How to Configure Single Sign-On with Google Workspace
For the security of your SaaS-based infrastructure and the convenience of users in your organization, the ThousandEyes service offers login via single sign-on (SSO). ThousandEyes supports SAML2-based identity providers (IdPs) for single sign-on. In this configuration example, we use Google Workspace (formerly Google Apps) as the identity provider.
There are two steps to set up single sign-on:
- 1.Identity provider configuration, which is done within your identity provider's system (in this case, Google)
- 2.Service provider configuration, which is done within ThousandEyes using one of the following options:
- Static Configuration: Requires manual settings of the parameters.
- Imported Metadata Configuration: A metadata file is used to configure the parameters (recommended method).
- Dynamic Configuration: A URL is used to configure the parameters (not yet supported by Google Workspace SAML)
Here's what you need to configure single sign-on:
- A user in a role with the Edit security & authentication settings permission in ThousandEyes.
- A Google Workspace administrator account.
- 1.Log in to Google Workspace using an administrator account.
- 2.
- 3.Click Apps (Manage apps and their settings).
- 4.Click SAML apps.
- 5.Click the + icon to configure a new SAML application.
- 6.Click SETUP MY OWN CUSTOM APP.
- 7.Obtain the Google identity provider information for configuration in ThousandEyes.Option 1 is used for static configuration of the Service Provider. Copy and paste the SSO URL and IdP Entity ID values into a separate document, and download the certificate. Then click Next.OrOption 2 is used for imported metadata configuration of the Service Provider. Download the IDP Metadata file. Then click Next.
Enable the ThousandEyes application for all users by clicking the More Options menu (three vertical dots) and selecting ON for everyone.
- 1.Log in to ThousandEyes as a user having a role with the Edit security & authentication settings permission.
- 2.
- 3.In the Setup Single Sign-On section:
- Check the Enable Single Sign-On box.
- Enter the Login Page URL (SSO URL from previous section - step 7).
- Enter a Logout Page URL (Optional).
- Enter the Identity Provider Issuer (Entity ID from the previous section - step 7).
- Enter the Service Provider Issuer (SP Entity ID from the previous section - step 9; do not use the Entity ID from step 7).
- Click the Choose File button to upload the verification certificate (certificate downloaded from the previous section).
- 4.Click Save.
- 5.Click Run Single Sign-On Test to verify that the single sign-on works as expected.
Follow these steps to configure your ThousandEyes organization to use single sign-on:
- Enter the ThousandEyes application information that will be visible with the user's Google environment.Description and Upload logo are both optional. A pre-sized logo is available below the screenshot.
A ThousandEyes logo, sized to fit with Google Apps:
Right-click on the image above to save it to your local storage, then upload to Google Apps with the Choose File button. - Enter the required ThousandEyes Service Provider details:
- Skip the optional Attribute Mapping, and click Finish:
- Log in to ThousandEyes as a user with a role that has the Edit security & authentication settings permission.
- In the Setup Single Sign-On section:
- Check the Enable Single Sign-On box.
- Enter the Login Page URL (SSO URL from previous section - step 7).
- Enter a Logout Page URL (Optional).
- Enter the Identity Provider Issuer (Entity ID from the previous section - step 7).
- Enter the Service Provider Issuer (SP Entity ID from previous section - step 9; do not use the Entity ID from step 7).
- Click the Choose File button to upload the verification certificate (certificate downloaded from the previous section - step 7).
- Click Save.
- Click Run Single Sign-On Test to verify that the single sign-on works as expected.
- Log in to ThousandEyes using an account with a role that has the Edit security & authentication settings permission.
- Check the Enable Single Sign-On box.
- Click the Imported Metadata Configuration button.
- Click the Import File button and upload the IDP Metadata File downloaded at Step 7 of the Identity Provider configuration section. The configuration section should populate with the SSO parameters (see screenshot below).
- Click the Save button.
- Click Run Single Sign-On Test to verify that the single sign-on works as expected.
- 1.
- 2.Input the SSO-enabled email address, and click Log In.
- 3.When the Google authorization page appears, enter your email and password, and click Sign On. You should automatically log in to ThousandEyes.
If your organization discontinues use of SSO at any time, you can return to the login page, by using this special login:
This will return you to the normal, non-SSO login page.
The following information describes the permissions required in ThousandEyes in order to configure or use single sign-on. For more information on configuring roles and permissions, see Role-Based Access Control, Explained.
In order to configure single sign-on in ThousandEyes, a user in a role with the Edit security & authentication settings permission is required, as described above.
For a user to log in using single sign-on, they must be assigned a role with the Login via Single Sign-On permission. To restrict users to log in only via SSO, remove the Login via ThousandEyes login page permission. Note that for users with management permissions, it is not possible to remove the Login via ThousandEyes login page permission. This feature ensures that administrators cannot be prevented from logging in when they have issues with an identity provider.