For the security of your SaaS-based infrastructure and the convenience of users in your organization, ThousandEyes offers login via single sign-on (SSO). ThousandEyes supports SAML 2.0-based SSO.
Within ThousandEyes, SSO configuration is done in the Security & Authentication section under the Organization tab of Account Settings. The following information from your Identity Provider (IdP) must be supplied to ThousandEyes in order to get SSO working:
Login URL for your SAML provider
Logout URL for your SAML provider (optional)
Identity Provider Issuer
Service Provider Issuer
There are three methods to set these options:
Each parameter needs to be supplied manually, including verification certificate(s).
Imported Metadata Configuration
ThousandEyes will parse a user-supplied metadata XML file and load the parameters.
ThousandEyes will parse a metadata file from a provided URL on demand (for each user login).
If XML metadata loading is supported by your Identity Provider, you can use our Service Provider (SP) metadata file available at the following URL: https://app.thousandeyes.com/saml-metadata
Alternatively, manual configuration of your Identity Provider can be performed. The following information lists the characteristics of ThousandEyes as a SAML Service Provider:
ThousandEyes supports both Service-Provider-initiated (i.e. ThousandEyes login page initiated) and Identity-Provider-Initiated (i.e. clicking a link from inside the customer portal) based logins
ThousandEyes post-back URL: https://app.thousandeyes.com/login/sso/acs
SAML Assertion NameID (unspecified or emailAddress format): Email address of user to be authenticated (must be already registered in ThousandEyes).
If a valid email address (as registered in ThousandEyes) is not found in the NameID field, the assertion will be parsed for additional name claims.
Request Compression: Yes
Audience Restriction: https://app.thousandeyes.com
Note: When using static configuration, the Audience Restriction configured in your Identity Provider's configuration must exactly match the value set for the Service Provider Issuer field in ThousandEyes. Any mismatch, including a protocol mismatch (http:// vs https://) and trailing slashes will cause the request to be rejected. When using dynamic or imported metadata configurations, make sure you configure your IdP to use https://app.thousandeyes.com as the Audience Restriction.
AssertionConsumerService URL: https://app.thousandeyes.com/login/sso/acs
ThousandEyes parses the email (our primary identifier of users) on the SamlResponse created by your Identity Provider. We require that you configure your IdP to supply a registered user's email address in one of the following attributes of the assertion (failure to find a registered email address in any of these attributes will break the SSO process):
NameID in the format "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”
NameID in the format "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
Attribute "emailaddress" (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\
Attribute "name" (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\
Make sure that at least one of the uploaded verification certificates is an exact match of what is being used to sign the SamlResponse assertion.
Verify that the AudienceRestriction configured in your IDP is an exact match of the service provider issuer string within ThousandEyes SSO configuration.
ThousandEyes supports the use of any SAML 2.0-based identity provider for single-sign on. Vendor-specific configuration examples can be found in the following articles: