How to Configure Single Sign-On with Google G Suite

For the security of your SaaS-based infrastructure and the convenience of users in your organization, the ThousandEyes service offers login via single sign-on (SSO). ThousandEyes supports SAML2-based identity providers (IdPs) for single sign-on. In this configuration example, we use Google's G Suite (formerly Google Apps) as the identity provider.

There are two steps to set up single sign-on:

  1. Identity provider configuration, which is done within your identity provider's system (in this case, Google).

  2. Service provider configuration, which is done within ThousandEyes using one of the following options:

    • Static Configuration: Requires manual entry of the parameters.

    • Imported Metadata Configuration: A metadata file is used to configure the parameters (recommended method).

    • Dynamic Configuration: A URL is used to configure the parameters (not yet supported by G Suite SAML).

Prerequisites

Here's what you need to configure single sign-on:

  • A user in a role with the Edit security & authentication settings permission in ThousandEyes.

  • A G Suite administrator account.

Identity Provider (Google) Configuration

  1. Log in to G Suite using an administrator account.

  2. Open the Admin Console (https://admin.google.com).

  3. Click Apps (Manage apps and their settings).

  4. Click SAML apps.

  5. Click the + icon to configure a new SAML application.

  6. Click SETUP MY OWN CUSTOM APP.

  7. Obtain the Google identity provider information for configuration in ThousandEyes.

    Option 1 is used for static configuration of the Service Provider. Copy and paste the SSO URL and IdP Entity ID values into a separate document, and download the certificate. Then click Next.

    Or

    Option 2 is used for imported metadata configuration of the Service Provider. Download the IDP Metadata file. Then click Next.

  8. Enter the ThousandEyes application information that will be visible within the user's Google environment.

    Description and Upload logo are both optional. The ThousandEyes Media Kit provides a variety of ThousandEyes logos, which can be scaled down to fit within the required dimensions, if needed. A pre-sized logo is available below the screenshot.

    A ThousandEyes logo, sized to fit with Google Apps:

    Right-click on the image above to save it to your local storage, then upload to Google Apps with the Choose File button.

  9. Enter the required ThousandEyes Service Provider details.

  10. Skip the optional Attribute Mapping, and click Finish.

  11. Enable the ThousandEyes application for all users by clicking the More Options menu (three vertical dots) and selecting ON for everyone.

Service Provider Configuration

Follow these steps to configure your ThousandEyes organization to use single sign-on:

Static Configuration

  1. Log in to ThousandEyes as a user with a role that has the Edit security & authentication settings permission.

  2. Go to the Security & Authentication tab of the Account Settings page.

  3. In the Setup Single Sign-On section:

    • Check the Enable Single Sign-On box.

    • Enter the Login Page URL (SSO URL from previous section - step 7).

    • Enter a Logout Page URL (Optional).

    • Enter the Identity Provider Issuer (Entity ID from the previous section - step 7).

    • Enter the Service Provider Issuer (SP Entity ID from the previous section - step 9; do not use the Entity ID from step 7).

    • Click the Choose File button to upload the verification certificate (certificate downloaded from the previous section - step 7).

  4. Click Save.

  5. Click Run Single Sign-On Test to verify that the single sign-on works as expected.

Imported Metadata Configuration

  1. Log in to ThousandEyes using an account with a role that has the Edit security & authentication settings permission.

  2. Go to the Security & Authentication tab of the Account Settings page.

  3. Check the Enable Single Sign-On box.

  4. Click the Imported Metadata Configuration button.

  5. Click the Import File button and upload the IDP Metadata File downloaded at Step 7 of the Identity Provider configuration section. The configuration section should populate with the SSO parameters (see screenshot below).

  6. Click the Save button.

  7. Click Run Single Sign-On Test to verify that the single sign-on works as expected.
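
A check an administrator can run before uploading, added here as an example (it is not ThousandEyes or Google code): it reads the IDP Metadata file from Option 2, extracts the Entity ID, SSO URL and signing-certificate fingerprint that the Static Configuration form asks for, and confirms that the certificate downloaded under Option 1 is the same one. The sample metadata, the idpid value and the certificate bytes are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: idpid and certificate bytes are placeholders, not real values.
SAMPLE_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE123"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(b64_text):
    """SHA-256 of the certificate's DER bytes; PEM armor and whitespace are ignored."""
    lines = (line.strip() for line in b64_text.splitlines())
    body = "".join(line for line in lines if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def read_idp_metadata(xml_text):
    """Extract the values the Static Configuration form asks for."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    urls = sorted({s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)})
    if not urls or not all(u.startswith("https://") for u in urls):
        raise ValueError("SSO endpoint missing or not HTTPS")
    certs = [fingerprint(c.text or "")
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")
             for c in k.iterfind(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso_urls": urls, "cert_sha256": certs}

def cert_matches_metadata(pem_text, xml_text):
    """True if the separately downloaded certificate is the one in the metadata."""
    return fingerprint(pem_text) in read_idp_metadata(xml_text)["cert_sha256"]
```

Compare the returned values against what the Setup Single Sign-On section shows after the import; a mismatch in the Entity ID or certificate fingerprint means the wrong file was uploaded.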

Logging in Using SSO

  1. To log in to ThousandEyes, go to https://app.thousandeyes.com and click the SSO link.

  2. Input the SSO-enabled email address, and click Log In.

  3. When the Google authorization page appears, enter your email and password, and click Sign On.

    You should automatically log in to ThousandEyes.

Returning to Standard (non-SSO) Login Page

If your organization discontinues use of SSO at any time, you can return to the login page by using this special login:

https://app.thousandeyes.com/login?breakSso

This will return you to the normal, non-SSO login page.

Required Permissions

The following information describes the permissions required in ThousandEyes in order to configure or use single sign-on. For more information on configuring roles and permissions, see the ThousandEyes Knowledge Base article Role-Based Access Control, Explained.

Configuration

In order to configure single sign-on in ThousandEyes, a user in a role with the Edit security & authentication settings permission is required, as described above.

User Permissions

For a user to log in using single sign-on, they must be assigned a role with the Login via Single Sign-On permission. To restrict users to log in only via SSO, remove the Login via ThousandEyes login page permission. Note that for users with management permissions, it is not possible to remove the Login via ThousandEyes login page permission. This feature ensures that administrators cannot be prevented from logging in when they have issues with an identity provider.