# Configure Routing Rules

{% hint style="info" %}
Any information provided in this document regarding future functionalities is for informational purposes only and is subject to change including ceasing any further development of such functionality. Many of these future functionalities remain in varying stages of development and will be offered on a when-and-if available basis, and Cisco makes no commitment as to the final delivery of any of such future functionalities. Cisco will have no liability for Cisco's failure to deliver any or all future functionalities and any such failure would not in any way imply the right to return any previously purchased Cisco products.
{% endhint %}

Routing rules apply when setting up more than one IdP. They tell ThousandEyes which identity provider to use for each user. Rules are evaluated in list order, and the first rule that matches the user is applied.

There is no secondary evaluation and no automatic fallback to another IdP or to local authentication if a login fails or if an IdP is unreachable. Put the rule you want to take effect for a given user above any broader rule that would otherwise match them.

## Add a Break Glass Routing Rule (Dedicated Local Authentication Only) <a href="#add-a-break-glass-routing-rule-dedicated-local-authentication-only" id="add-a-break-glass-routing-rule-dedicated-local-authentication-only"></a>

{% hint style="info" %}
Before you activate SSO, complete the steps below first for administrators who must use local Cisco credentials only. Order rules so those users match this rule before any rule that sends them to an external IdP. That limits the risk of administrative lockout during SSO setup or IdP outages. It does not add fallback behavior for users matched by a different rule first.
{% endhint %}

A break glass routing rule is a group-based rule that sends designated users (for example, administrators) to log in with local Cisco account credentials when this rule is their first match. Those users are not redirected to an external IdP and are not offered a choice between external SSO and local login.

1. In ThousandEyes, navigate to **Manage > Account Settings > Organization Settings**.
2. In the Single Sign-On (SSO) section, click **Go to admin portal**.
3. (Optional) If you don’t have a group, create one.
   1. In the Cisco Identity portal, navigate to **Groups** on the left-hand panel.
   2. Click **+ Create a Group**.
   3. Enter a name for your group.
   4. (Optional) Enter a description for your group.
   5. Add group members.

      Click the dropdown and select organization members to add to your group. You can add up to 500 group members.
   6. Click **Create group**.
4. Navigate to **Settings > Manage IdPs**.
5. Under the **Routing Rules** tab, click **+ Add a new routing rule**.
6. Enter a **Rule Name**.
7. Click the **Select a routing type** dropdown and select **Group**.
8. Click the **If these are your groups** dropdown and select your groups.
9. Click the **Then use this identity provider** dropdown and select **Cisco IdP**.
10. Click **Add**.
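
The ordering requirement above (first match wins, no fallback, break glass rule placed above broader rules) can be checked offline before SSO is activated. The following is an added example, not ThousandEyes or Cisco code: it models the rule list in Python and reports break glass group members whose first match would send them to an external IdP. The field names, the email-domain matching, the catch-all default rule, and the group, domain and "External IdP" names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed model of the rule list. Field names, the email-domain match and the
# catch-all default rule are assumptions, not the Cisco Identity portal's format or API.
@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                        # "group", "domain" or "default"
    values: frozenset = frozenset()  # group names or verified domains
    idp: str = "Cisco IdP"
    active: bool = True

@dataclass(frozen=True)
class User:
    email: str
    groups: frozenset = frozenset()

def matches(rule, user):
    if not rule.active:
        return False                 # deactivated rules are skipped
    if rule.kind == "group":
        return bool(rule.values & user.groups)
    if rule.kind == "domain":
        return user.email.rsplit("@", 1)[-1].lower() in rule.values
    return rule.kind == "default"

def route(rules, user):
    """Return the first active rule that matches; no second pass, no fallback."""
    return next((r for r in rules if matches(r, user)), None)

def shadowed_break_glass(rules, users, group, local_idp="Cisco IdP"):
    """Emails of `group` members whose first match is not local authentication."""
    shadowed = []
    for user in users:
        if group in user.groups:
            rule = route(rules, user)
            if rule is None or rule.idp != local_idp:
                shadowed.append(user.email)
    return sorted(shadowed)

# Constructed sample data (hypothetical group, domain and IdP names).
ADMINS = "sso-break-glass"
USERS = [User("alice@example.com", frozenset({ADMINS})), User("bob@example.com")]
BREAK_GLASS = Rule("Break glass", "group", frozenset({ADMINS}), "Cisco IdP")
CORP_SSO = Rule("Corp SSO", "domain", frozenset({"example.com"}), "External IdP")
DEFAULT = Rule("Default rule", "default", idp="External IdP")
BAD_ORDER = [CORP_SSO, BREAK_GLASS, DEFAULT]    # domain rule matches alice first
GOOD_ORDER = [BREAK_GLASS, CORP_SSO, DEFAULT]   # break glass rule is her first match

if __name__ == "__main__":
    print("bad order :", shadowed_break_glass(BAD_ORDER, USERS, ADMINS))
    print("good order:", shadowed_break_glass(GOOD_ORDER, USERS, ADMINS))
```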

## Add a New Routing Rule

1. In ThousandEyes, navigate to **Manage > Account Settings > Organization Settings**.
2. In the Single Sign-On (SSO) section, click **Go to admin portal**.
3. In the Cisco Identity portal, click **Settings > Manage IdPs**.

{% hint style="info" %}
When configuring your first IdP, the routing rule is automatically added and is set as the default rule. You can select another IdP to set as the default rule later.
{% endhint %}

4. Under the **Routing Rules** tab, click **+ Add a new routing rule**.
5. Enter the details for a routing rule:

   * **Rule Name**: Enter a name for the routing rule.
   * **Select a routing type**: Click the dropdown and select **Domain** or **Group**.

     If you select **Domain**, your domain must be verified. For more information, see [Verify Your Domains](https://docs.thousandeyes.com/product-documentation/user-management/authentication/configure-sso-with-cisco-account/verify-domains).
   * **If these are your domains/groups**: Click the dropdown and select domains/groups within your organization.
   * **Then use this identity provider**: Click the dropdown and select an IdP.

   ![](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-635668e234c00b74e694b43c17688e18c3cc9bdd%2Fconfigure-new-routing-rules.png?alt=media)
6. Click **Add**.
7. Click the `...` icon next to your new routing rule, then click **Activate**.

## Edit a Routing Rule

1. In ThousandEyes, navigate to **Manage > Account Settings > Organization Settings**.
2. In the Single Sign-On (SSO) section, click **Go to admin portal**.
3. In the Cisco Identity portal, click **Settings > Manage IdPs**.
4. Under the **Routing Rules** tab, click the `...` icon next to the rule you want to modify and select **Edit routing rule**.

   ![](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-47e42985e3c5ecc32ce574c8af1db2ffd29bd8c7%2Fedit-routing-rules.png?alt=media)
5. Make the desired changes to the routing rule and click **Save**.

## Deactivate or Delete Routing Rules

{% hint style="info" %}
The **Default rule** can’t be deactivated or deleted, but you can modify the routed IdP.
{% endhint %}

1. In ThousandEyes, navigate to **Manage > Account Settings > Organization Settings**.
2. In the Single Sign-On (SSO) section, click **Go to admin portal**.
3. In the Cisco Identity portal, click **Settings > Manage IdPs**.
4. Under the **Routing Rules** tab, click the `...` icon next to the rule you want to modify and select **Edit routing rule**.
5. Select one of the following:
   * **Deactivate**: Preserve the routing rule's configuration for future use.
   * **Delete**: Permanently remove the selected rule from the list of routing rules.

{% hint style="info" %}
Make sure you have at least one active routing rule for the IdP. Otherwise, you might run into problems with your SSO login.
{% endhint %}

## Next Steps

[Test your SSO Setup](https://docs.thousandeyes.com/product-documentation/user-management/authentication/configure-sso-with-cisco-account/test-your-sso-setup)
