From da1f8636bf00cda60e773968e155c7f50fd5ef20 Mon Sep 17 00:00:00 2001 From: Rani Gangwar Date: Tue, 16 Jun 2026 02:45:52 +0530 Subject: [PATCH 1/3] SCAL-291968 --- modules/ROOT/pages/configure-saml.adoc | 22 +++++++++++++ .../ROOT/pages/just-in-time-provisioning.adoc | 8 +++++ modules/ROOT/pages/orgs.adoc | 14 ++++++++ modules/ROOT/pages/whats-new.adoc | 32 +++++++++++++++++++ 4 files changed, 76 insertions(+) diff --git a/modules/ROOT/pages/configure-saml.adoc b/modules/ROOT/pages/configure-saml.adoc index 9467a65d4..3991547b2 100644 --- a/modules/ROOT/pages/configure-saml.adoc +++ b/modules/ROOT/pages/configure-saml.adoc 
@@ -114,6 +114,28 @@ disableSAMLAutoRedirect=true Make a note of all of the redirects within the SAML workflow. Each server must be configured properly to allow the inbound and outbound portions of the SAML flow. If you encounter errors while configuring and testing, go to the *Network* tab of the browser's developer tools to see which server within the workflow is generating the error. ==== +[#per-org-idp-org-isolation] +=== Org isolation for per-org IdP authentication + +// SOURCE: SCAL-291968 — OIDCClient.java, OrgUtils.java, SecurityEventTypeEnum.java +When your ThoughtSpot cluster uses per-org IdP configuration — where each Org is bound to its own identity provider — ThoughtSpot enforces strict org isolation on all incoming SAML and OIDC group and org claims. + +==== How it works + +When a user authenticates through a per-org IdP, ThoughtSpot identifies the **authorized Org** associated with that IdP. It then evaluates every group and org claim in the assertion: + +* Claims that reference the authorized Org are accepted and processed normally. +* Claims that reference any other Org are **silently dropped**. They do not grant access to those Orgs, and they are not used for group provisioning in those Orgs. +* Group claims that carry no Org suffix are automatically scoped to the authorized Org. + +For example, if a user logs in through IdP-A, which is bound to Org X, a claim of `PowerUser@X` is accepted. A claim of `Admin@Y` is dropped. + +NOTE: Org isolation applies only to per-org IdP logins. Cluster-wide (single IdP) SSO configurations are not affected. + +==== Effect on existing org memberships + +Org isolation is non-destructive. If a user already has legitimate, manually-assigned membership in another Org — granted by a cluster administrator — that membership is preserved after a per-org IdP login. Per-org SAML or OIDC authentication cannot be used as a source of new access to Orgs outside the authorized Org. 
+ == Configuration steps To configure SAML SSO authentication on the ThoughtSpot embedded instance, complete the following steps: diff --git a/modules/ROOT/pages/just-in-time-provisioning.adoc b/modules/ROOT/pages/just-in-time-provisioning.adoc index a5e80275f..803214fb0 100644 --- a/modules/ROOT/pages/just-in-time-provisioning.adoc +++ b/modules/ROOT/pages/just-in-time-provisioning.adoc @@ -177,6 +177,14 @@ Due to the nature of assertions returned from an IdP, the JIT provisioning capab In general, the IdP assertion can create a user and add them to existing ThoughtSpot groups within existing ThoughtSpot Orgs. == SAML SSO authentication +[NOTE] +==== +// SOURCE: SCAL-291968 — OIDCClient.java, OrgUtils.java +*Per-org IdP claim filtering:* If your ThoughtSpot cluster uses per-org IdP configuration, ThoughtSpot automatically filters SAML and OIDC group and org claims at login time. Only claims that reference the Org bound to the authenticating IdP are used for JIT provisioning. Claims referencing other Orgs are dropped and logged as security audit events. This behavior ensures that a per-org IdP cannot be used to provision users into Orgs it is not authorized to manage. + +For more information, see xref:configure-saml.adoc#per-org-idp-org-isolation[Org isolation for per-org IdP authentication]. +==== + For SAML SSO users, you can link:https://docs.thoughtspot.com/cloud/latest/authentication-integration#_enable_saml_authentication[enable SAML authentication, window=_blank] and *Automatically add SAML users to ThoughtSpot upon first authentication*. For information about how to map `username`, `displayName`, `email`, and `orgId` properties from the IdP, see link:https://docs.thoughtspot.com/cloud/latest/authentication-integration#_configure_the_idp[Configure the IdP server for SAML authentication, window=_blank]. diff --git a/modules/ROOT/pages/orgs.adoc b/modules/ROOT/pages/orgs.adoc index d83d63f0b..8e49e6288 100644 --- a/modules/ROOT/pages/orgs.adoc 
+++ b/modules/ROOT/pages/orgs.adoc @@ -253,6 +253,20 @@ a|[tag greenBackground tick]#✓# |===== +[#per-org-sso-isolation] +=== SSO and Org isolation + +// SOURCE: SCAL-291968 — OIDCClient.java, SecurityEventTypeEnum.java, design doc 1R4P3Eup4-UQJAWxyoeHjGr87mzJGWIOvfPDyHQF6-cQ +ThoughtSpot supports SAML and OIDC group synchronization on multi-tenant clusters. When you use **per-org IdP configuration**, ThoughtSpot enforces strict org isolation on all incoming group and org claims to protect tenant boundaries. + +* Each Org can be bound to its own identity provider. +* When a user logs in via a per-org IdP, only claims that reference that IdP's authorized Org are honored. Claims referencing other Orgs are dropped. +* Dropped claims are recorded as security audit events +//(`OIDC_CROSS_ORG_CLAIM_DROPPED`, `SAML_CROSS_ORG_CLAIM_DROPPED`). +* Existing manually-assigned org memberships are not removed by a per-org IdP login. + +For more information, see xref:configure-saml.adoc#per-org-idp-org-isolation[Org isolation for per-org IdP authentication]. + == Authentication considerations for embedded apps //// diff --git a/modules/ROOT/pages/whats-new.adoc b/modules/ROOT/pages/whats-new.adoc index 6320f0913..2f2ee6174 100644 --- a/modules/ROOT/pages/whats-new.adoc +++ b/modules/ROOT/pages/whats-new.adoc 
@@ -23,6 +23,38 @@ This page lists new features, enhancements, and deprecated functionality introdu // *Affects:* Developers, Administrators, End Users // ============================================================ +== June 2026 + +**Release version**: ThoughtSpot Cloud 26.7.0.cl + +*Upgrade notes*: No breaking changes. + +*Recommended SDK versions*: Visual Embed SDK v1.50.0 and later + +[.cl-table, cols="2,4", frame=none, grid=none] +|===== +a| +[.cl-label] +*Version 26.7.0.cl* + +a| +[discrete] +==== Org isolation for per-org SAML and OIDC authentication +ThoughtSpot now enforces strict org isolation when users authenticate through a per-org identity provider (IdP). When a per-org IdP sends SAML or OIDC group claims that reference Orgs outside its authorized scope, ThoughtSpot silently drops those claims and records them as security audit events. This prevents a rogue IdP administrator in one Org from using group assertions to gain unauthorized access to another Org. Existing manually-assigned org memberships are unaffected. + +--- + +[discrete] +==== Visual Embed SDK +The Visual Embed SDK version 1.49.0 includes several new features and enhancements. For more information, see the xref:api-changelog.adoc[Visual Embed changelog]. + +--- + +[discrete] +==== REST API v2 +This release introduces new API endpoints for Spotter, connections and trusted authentication. For information about REST API v2 enhancements, see the xref:rest-apiv2-changelog.adoc[REST API v2.0 changelog]. + +|===== + + == June 2026 **Release version**: ThoughtSpot Cloud 26.6.0.cl + From 145ec213caa613a5969be5e9fa713afb589c24a9 Mon Sep 17 00:00:00 2001 From: Rani Gangwar Date: Tue, 16 Jun 2026 03:08:55 +0530 Subject: [PATCH 2/3] SCAL-291968 --- modules/ROOT/pages/configure-saml.adoc | 2 +- modules/ROOT/pages/just-in-time-provisioning.adoc | 2 +- modules/ROOT/pages/orgs.adoc | 2 +- modules/ROOT/pages/whats-new.adoc | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/modules/ROOT/pages/configure-saml.adoc b/modules/ROOT/pages/configure-saml.adoc index 3991547b2..d17a5eb8f 100644 --- a/modules/ROOT/pages/configure-saml.adoc +++ b/modules/ROOT/pages/configure-saml.adoc @@ -115,7 +115,7 @@ Make a note of all of the redirects within the SAML workflow. Each server must b ==== [#per-org-idp-org-isolation] -=== Org isolation for per-org IdP authentication +=== #Org isolation for per-org IdP authentication# // SOURCE: SCAL-291968 — OIDCClient.java, OrgUtils.java, SecurityEventTypeEnum.java When your ThoughtSpot cluster uses per-org IdP configuration — where each Org is bound to its own identity provider — ThoughtSpot enforces strict org isolation on all incoming SAML and OIDC group and org claims. diff --git a/modules/ROOT/pages/just-in-time-provisioning.adoc b/modules/ROOT/pages/just-in-time-provisioning.adoc index 803214fb0..cc0a364fc 100644 --- a/modules/ROOT/pages/just-in-time-provisioning.adoc +++ b/modules/ROOT/pages/just-in-time-provisioning.adoc 
@@ -180,7 +180,7 @@ In general, the IdP assertion can create a user and add them to existing Thought [NOTE] ==== // SOURCE: SCAL-291968 — OIDCClient.java, OrgUtils.java -*Per-org IdP claim filtering:* If your ThoughtSpot cluster uses per-org IdP configuration, ThoughtSpot automatically filters SAML and OIDC group and org claims at login time. Only claims that reference the Org bound to the authenticating IdP are used for JIT provisioning. Claims referencing other Orgs are dropped and logged as security audit events. This behavior ensures that a per-org IdP cannot be used to provision users into Orgs it is not authorized to manage. +*#Per-org IdP claim filtering:#* If your ThoughtSpot cluster uses per-org IdP configuration, ThoughtSpot automatically filters SAML and OIDC group and org claims at login time. Only claims that reference the Org bound to the authenticating IdP are used for JIT provisioning. Claims referencing other Orgs are dropped and logged as security audit events. This behavior ensures that a per-org IdP cannot be used to provision users into Orgs it is not authorized to manage. For more information, see xref:configure-saml.adoc#per-org-idp-org-isolation[Org isolation for per-org IdP authentication]. ==== diff --git a/modules/ROOT/pages/orgs.adoc b/modules/ROOT/pages/orgs.adoc index 8e49e6288..b417aa0c7 100644 --- a/modules/ROOT/pages/orgs.adoc +++ b/modules/ROOT/pages/orgs.adoc @@ -254,7 +254,7 @@ a|[tag greenBackground tick]#✓# |===== [#per-org-sso-isolation] -=== SSO and Org isolation +=== #SSO and Org isolation# // SOURCE: SCAL-291968 — OIDCClient.java, SecurityEventTypeEnum.java, design doc 1R4P3Eup4-UQJAWxyoeHjGr87mzJGWIOvfPDyHQF6-cQ ThoughtSpot supports SAML and OIDC group synchronization on multi-tenant clusters. When you use **per-org IdP configuration**, ThoughtSpot enforces strict org isolation on all incoming group and org claims to protect tenant boundaries. 
diff --git a/modules/ROOT/pages/whats-new.adoc b/modules/ROOT/pages/whats-new.adoc index 2f2ee6174..301cdc99b 100644 --- a/modules/ROOT/pages/whats-new.adoc +++ b/modules/ROOT/pages/whats-new.adoc @@ -37,7 +37,7 @@ a| a| [discrete] -==== Org isolation for per-org SAML and OIDC authentication +==== #Org isolation for per-org SAML and OIDC authentication# ThoughtSpot now enforces strict org isolation when users authenticate through a per-org identity provider (IdP). When a per-org IdP sends SAML or OIDC group claims that reference Orgs outside its authorized scope, ThoughtSpot silently drops those claims and records them as security audit events. This prevents a rogue IdP administrator in one Org from using group assertions to gain unauthorized access to another Org. Existing manually-assigned org memberships are unaffected. --- From 9f2474fc53d1e386525f4a6a445de0b0c62fb9ac Mon Sep 17 00:00:00 2001 From: Rani Gangwar Date: Tue, 16 Jun 2026 12:57:03 +0530 Subject: [PATCH 3/3] typos --- modules/ROOT/pages/configure-saml.adoc | 2 +- modules/ROOT/pages/just-in-time-provisioning.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/configure-saml.adoc b/modules/ROOT/pages/configure-saml.adoc index d17a5eb8f..e1965d2c4 100644 --- a/modules/ROOT/pages/configure-saml.adoc +++ b/modules/ROOT/pages/configure-saml.adoc @@ -284,7 +284,7 @@ You can map your SAML groups,or groups and Orgs from your IdP to your ThoughtSpo Refer to link:https://docs.thoughtspot.com/cloud/latest/saml-group-mapping[Configure SAML group mapping, window=_blank]. [#update-idp-cert-iamv2] -=== #Update your IdP certificate# +=== Update your IdP certificate If your IdP certificate expires or is rotated, you can update it in the ThoughtSpot UI. ThoughtSpot IAMv2 supports self-serve certificate management — changes take effect immediately after you save. 
diff --git a/modules/ROOT/pages/just-in-time-provisioning.adoc b/modules/ROOT/pages/just-in-time-provisioning.adoc index cc0a364fc..822bc6ea8 100644 --- a/modules/ROOT/pages/just-in-time-provisioning.adoc +++ b/modules/ROOT/pages/just-in-time-provisioning.adoc @@ -180,7 +180,7 @@ In general, the IdP assertion can create a user and add them to existing Thought [NOTE] ==== // SOURCE: SCAL-291968 — OIDCClient.java, OrgUtils.java -*#Per-org IdP claim filtering:#* If your ThoughtSpot cluster uses per-org IdP configuration, ThoughtSpot automatically filters SAML and OIDC group and org claims at login time. Only claims that reference the Org bound to the authenticating IdP are used for JIT provisioning. Claims referencing other Orgs are dropped and logged as security audit events. This behavior ensures that a per-org IdP cannot be used to provision users into Orgs it is not authorized to manage. +#If your ThoughtSpot cluster uses per-org IdP configuration, ThoughtSpot automatically filters SAML and OIDC group and org claims at login time. Only claims that reference the Org bound to the authenticating IdP are used for JIT provisioning. Claims referencing other Orgs are dropped and logged as security audit events. This behavior ensures that a per-org IdP cannot be used to provision users into Orgs it is not authorized to manage.# For more information, see xref:configure-saml.adoc#per-org-idp-org-isolation[Org isolation for per-org IdP authentication]. ====
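Review bot: In the configure-saml.adoc hunk of PATCH 1/3, the new section says cross-org claims are "silently dropped", while the just-in-time-provisioning.adoc and orgs.adoc hunks in the same patch say dropped claims are "logged as security audit events". The two statements read as contradictory to an administrator deciding where to look for evidence of a misconfigured IdP; suggest changing the configure-saml.adoc bullet to "Claims that reference any other Org are dropped and recorded as security audit events." and keeping the three pages aligned. The same hunk also introduces the `PowerUser@X` / `Admin@Y` suffix form and the rule that "Group claims that carry no Org suffix are automatically scoped to the authorized Org" without pointing at where that claim format is defined; an xref to the group-mapping page referenced later in the file ("Configure SAML group mapping") would close that gap. Finally, the `// SOURCE: SCAL-291968 — OIDCClient.java, OrgUtils.java, SecurityEventTypeEnum.java` comment is an internal engineering reference that should not remain in a published docs source file.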
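Review bot: In the orgs.adoc hunk of PATCH 1/3, the bullet "Dropped claims are recorded as security audit events" has no terminating period and is immediately followed by a commented-out line `//(`OIDC_CROSS_ORG_CLAIM_DROPPED`, `SAML_CROSS_ORG_CLAIM_DROPPED`)`. Either the event type names are meant to be published, in which case un-comment them so administrators can alert on those audit events, or they are not, in which case delete the line rather than leaving hidden identifiers in the source. The `// SOURCE:` line in this hunk also cites an internal design-document ID, which should be removed before merge for the same reason as the other SOURCE comments.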
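Review bot: In the whats-new.adoc hunk of PATCH 1/3, the inserted `== June 2026` section sits directly above the existing `== June 2026` section for 26.6.0.cl (visible in the trailing context), so the page ends up with two top-level sections carrying the same heading; one of the two needs a distinguishing heading or the new 26.7.0.cl entry should be folded into the existing month. Within the new entry, "*Recommended SDK versions*: Visual Embed SDK v1.50.0 and later" conflicts with the Visual Embed SDK note two rows down, "The Visual Embed SDK version 1.49.0 includes several new features and enhancements"; confirm which version ships with 26.7.0.cl and use it in both places. The Org-isolation paragraph here again says ThoughtSpot "silently drops those claims and records them as security audit events", which is self-contradictory in a single sentence; "drops those claims and records them as security audit events" says what is meant.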
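Review bot: PATCH 2/3 wraps three new headings and one bold label in AsciiDoc `#...#` highlight marks (for example `=== #Org isolation for per-org IdP authentication#` in configure-saml.adoc and `==== #Org isolation for per-org SAML and OIDC authentication#` in whats-new.adoc), and PATCH 3/3 then strips the same mark from `=== #Update your IdP certificate#` under the commit message "typos". If the highlight is a review-time marker for new content, it should be removed from all four locations before merge, not only the one heading touched in PATCH 3/3; if it is intended to render, the inconsistency between the headings that keep it and the one that loses it needs an explanation in the commit message.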
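Review bot: In the just-in-time-provisioning.adoc hunk of PATCH 3/3, the replacement line drops the bold lead label `*Per-org IdP claim filtering:*` entirely and instead wraps the whole paragraph in `#...#`. The label is what tells a reader skimming the JIT page what the NOTE admonition is about, and a full-paragraph highlight is not a typo fix; suggest restoring the label as `*Per-org IdP claim filtering:*` and removing the surrounding `#` marks, consistent with how the same heading-mark cleanup was done for "Update your IdP certificate" in the configure-saml.adoc hunk of this patch.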