How to Configure Single Sign-On with Google G Suite
For the security of your SaaS-based infrastructure and the convenience of users in your organization, the ThousandEyes service offers login via single sign-on (SSO). ThousandEyes supports SAML2-based identity providers (IdPs) for single sign-on. In this configuration example, we use Google's G Suite (formerly Google Apps) as the identity provider.
There are two steps to set up single sign-on:
Identity provider configuration, which is done within your identity provider's system (in this case, Google)
Service provider configuration, which is done within ThousandEyes using one of the following options:
Static Configuration: Requires manual settings of the parameters.
Imported Metadata Configuration: A metadata file is used to configure the parameters (recommended method).
Dynamic Configuration: A URL is used to configure the parameters (not yet supported by G Suite SAML)
Here's what you need to configure single sign-on:
A user in a role with the Edit security & authentication settings permission in ThousandEyes.
Click the Import File button and upload the IDP Metadata File downloaded at Step 7 of the Identity Provider configuration section. The configuration section should populate with the SSO parameters (see screenshot below).
Click the Save button.
Click Run Single Sign-On Test to verify that the single sign-on works as expected.
This will return you to the normal, non-SSO login page.
The following information describes the permissions required in ThousandEyes in order to configure or use single sign-on. For more information on configuring roles and permissions, see Role-Based Access Control, Explained.
In order to configure single sign-on in ThousandEyes, a user in a role with the Edit security & authentication settings permission is required, as described above.
For a user to log in using single sign-on, they must be assigned a role with the Login via Single Sign-On permission. To restrict users to log in only via SSO, remove the Login via ThousandEyes login page permission. Note that for users with management permissions, it is not possible to remove the Login via ThousandEyes login page permission. This feature ensures that administrators cannot be prevented from logging in when they have issues with an identity provider.