThoughtSpot is successfully verified, click Save.
  8. Select To App under Settings. Click Edit, and then select the required provisioning features.
  9. Enable Sync Password. For details on synchronizing Okta passwords or random passwords to provisioning-enabled apps, see Application password synchronization.
  10. Click Save.

Related topics

ThoughtSpot supported features