Configure SSO with Cisco Account
Any information provided in this document regarding future functionalities is for informational purposes only and is subject to change including ceasing any further development of such functionality. Many of these future functionalities remain in varying stages of development and will be offered on a when-and-if available basis, and Cisco makes no commitment as to the final delivery of any of such future functionalities. Cisco will have no liability for Cisco's failure to deliver any or all future functionalities and any such failure would not in any way imply the right to return any previously purchased Cisco products.
This guide shows you how to set up Single Sign-On (SSO) in ThousandEyes using Cisco account as your identity provider (IdP). With SSO, your users can access ThousandEyes using the same credentials they use elsewhere in your organization.
SSO improves security and simplifies user access by letting your identity provider manage authentication. ThousandEyes supports multiple IdPs in a single organization, so you can configure routing rules to control how users are authenticated based on their email domain or other attributes.
How it Works
Single Sign-On (SSO) lets users sign in to ThousandEyes using credentials managed by an identity provider (IdP). When a user signs in, ThousandEyes evaluates routing rules to determine which IdP to use and redirects the user to that IdP for authentication.
To maintain access during setup or testing, create a break glass routing rule. This ensures that at least one administrator can sign in using a Cisco account password if an IdP is unavailable or misconfigured.
In this process:
Create and test the break glass rule first: Add yourself to the associated group and verify local Cisco account sign-in before applying routing rules broadly.
Verified identity claims are required: ThousandEyes only supports IdPs that send a stable and verified claim for each user to ensure secure authentication. Some IdPs do not provide a verified claim when using OpenID Connect. In these cases, configure SAML to meet security requirements.
Supported Authentication Protocols
ThousandEyes supports the following authentication protocols for SSO.
SAML: Configure SAML to securely exchange authentication metadata between your IdP and ThousandEyes. SAML 2.0 is required for all SAML-based integrations.
OpenID Connect (OIDC): Configure OpenID Connect to authenticate users using the OAuth 2.0 framework. You can optionally map a unique identifier to each ThousandEyes account.
Related Procedures
To continue your SSO setup, you can also see these related procedures:
Configure Routing Rules — Define how authentication requests are routed based on domain or email patterns. It is recommended you add a break glass routing rule for added protection.
Verify Your Domain - Verify your domains and subdomains to confirm ownership within ThousandEyes.
Test Your SSO Setup — Verify that your SSO integration is working correctly before going live.
Manage Service Provider (SP) Certificates — Add or download SP certificates used in SAML integrations.
Prerequisites
You must have ThousandEyes Organization Admin permissions. For more information on permissions, see Role-Based Access, Explained.
Before enabling or modifying SSO routing rules, configure and test a break glass routing rule that allows at least one administrator to sign in using local Cisco account credentials. For details, see Add a Break Glass Routing Rule.
You must have a metadata file from the IdP to provide to ThousandEyes and a metadata file from ThousandEyes to provide to the IdP. For more information, see the Identity Provider Setup section below. This is only applicable to the SAML configuration.
Plan your routing rules behavior before setting up multiple IdPs.
Identity Provider Setup
Log in to your chosen IdP and follow the prompts to configure a new service provider (SP).
Below are links to SP configuration documentation for popular SAML 2.0-based IdPs:
Each IdP has a different process for setting up SSO on their system. However, the following steps are common among the above IdPs:
Find and select the ThousandEyes application in the IdP’s application or service provider (SP) directory.
Some IdPs may require you to manually add the ThousandEyes application.
For static configuration:
Enter the necessary parameter settings in the required fields (refer to the IdP Configuration Details section).
Take note of any SSO URLs or Entity IDs generated during this step — they will be needed in the SP configuration.
Download a certificate or metadata:
For static configuration: download a verification certificate.
For imported metadata configuration: download the metadata file to upload to ThousandEyes.
Configure SSO for your users:
This step may occur at different points in the IdP setup process—even after the ThousandEyes configuration is complete.
Configure SAML
SAML 2.0 is required for all SAML-based integrations with ThousandEyes. SAML provides a structured framework that allows IdPs and service providers to communicate with each other, making federated identity and single sign-on possible and efficient. You have a choice when setting up a SAML IdP. You can manually enter your IdP's metadata or directly upload the metadata to the admin portal.
In ThousandEyes, go to Manage > Account Settings > Organization Settings.
In the Single Sign-On (SSO) section, click Go to admin portal.
In the Cisco Identity portal, go to Settings > Manage IdPs.
Click + Add an IDP.
Select SAML as your IdP and click Next.

Select one of the following methods to connect your identity provider (IdP).
Fill out configuration form — Manually enter your IdP's metadata.
Upload your IdP's metadata — Upload an XML file containing your IdP's metadata.

If you select Fill out the configuration form, do the following:
Enter your Entity ID (SAML Identifier).
Enter your Single sign-on URL.
Select a binding method: HTTP-Post or HTTP-Redirect.
(Optional) Enter your Single sign-out URL.
(Optional) Select a binding method: HTTP-Post or HTTP-Redirect.
Click the checkbox to enable Sign SAML request.
Select this checkbox if your IdP requires authentication requests from ThousandEyes to be signed.
Select a NameID format.
You can select from the following options:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (default): This format uses your email address as your NameID.
urn:oasis:names:tc:SAML:2.0:nameid-format:transient: This format generates a temporary, one-time NameID for each authentication.
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: This format indicates that no specific NameID format is requested, leaving it to your IdP to determine or default to an appropriate format.
Upload your IdP certificate files.
Upload up to two IdP certificate files (in .pem or .cer format), if your IdP uses multiple signing certificates.
Click Next.
If you select Upload your IdP’s metadata, do the following:
Upload an XML file containing your IdP’s metadata.
When uploading the metadata file, there are two ways to validate the metadata from the Customer IdP:
Not signed, self-signed, or private CA-signed IdP metadata file: Your IdP signs its metadata with a self-signed or private CA certificate, or doesn't sign its metadata at all. This option is less secure.
Signed by a public certificate authority: Your IdP provides a signature in the metadata that is signed by a Public Root CA.
Click Next.
(Optional) Configure SAML attributes and settings.
The SAML identity provider (IdP), by default, uses the uid attribute to identify the user when sending authentication data to ThousandEyes. If the IdP supports other NameID configurations, you can modify this configuration.
Click Add IdP.
If this is the first IdP you have configured, the IdP is saved as your default IdP, and a default routing rule is created.
Consider adding a break glass routing rule for added protection.
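A pre-upload check for the SAML steps above, added here as an example (it is not Cisco or ThousandEyes code): it reads an IdP metadata file and reports the values the configuration form asks for, and whether the file carries a signature at all. The sample metadata, the `idp.example.com` host and the function name are constructed for illustration, and the https check is an added sanity check rather than a documented requirement.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
URI = "urn:oasis:names:tc:SAML:2.0:bindings:"  # binding URI -> name used in the form
BINDINGS = {URI + "HTTP-POST": "HTTP-Post", URI + "HTTP-Redirect": "HTTP-Redirect"}
# Constructed sample: hypothetical IdP, placeholder certificate body, no signature.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Location="https://idp.example.com/sso"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_idp_metadata(xml_text):
    """Return the fields the configuration form asks for, plus warnings."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs and entity declarations outright
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find(f"{MD}IDPSSODescriptor")
    if root.tag != f"{MD}EntityDescriptor" or idp is None:
        raise ValueError("not a single-entity IdP metadata document")
    sso = [(BINDINGS[s.get("Binding")], s.get("Location", ""))
           for s in idp.findall(f"{MD}SingleSignOnService")
           if s.get("Binding") in BINDINGS]
    certs = {c.text.strip() for k in idp.findall(f"{MD}KeyDescriptor")
             if k.get("use") in (None, "signing")  # no 'use' attribute covers signing
             for c in k.iter(f"{DS}X509Certificate") if c.text}
    info = {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "nameid_formats": [n.text.strip() for n in idp.findall(f"{MD}NameIDFormat") if n.text],
        "signing_certs": len(certs),
        "signed": root.find(f"{DS}Signature") is not None,  # presence only, not validity
    }
    checks = [
        (not info["entity_id"], "missing entityID"),
        (not sso, "no SingleSignOnService with HTTP-Post or HTTP-Redirect binding"),
        (any(not loc.startswith("https://") for _, loc in sso), "single sign-on URL is not https"),
        (not certs, "no signing certificate"),
        (not info["signed"], "metadata is unsigned: only the less secure validation option applies"),
    ]
    info["warnings"] = [msg for failed, msg in checks if failed]
    return info
```

The `signed` flag only records that a signature element is present; it does not validate the signature or tell a public CA chain from a private one.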
Configure OpenID Connect
Use OpenID Connect (OIDC) to set up Single Sign-On (SSO) in ThousandEyes using your identity provider. OIDC is built on the OAuth 2.0 framework and supports secure authentication through encrypted tokens and built-in certificate validation.
When you set up OpenID Connect with Entra ID or an IdP where the email isn’t a permanent identifier, we recommend that you use the externalId linking attribute to map to a unique identifier. For Entra ID, we suggest mapping OIDC to externalId. If the email you enter doesn’t match the linking attribute, you’re prompted to verify your identity or create a new user with the correct email address.
In ThousandEyes, go to Manage > Account Settings > Organization Settings.
In the Single Sign-On (SSO) section, click Go to admin portal.
In the Cisco Identity portal, go to Settings > Manage IdPs.
Click + Add an IDP.

Select OpenID Connect as your IdP and click Next.
Enter your IdP information.
Enter your IdP Name.
Enter your Client ID.
The unique ID to identify you and your IdP.
Enter your Client Secret.
This is the password that you and your IdP know.
Select the scopes you want to associate with your IdP.
OpenID and Email are selected by default.
Choose how to add endpoints.
You can select from the following:
Use the discovery URL.
Enter the discovery URL for your IdP. This URL will automatically populate the necessary endpoints for OIDC single logout (SLO).
Manually add all endpoint information.
Select this option if your IdP doesn’t support discovery URLs. You’ll be prompted to enter each endpoint manually. Fill in the following fields:
Issuers (comma-separated) – Enter one or more issuer URIs, separated by commas.
Authorization endpoint – URL used to initiate the authorization flow.
Token endpoint – URL to retrieve access tokens.
JWKS URI – (Optional) URL to retrieve the JSON Web Key Set.
Userinfo endpoint – (Optional) URL to retrieve user profile information.
End session endpoint – (Optional) URL to support single sign-out.

(Optional) Check Allow the session to automatically sign out if you want to enable automatic sign-out.
Click Add IdP.
If this is the first IdP you have configured, the IdP is saved as your default IdP and a default routing rule is created.
Consider adding a break glass routing rule for added protection.
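A check of an IdP's discovery document against the OIDC fields listed above, added here as an example (it is not Cisco or ThousandEyes code). It maps the standard discovery keys to the manual-entry fields and confirms that the issuer matches the discovery URL and that the default scopes are advertised. Treating `email_verified` as the "verified claim" this guide requires is an assumption, and the `login.example.com` document is constructed.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Manual-entry field on this page -> (standard discovery key, required in the form?)
FORM_FIELDS = {
    "Issuers": ("issuer", True),
    "Authorization endpoint": ("authorization_endpoint", True),
    "Token endpoint": ("token_endpoint", True),
    "JWKS URI": ("jwks_uri", False),
    "Userinfo endpoint": ("userinfo_endpoint", False),
    "End session endpoint": ("end_session_endpoint", False),
}
# Constructed discovery document for a hypothetical IdP.
ISSUER = "https://login.example.com/tenant1"
SAMPLE_URL = ISSUER + WELL_KNOWN
SAMPLE_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/keys",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "name"],
})

def check_discovery(discovery_url, doc_text):
    """Return (form field -> value, list of problems) for a discovery document."""
    doc = json.loads(doc_text)
    fields, problems = {}, []
    for label, (key, required) in FORM_FIELDS.items():
        value = fields[label] = doc.get(key)
        if value is None:
            if required:
                problems.append(f"{label}: missing")
        elif not isinstance(value, str) or urlsplit(value).scheme != "https":
            problems.append(f"{label}: not an https URL")
    # OIDC Discovery: issuer must equal the discovery URL minus the well-known suffix.
    expected = discovery_url[:-len(WELL_KNOWN)] if discovery_url.endswith(WELL_KNOWN) else None
    if doc.get("issuer") != expected:
        problems.append("issuer does not match the discovery URL")
    for scope in ("openid", "email"):  # the scopes selected by default in the form
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope not advertised: {scope}")
    # Assumption: the verified claim is email_verified; advertised is not the same as sent.
    if "email_verified" not in doc.get("claims_supported", []):
        problems.append("email_verified claim not advertised")
    return fields, problems
```

For the sample document the only problem reported is the missing `email_verified` claim, the situation in which this guide recommends configuring SAML instead.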
Edit an IdP Configuration
In ThousandEyes, go to Manage > Account Settings > Organization Settings.
In the Single Sign-On (SSO) section, click Go to admin portal.
In the Cisco Identity portal, go to Settings > Manage IdPs.
Next to the IdP you want to edit, click the ... icon.
Click Edit IdP.
Update the IdP configuration, and then click Save.
Delete an Identity Provider
Before deleting an IdP, you must deactivate or delete its routing rules. Deleting an IdP that has active routing rules can deactivate SSO for your organization. For more details, see Deactivate or Delete Routing Rules.
In ThousandEyes, go to Manage > Account Settings > Organization Settings.
In the Single Sign-On (SSO) section, click Go to admin portal.
In the Cisco Identity portal, go to Settings > Manage IdPs.
Next to the IdP you want to delete, click the ... icon.
Click Delete.
To confirm, click Delete IdP.
Next Steps
Configure Routing Rules: It’s strongly recommended that you create a break glass routing rule to ensure at least one user or group can log in with a password if the assigned IdP becomes unavailable.
Verify Your Domain - Verify your domains and subdomains to confirm ownership within ThousandEyes.
Test your SSO setup: Verify that your SSO integration is working correctly before going live.