You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: modules/ROOT/pages/api-user-management.adoc
+24Lines changed: 24 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -128,7 +128,31 @@ To update user details:
128
128
* xref:user-api.adoc#update-user[PUT /tspublic/v1/user/{userid}] (Rest API v1)
129
129
130
130
131
+
[NOTE]
132
+
====
133
+
Updating the username of an SSO user, `account_type` set to `SAML_USER` or `OIDC_USER`, requires changes in both the IdP and ThoughtSpot.
134
+
135
+
If you rename an SSO user through the REST API and that user then logs in through the IdP:
136
+
137
+
* If Just-in-Time (JIT) provisioning is enabled, ThoughtSpot creates a new duplicate account. The duplicate account does not inherit the original user's content, groups, or permissions.
138
+
* If JIT provisioning is disabled, the user cannot log in.
139
+
140
+
To safely update the username of an SSO user:
131
141
142
+
. Update the username in your IdP.
143
+
. Before the user logs in again, update the username in ThoughtSpot to match the new value using the REST API or Admin UI.
144
+
145
+
Both updates must be complete before the user's next SSO login.
146
+
The order of the two steps can be reversed — you may update ThoughtSpot first and the IdP second — provided the user does not log in during the interval between the two changes.
147
+
148
+
For SSO users, ThoughtSpot derives email address and display name directly from the IdP. Update these attributes in your IdP only.
149
+
ThoughtSpot automatically reflects the new values when the user next logs in through SSO.
150
+
Do not use the REST API or the Admin UI to update the email address or display name of an SSO user.
151
+
152
+
153
+
For users who authenticate directly with ThoughtSpot (not through an external IdP), you can update username, email address, and display name using the REST API or Admin UI.
154
+
No IdP coordination is required for local users.
155
+
====
132
156
133
157
////
134
158
The IAMv2 users also have an additional user state, `SUSPENDED`. With this, the IAMv2 users do not require a password reset when transitioning between states such as `ACTIVE`, `EXPIRED`, or `INACTIVE`. It also supports seamless migration from IAMv1 to IAMv2 for embedded users.
You can map your SAML groups,or groups and Orgs from your IdP to your ThoughtSpot. This means that you do not have to manually recreate your groups and Orgs in ThoughtSpot if they are already present in your IdP.
262
262
Refer to link:https://docs.thoughtspot.com/cloud/latest/saml-group-mapping[Configure SAML group mapping, window=_blank].
263
263
264
+
[#update-idp-cert-iamv2]
265
+
=== #Update your IdP certificate#
266
+
If your IdP certificate expires or is rotated, you can update it in the ThoughtSpot UI.
267
+
ThoughtSpot IAMv2 supports self-serve certificate management — changes take effect immediately after you save.
268
+
269
+
To update your IdP certificate:
270
+
271
+
* Go to *Admin* > *User management* > *Authentication*
272
+
* Navigate to your SAML connection and click the **More** menu image:./images/icon-more-10px.png[the more options menu] > *Edit*
273
+
* In the *IDP provider certificate* field, replace the existing certificate with the new certificate file from your IdP.
274
+
+
275
+
[NOTE]
276
+
====
277
+
Download the raw certificate file from your IdP settings page.
278
+
The accepted format is `PEM / .cer / .crt`.
279
+
====
280
+
* Click *Save*.
281
+
282
+
Your users can sign in using the updated certificate immediately.
283
+
If users experience sign-in failures after a certificate rotation, verify that the certificate in ThoughtSpot matches the certificate currently active on your IdP.
264
284
265
285
[#idp-config]
266
286
=== Configure the IdP server for SAML authentication
0 commit comments