Transaction Test SSO Support

ThousandEyes browser synthetics tests can support some forms of SSO Authentication, including Security Assertion Markup Language (SAML), OpenID Connect, and OAuth 2.0. However, we are limited as to which authentication mechanisms we can implement.

We can perform SSO when the following mechanisms are used to authenticate the user:

  • Interactive input field, such as a login page

  • Basic HTTP Authentication

  • NTLM

  • Kerberos

  • TOTP

  • Secret question / answer

  • Simple CAPTCHA such as text-based math problems

We cannot perform SSO if any of the following mechanisms are required to authenticate the user:

  • Notification push app

  • Proprietary OTP apps that do not use the TOTP algorithm

  • Hardware OTP tokens such as SecurID

  • WebAuthn (an API standard that supports passwordless authentication including hardware and biometric solutions on the user’s end device, such as fingerprint scans, face scans, retina scans, or YubiKey)

  • Client certificate

  • Image CAPTCHA such as “choose all the squares in this 4x4 image grid that contain a motorcycle”

  • Phone call

We can potentially implement:

  • Email OTP, if your organization will allow a ThousandEyes agent to log in to their webmail service via an API, in order to fetch the email.

  • SMS OTP if your organization is able to set up a third-party SMS relay using an API

You can monitor and interact with arbitrary API endpoints from within a transaction script. For example making HTTP requests, or initiating TCP or TLS connections directly from the transaction script’s execution environment. See the API Monitoring pages for more information.

How MFA is Supported

MFA is ultimately designed to ensure that a human (and the right human) is logging into a site, rather than a machine. ThousandEyes agents, including the BrowserBot component that runs transaction tests, are essentially machines. MFA is literally meant to prevent automation from accessing your site or service, and thus implementing complex sign-on workflows inside of a transaction test is always going to be challenging.

When setting up a service account user for ThousandEyes transaction tests to access your site, your InfoSec team may want to include some additional steps for MFA. In this scenario, we can potentially support TOTP via an API that generates a Time-Based One-Time Password (TOTP) token which is given the authentication secret.

This is an API within the node-js JavaScript runtime environment, in which the ThousandEyes Cloud or Enterprise Agent runs the transaction tests. To use it you import a module, and call a function, with some specific inputs. See this scripting link for an example.

See TOTP Examples for SSO for a few specific use cases involving Google Authenticator, Microsoft, and Salesforce.

Last updated