Skip to content

Commit 7faa5e8

Browse files
committed
update SSO user note
1 parent 2c9b93a commit 7faa5e8

2 files changed

Lines changed: 45 additions & 1 deletion

File tree

modules/ROOT/pages/api-user-management.adoc

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -127,7 +127,31 @@ To update user details:
127127
* +++<a href="{{navprefix}}/restV2-playground?apiResourceId=http%2Fapi-endpoints%2Fusers%2Fupdate-user">POST /api/rest/2.0/users/{user_identifier}/update</a>+++ (Rest API v2)
128128
* xref:user-api.adoc#update-user[PUT /tspublic/v1/user/{userid}] (Rest API v1)
129129

130+
[NOTE]
131+
====
132+
Updating the username of an SSO user, `account_type` set to `SAML_USER` or `OIDC_USER`, requires changes in both the IdP and ThoughtSpot.
133+
134+
If you rename an SSO user through the REST API and that user then logs in through the IdP:
135+
136+
* If Just-in-Time (JIT) provisioning is enabled, ThoughtSpot creates a new duplicate account. The duplicate account does not inherit the original user's content, groups, or permissions.
137+
* If JIT provisioning is disabled, the user cannot log in.
138+
139+
To safely update the username of an SSO user:
130140
141+
. Update the username in your IdP.
142+
. Before the user logs in again, update the username in ThoughtSpot to match the new value using the REST API or Admin UI.
143+
144+
Both updates must be complete before the user's next SSO login.
145+
The order of the two steps can be reversed — you may update ThoughtSpot first and the IdP second — provided the user does not log in during the interval between the two changes.
146+
147+
For SSO users, ThoughtSpot derives email address and display name directly from the IdP. Update these attributes in your IdP only.
148+
ThoughtSpot automatically reflects the new values when the user next logs in through SSO.
149+
Do not use the REST API or the Admin UI to update the email address or display name of an SSO user.
150+
151+
152+
For users who authenticate directly with ThoughtSpot (not through an external IdP), you can update username, email address, and display name using the REST API or Admin UI.
153+
No IdP coordination is required for local users.
154+
====
131155

132156

133157
////

modules/ROOT/pages/configure-saml.adoc

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -119,7 +119,7 @@ Make a note of all of the redirects within the SAML workflow. Each server must b
119119
To configure SAML SSO authentication on the ThoughtSpot embedded instance, complete the following steps:
120120

121121
* xref:configure-saml.adoc#admin-portal[Enable SAML authentication on ThoughtSpot with IAMv1]
122-
* xref:configure-saml.adoc#IAMv2[Enable SAML authentication on ThoughtSpot with IAMv2] (Requires assistance from ThoughtSpot Support)
122+
* xref:configure-saml.adoc#IAMv2[Enable SAML authentication on ThoughtSpot with IAMv2]
123123
* xref:configure-saml.adoc#idp-config[Configure the IdP server for SAML authentication]
124124
* xref:configure-saml.adoc#auth-config-sdk[Enable SSO authentication in Visual Embed SDK]
125125
* xref:configure-saml.adoc#saml-redirect[Add SAML redirect domain to the allowed list in ThoughtSpot]
@@ -261,6 +261,26 @@ link:https://docs.thoughtspot.com/cloud/latest/saml-okta#_enable_saml_authentica
261261
You can map your SAML groups,or groups and Orgs from your IdP to your ThoughtSpot. This means that you do not have to manually recreate your groups and Orgs in ThoughtSpot if they are already present in your IdP.
262262
Refer to link:https://docs.thoughtspot.com/cloud/latest/saml-group-mapping[Configure SAML group mapping, window=_blank].
263263

264+
[#update-idp-cert-iamv2]
265+
=== Update your IdP certificate
266+
If your IdP certificate expires or is rotated, you can update it in the ThoughtSpot UI.
267+
ThoughtSpot IAMv2 supports self-serve certificate management — changes take effect immediately after you save.
268+
269+
To update your IdP certificate:
270+
271+
* Go to *Admin* > *User management* > *Authentication*
272+
* Navigate to your SAML connection and click the **More** menu image:./images/icon-more-10px.png[the more options menu] > *Edit*
273+
* In the *IDP provider certificate* field, replace the existing certificate with the new certificate file from your IdP.
274+
+
275+
[NOTE]
276+
====
277+
Download the raw certificate file from your IdP settings page.
278+
The accepted format is `PEM / .cer / .crt`.
279+
====
280+
* Click *Save*.
281+
282+
Your users can sign in using the updated certificate immediately.
283+
If users experience sign-in failures after a certificate rotation, verify that the certificate in ThoughtSpot matches the certificate currently active on your IdP.
264284

265285
[#idp-config]
266286
=== Configure the IdP server for SAML authentication

0 commit comments

Comments
 (0)