How to Configure Single Sign-On with Bitium

For the security of your SaaS-based infrastructure and the convenience of users in your organization, the ThousandEyes service offers login via single sign-on (SSO). ThousandEyes supports SAML2-based identity providers for single sign-on. There are two steps to set up single sign-on:

  1. Identity provider configuration, done within your SSO system (in this article we use Bitium)

  2. Service provider configuration, which is done within ThousandEyes using one of the following options:

    • Static Configuration: Requires manual setting of the parameters.

    • Imported Metadata Configuration: A metadata file is used to configure the parameters.

    • Dynamic Configuration: A URL is used to configure the parameters.

Prerequisites

Configuration is normally simple. Here's what you need:

  • A ThousandEyes account assigned a role with the Edit security & authentication settings permission

  • A SAML2 identity provider (in this example, Bitium)

Identity Provider Configuration

  1. Log in to the Bitium Admin Console, and go to Manage ThousandEyes > Manage Apps.

  2. If the ThousandEyes app is not installed, click the Add an App button, search for ThousandEyes and click the ThousandEyes app to get it installed. If prompted, select Single Sign-On with SAML Authentication.

  3. From the Manage ThousandEyes > Manage Apps page, select ThousandEyes from the list of installed apps, then click on the Single Sign-On tab and select SAML Authentication from the drop-down menu.

  4. The following screenshot highlights the values which will be used in the ThousandEyes Security & Authentication tab, as explained in the following sections. Copy these values.

  5. Depending on the type of single sign-on configuration that you would like to use, download the related file:

    • For ThousandEyes Static Configuration: Download the X.509 Certificate file.

    • For ThousandEyes Imported Metadata Configuration: Download the Metadata XML file.

    • For ThousandEyes Dynamic Configuration: Note the Metadata URL.

ThousandEyes (Service Provider) Configuration

Static Configuration

Follow these steps to configure your ThousandEyes organization to use single sign-on:

  1. Log in to ThousandEyes using an account with a role that has the Edit security & authentication settings permission.

  2. Open the Account Settings page and select the Security & Authentication tab.

  3. Check the Enable Single Sign-On box.

  4. Click the Static Configuration button.

  5. Configure the Setup Single Sign-On fields according to the following settings and click the Save button.

    • Login Page URL: The Login URL from Step 4 in the Identity Provider configuration section above

    • Logout Page URL: The Logout URL from Step 4 in the Identity Provider configuration section above

    • Identity Provider Issuer: The Entity ID from Step 4 in the Identity Provider configuration section above

    • Service Provider Issuer: https://app.thousandeyes.com

    • Verification Certificate: The X.509 certificate downloaded at Step 5 in the Identity Provider configuration section above

IMPORTANT: Ensure that the Service Provider Issuer field reflects the value set by the identity provider in the AudienceRestriction element of the SAML response. Any mismatch, including a protocol mismatch (http vs https), will cause the request to be rejected.

NOTE: The Logout Page URL is optional. If used, the URL should point to the page you wish your users to see when logging out of ThousandEyes.
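To troubleshoot the Service Provider Issuer requirement described above, the following added example (not ThousandEyes or Bitium code) extracts the Audience values from a captured SAML response and reports how each differs from the configured issuer. It assumes the response comes from the base64-encoded SAMLResponse form field of an HTTP POST login; the function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ISSUER = "https://app.thousandeyes.com"  # Service Provider Issuer value from this page


def audiences(saml_response_b64):
    """Return every Audience value found inside AudienceRestriction elements."""
    # Diagnostic only: this reads the response, it does not verify its signature.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = root.iterfind(".//saml:AudienceRestriction/saml:Audience", SAML_NS)
    return [(el.text or "").strip() for el in found]


def diagnose(audience, sp_issuer=SP_ISSUER):
    """Explain how one Audience value differs from the configured issuer."""
    if audience == sp_issuer:
        return "match"
    a, s = urlsplit(audience), urlsplit(sp_issuer)
    if (a.netloc.lower(), a.path.rstrip("/")) == (s.netloc.lower(), s.path.rstrip("/")):
        if a.scheme != s.scheme:
            return "protocol mismatch"
        return "trailing slash or letter case differs"
    return "different entity"


def check_response(saml_response_b64, sp_issuer=SP_ISSUER):
    """Map each Audience in the response to its diagnosis."""
    return {aud: diagnose(aud, sp_issuer) for aud in audiences(saml_response_b64)}


def sample_response(audience):
    """Constructed, unsigned SAML response fragment used only as sample input."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for aud in (SP_ISSUER, "http://app.thousandeyes.com", SP_ISSUER + "/"):
        print(check_response(sample_response(aud)))
```

Any result other than "match" means the Audience value sent by the identity provider and the Service Provider Issuer field need to be brought into exact agreement.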

Imported Metadata Configuration

Follow these steps to configure your ThousandEyes organization to use single sign-on:

  1. Log in to ThousandEyes using an account with a role that has the Edit security & authentication settings permission.

  2. Open the Account Settings page and click the Security & Authentication tab.

  3. Check the Enable Single Sign-On box.

  4. Click the Imported Metadata Configuration button.

  5. Click the Import File button and upload the Metadata XML file downloaded at Step 5 of the Identity Provider configuration section. The configuration section should populate with the SSO parameters (see screenshot below).

  6. Click the Save button.

Dynamic Configuration

Follow these steps to configure your ThousandEyes organization to use single sign-on:

  1. Log in to ThousandEyes using an account with a role that has the Edit security & authentication settings permission.

  2. Open the Account Settings page and click the Security & Authentication tab.

  3. Check the Enable Single Sign-On box.

  4. Click the Dynamic Configuration button.

  5. In the IdP Metadata URL box, paste the Metadata URL obtained at Step 5 of the Identity Provider configuration section. The configuration section should populate with the SSO parameters (see screenshot below).

  6. Click the Save button.