Configure SSO with Cisco Account
This guide shows you how to set up Single Sign-On (SSO) in ThousandEyes using Cisco account as your identity provider (IdP). With SSO, your users can access ThousandEyes using the same credentials they use elsewhere in your organization.
SSO improves security and simplifies user access by letting your identity provider manage authentication. ThousandEyes supports multiple IdPs in a single organization, so you can configure routing rules to control how users are authenticated based on their email domain or other attributes.
How It Works
Single Sign-On (SSO) allows users to access ThousandEyes using credentials managed by your Identity Provider (IdP). When a user attempts to log in, ThousandEyes redirects them to the IdP for authentication. You can choose from two authentication options for your IdP setup:
SAML: Configure SAML to securely exchange metadata between the IdP and ThousandEyes. SAML 2.0 is required for all SAML-based integrations.
ThousandEyes supports only SAML 2.0. Earlier versions of the protocol are not compatible.
OpenID Connect (OIDC): Configure OpenID Connect to authenticate users using the OAuth 2.0 framework. You can optionally map a unique identifier to each ThousandEyes account.
Related Procedures
To continue your SSO setup, you can also see these related procedures:
Configure Routing Rules — Define how authentication requests are routed based on domain or email patterns. It is recommended you add a break glass routing rule for added protection.
Verify Your Domain - Verify your domains and subdomains to confirm ownership within ThousandEyes.
Test Your SSO Setup — Verify that your SSO integration is working correctly before going live.
Manage Service Provider (SP) Certificates — Add or download SP certificates used in SAML integrations.
Prerequisites
You must have ThousandEyes Organization Admin permissions. For more information on permissions, see Role-Based Access, Explained.
You must have a metadata file from the IdP to provide to ThousandEyes and a metadata file from ThousandEyes to provide to the IdP. For more information, see the Identity Provider Setup section below. This is only applicable to the SAML configuration.
Plan your routing rules behavior before setting up multiple IdPs.
Identity Provider Setup
Log in to your chosen IdP and follow the prompts to configure a new service provider (SP).
Below are links to SP configuration documentation for popular SAML 2.0-based IdPs:
Each IdP has a different process for setting up SSO on their system. However, the following steps are common among the above IdPs:
Find and select the ThousandEyes application in the IdP’s application or service provider (SP) directory.
Some IdPs may require you to manually add the ThousandEyes application.
For static configuration:
Enter the necessary parameter settings in the required fields (refer to the IdP Configuration Details section).
Take note of any SSO URLs or Entity IDs generated during this step — they will be needed in the SP configuration.
Download a certificate or metadata:
For static configuration: download a verification certificate.
For imported metadata configuration: download the metadata file to upload to ThousandEyes.
Configure SSO for your users:
This step may occur at different points in the IdP setup process—even after the ThousandEyes configuration is complete.
Configure SAML
SAML 2.0 is required for all SAML-based integrations with ThousandEyes. SAML provides a structured framework that allows IdPs and service providers to communicate with each other, making federated identity and single sign-on possible and efficient. You have a choice when setting up a SAML IdP. You can manually enter your IdP's metadata or directly upload the metadata to the admin portal.
In ThousandEyes, go to Manage > Account Settings > Organization Settings.
In the Single Sign-On (SSO) section, click Go to admin portal.
In the Cisco Identity portal, go to Settings > Manage IdPs.
Click + Add an IDP.
Select SAML as your IdP and click Next.

Select one of the following methods to connect your identity provider (IdP).
Fill out configuration form — Manually enter your IdP's metadata.
Upload your IdP's metadata — Upload an XML file containing your IdP's metadata.

If you select Fill out the configuration form, do the following:
Enter your Entity ID (SAML Identifier).
Enter your Single sign-on URL.
Select a binding method: HTTP-Post or HTTP-Redirect.
(Optional) Enter your Single sign-out URL.
(Optional) Select a binding method: HTTP-Post or HTTP-Redirect.
Click the checkbox to enable Sign SAML request.
Select this checkbox if your IdP requires authentication requests from ThousandEyes to be signed.
Select a NameID format.
You can select from the following options:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (default): This format uses your email address as your NameID.
urn:oasis:names:tc:SAML:2.0:nameid-format:transient: This format generates a temporary, one-time NameID for each authentication.
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: This format indicates that no specific NameID format is requested, leaving it to your IdP to determine or default to an appropriate format.
Upload your IdP certificate files.
Upload up to two IdP certificate files (in .pem or .cer format), if your IdP uses multiple signing certificates.
Click Next.
If you select Upload your IdP’s metadata, do the following:
Upload an XML file containing your IdP’s metadata.
When uploading the metadata file, there are two ways to validate the metadata from the Customer IdP:
Not signed, self-signed, or private CA-signed IdP metadata file: Your IdP signs its metadata with a self-signed certificate or a private CA, or doesn’t sign the metadata at all. This option is less secure.
Signed by a public certificate authority: Your IdP provides a signature in the metadata that is signed by a Public Root CA.
Click Next.
(Optional) Configure SAML attributes and settings.
The SAML identity provider (IdP), by default, uses the uid attribute to identify the user when sending authentication data to ThousandEyes. If the IdP supports other NameID configurations, you can modify this configuration.
Click Add IdP.
If this is the first IdP you have configured, the IdP is saved as your default IdP, and a default routing rule is created.
Configure OpenID Connect
Use OpenID Connect (OIDC) to set up Single Sign-On (SSO) in ThousandEyes using your identity provider. OIDC is built on the OAuth 2.0 framework and supports secure authentication through encrypted tokens and built-in certificate validation.
In ThousandEyes, go to Manage > Account Settings > Organization Settings.
In the Single Sign-On (SSO) section, click Go to admin portal.
In the Cisco Identity portal, go to Settings > Manage IdPs.
Click + Add an IDP.

Select OpenID Connect as your IdP and click Next.
Enter your IdP information.
Enter your IdP Name.
Enter your Client ID.
The unique ID to identify you and your IdP.
Enter your Client Secret.
This is the password that you and your IdP know.
Select the scopes you want to associate with your IdP.
OpenID and Email are selected by default.
Choose how to add endpoints.
You can select from the following:
Use the discovery URL.
Enter the discovery URL for your IdP. This URL will automatically populate the necessary endpoints for OIDC single logout (SLO).
Manually add all endpoint information.
Select this option if your IdP doesn’t support discovery URLs. You’ll be prompted to enter each endpoint manually. Fill in the following fields:
Issuers (comma-separated) – Enter one or more issuer URIs, separated by commas.
Authorization endpoint – URL used to initiate the authorization flow.
Token endpoint – URL to retrieve access tokens.
JWKS URI – (Optional) URL to retrieve the JSON Web Key Set.
Userinfo endpoint – (Optional) URL to retrieve user profile information.
End session endpoint – (Optional) URL to support single sign-out.

(Optional) Check Allow the session to automatically sign out if you want to enable automatic sign-out.
Click Add IdP.
If this is the first IdP you have configured, the IdP is saved as your default IdP and a default routing rule is created.
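A check you can run on your IdP's discovery document before choosing between the discovery URL and manual entry, as an added example that is not part of the ThousandEyes or Cisco documentation. The mapping from the portal's field labels to discovery keys is an assumption based on the OpenID Connect Discovery and RP-Initiated Logout specifications, and idp.example.com, its paths and the function name are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Portal field label -> (key in the discovery document, optional in the manual form).
FIELD_MAP = {
    "Issuers": ("issuer", False),
    "Authorization endpoint": ("authorization_endpoint", False),
    "Token endpoint": ("token_endpoint", False),
    "JWKS URI": ("jwks_uri", True),
    "Userinfo endpoint": ("userinfo_endpoint", True),
    "End session endpoint": ("end_session_endpoint", True),
}

# Constructed sample discovery document; idp.example.com is a placeholder.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "end_session_endpoint": "https://idp.example.com/oauth2/logout",
    "scopes_supported": ["openid", "email", "profile"],
})

def check_discovery(discovery_url, document_text, scopes=("openid", "email")):
    """Return (manual-entry fields, problems) for an OIDC discovery document."""
    doc = json.loads(document_text)
    problems = []
    # OIDC Discovery: the issuer must match the URL the document was fetched from.
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end with " + WELL_KNOWN)
    elif str(doc.get("issuer", "")).rstrip("/") != discovery_url[:-len(WELL_KNOWN)]:
        problems.append("issuer does not match discovery URL")
    fields = {}
    for label, (key, optional) in FIELD_MAP.items():
        value = doc.get(key)
        if not value:
            if not optional:
                problems.append("missing " + key)
            continue
        if urlsplit(value).scheme != "https":
            problems.append(key + " is not HTTPS")
        fields[label] = value
    # Scopes selected in the portal should be ones the IdP advertises.
    unsupported = sorted(set(scopes) - set(doc.get("scopes_supported", scopes)))
    if unsupported:
        problems.append("scopes not advertised: " + ", ".join(unsupported))
    return fields, problems
```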
Edit an IdP Configuration
In ThousandEyes, go to Manage > Account Settings > Organization Settings.
In the Single Sign-On (SSO) section, click Go to admin portal.
In the Cisco Identity portal, go to Settings > Manage IdPs.
Next to the IdP you want to edit, click the ... icon.
Click Edit IdP.
Update the IdP configuration, and then click Save.
Delete an Identity Provider
Before deleting an IdP, you must deactivate or delete its routing rules. Deleting an IdP that has active routing rules can deactivate SSO for your organization. For more details, see Deactivate or Delete Routing Rules.
In ThousandEyes, go to Manage > Account Settings > Organization Settings.
In the Single Sign-On (SSO) section, click Go to admin portal.
In the Cisco Identity portal, go to Settings > Manage IdPs.
Next to the IdP you want to delete, click the ... icon.
Click Delete.
To confirm, click Delete IdP.
Next Steps
Configure Routing Rules: It’s strongly recommended that you create a break glass routing rule to ensure at least one user or group can log in with a password if the assigned IdP becomes unavailable.
Verify Your Domain - Verify your domains and subdomains to confirm ownership within ThousandEyes.
Test your SSO setup: Verify that your SSO integration is working correctly before going live.