From 7fc28ab22657d659041bca182b35ca3143e89b24 Mon Sep 17 00:00:00 2001 From: Bryant Howell - ThoughtSpot <83678239+bryanthowell-ts@users.noreply.github.com> Date: Mon, 26 Jan 2026 12:20:36 -0600 Subject: [PATCH 1/3] Update orgs.adoc Added Per Org Subdomain section since it has come up multiple times recently with MCP Server and multi-IdP IAMV2 clusters --- modules/ROOT/pages/orgs.adoc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/modules/ROOT/pages/orgs.adoc b/modules/ROOT/pages/orgs.adoc index ad659fbad..ed30ef3b6 100644 --- a/modules/ROOT/pages/orgs.adoc +++ b/modules/ROOT/pages/orgs.adoc 
@@ -154,6 +154,23 @@ The Org ID will be passed in the URL depending on the placement of `{ts-query-pa * The `overrideOrgId` parameter may not work properly with trusted authentication (`AuthType.TrustedAuthToken`) or cookieless authentication (`AuthType.TrustedAuthTokenCookieless`), if `tokenAuthPerOrg` is already enabled on your ThoughtSpot instance. ==== +==== Per Org Subdomain + +[earlyAccess eaBackground]#Early Access# + +"Per Org Subdomain" can be requested to be enabled via a support ticket. Once this feature is turned on, every Org will automatically have a subdomain generated on the pattern: + + ..thoughtspot.cloud + +Per Org Subdomain is used for identifying a specific Org to a login process for users who belongs to multiple Orgs on the same instance, bypassing the Org selection UI. In particular, OIDC flows for MCP Server or instances with multiple IdPs per Org can be benefit from using Per Org Subdomain. + +Going to the the specific subdomain for an Org will trigger a redirect to the Org's configured IdP auto-redirect to IdP is configured for the cluster. Auto-redirect to SSO IdP is a separate cluster level config that must be requested via ticket to ThoughtSpot support. + +[NOTE] +==== +When using Per Org Subdomain, all org names need to be DNS friendly; otherwise, ThoughtSpot will throw errors. You should review your Org names prior to the request and make sure they don't have spaces or other strange characters. +==== + == Feature availability on a multi-tenant instance On an Orgs-enabled cluster, certain UI and API operations are allowed only at the cluster level. The following table lists the features and configuration operations allowed at the cluster or individual Org level. From 1e146b0b07b0be1488198028bf3f1efdc58611f7 Mon Sep 17 00:00:00 2001 
From: Bryant Howell - ThoughtSpot <83678239+bryanthowell-ts@users.noreply.github.com> Date: Mon, 26 Jan 2026 12:25:43 -0600 Subject: [PATCH 2/3] Update embed-authentication.adoc Added note and link about Per Org Subdomain --- modules/ROOT/pages/embed-authentication.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/ROOT/pages/embed-authentication.adoc b/modules/ROOT/pages/embed-authentication.adoc index ec2fdd8dc..d91ccc856 100644 --- a/modules/ROOT/pages/embed-authentication.adoc +++ b/modules/ROOT/pages/embed-authentication.adoc @@ -71,6 +71,11 @@ a| Do not use this method if you don’t want the SDK to redirect your entire ap * This authentication will fail if multifactor authentication (MFA) is enabled on your ThoughtSpot instance. Contact https://community.thoughtspot.com/customers/s/login/?ec=302&startURL=%2Fcustomers%2Fs%2Fcontactsupport[ThoughtSpot Support] for assistance. |===== +[NOTE] +==== +xref:orgs.adoc#per-org-subdomain[Per Org Subdomain] can be enabled to allow Orgs with different IdPs to be identified properly within the authentication flows triggered by the Visual Embed SDK. +==== + == User accounts Many ThoughtSpot features are tied to individual user accounts with a valid email address. xref:just-in-time-provisioning.adoc[Just-In-Time Provisioning] and user management REST APIs make it easy to create and update user accounts as part of the SSO process. From 6695b03c3ace8a199f2de307e51dbb49aec06659 Mon Sep 17 00:00:00 2001 From: Bryant Howell - ThoughtSpot <83678239+bryanthowell-ts@users.noreply.github.com> Date: Mon, 26 Jan 2026 12:29:24 -0600 Subject: [PATCH 3/3] Update mcp-integration.adoc Added note about Per Org Subdomain --- modules/ROOT/pages/mcp-integration.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/ROOT/pages/mcp-integration.adoc b/modules/ROOT/pages/mcp-integration.adoc index 6b877e5ae..f2502336c 100644 --- a/modules/ROOT/pages/mcp-integration.adoc +++ b/modules/ROOT/pages/mcp-integration.adoc 
@@ -72,6 +72,10 @@ To secure communication between the MCP client and the ThoughtSpot instance, adm * Client connection configuration: + MCP Server integration also requires configuration on the client side, typically via a config file, to include the MCP Server addresses, credentials, and other details. +[NOTE] +==== +xref:orgs.adoc#per-org-subdomain[Per Org Subdomain] can be enabled to allow Orgs with different IdPs to be identified properly within the authentication flows. Once enabled, use the appropriate URL with the Org subdomain within the MCP Server configuration to ensure all interactions happen within the context of the desired ThoughtSpot Org. +==== === How it works
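
Review bot: in PATCH 1/3 (orgs.adoc, new "Per Org Subdomain" section), the subdomain pattern line reads only `..thoughtspot.cloud`, so the reader cannot tell what goes in front of each dot. If placeholder names in angle brackets were intended, they appear to have been lost; put the pattern in a literal block or escape the brackets, and name each placeholder. In the same hunk, "will trigger a redirect to the Org's configured IdP auto-redirect to IdP is configured for the cluster" is missing a conjunction (presumably "if"), which hides that the redirect depends on a separate cluster-level setting. Please also fix "users who belongs", "can be benefit" and "the the". In the NOTE, replace "spaces or other strange characters" with the actual rule: a DNS label allows only letters, digits and hyphens, may not start or end with a hyphen, and is at most 63 characters. Since DNS names are case-insensitive, say whether Org names are used verbatim or normalized and what happens when two Org names map to the same label.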
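
Review bot: in PATCH 2/3 (embed-authentication.adoc), the xref target `orgs.adoc#per-org-subdomain` relies on an auto-generated ID for the heading `==== Per Org Subdomain` added in PATCH 1/3, which carries no explicit anchor. Add `[#per-org-subdomain]` above that heading so this link, and the identical one in PATCH 3/3, does not depend on the site's ID prefix and separator settings. The NOTE is also placed after the table's closing `|=====` and directly before `== User accounts`, so it is detached from the authentication method it qualifies; move it into the relevant table row or name the AuthType it applies to. "can be enabled" should say that the feature is Early Access and is turned on through a support ticket, as the orgs.adoc section states.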
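
Review bot: in PATCH 3/3 (mcp-integration.adoc), "use the appropriate URL with the Org subdomain within the MCP Server configuration" does not say which URL or which setting is meant. The hostname is what selects the Org's IdP and the Org context for the session, so point the reader to the pattern in orgs.adoc and state the expected host form explicitly; a wrong host here would authenticate against a different Org than intended. "Once enabled" should mention the Early Access and support-ticket prerequisite. The NOTE follows the list item "Client connection configuration:", which uses a `+` continuation; check the rendered page to confirm whether the note should attach to that item or stand after the list, and add a `+` or a blank line accordingly.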