ThousandEyes Documentation
Search…
ThousandEyes Documentation
What's New
Changelog
Product Documentation
Getting Started
Global Vantage Points
Internet and WAN Monitoring
Browser Synthetics
End-User Monitoring
Internet Insights
Alerts
Dashboards and Reports
Outage Detection
Device Layer
Account Management
Role-Based Access Control
Single Sign-On (SSO)
How to Configure Single Sign-On with PingOne
How to Configure Single Sign-On (SSO): Metadata
How to Configure Single Sign-On with Azure Active Directory
How to Configure Single Sign-On with Google G Suite
How to Configure Single Sign-On with Okta
How to Configure Single Sign-On with Active Directory Federation Services (ADFS)
How to Configure Single Sign-On with OneLogin
How to Configure Single Sign-On with miniOrange
Account Groups
Usage and Billing
Integration Guides
API
Privacy-Related
Archived Documentation
Archived Release Notes
2021
2020
2019
2018
2017
2016
2015
2014
2013
2012
How to Configure Single Sign-On (SSO): Metadata
For the security of your SaaS-based infrastructure and the convenience of users in your organization, ThousandEyes offers login via single sign-on (SSO). ThousandEyes supports SAML 2.0-based SSO.

ThousandEyes-Side Configuration

Within ThousandEyes, SSO configuration is done in the Security & Authentication section under the Organization tab of Account Settings. The following information from your Identity Provider (IdP) must be supplied to ThousandEyes in order to get SSO working:
    Login URL for your SAML provider
    Logout URL for your SAML provider (optional)
    Identity Provider Issuer
    Service Provider Issuer
    Verification certificate(s).
There are three methods to set these options:
    Static Configuration
      Each parameter needs to be supplied manually, including verification certificate(s).
    Imported Metadata Configuration
      ThousandEyes will parse a user-supplied metadata XML file and load the parameters.
    Dynamic Configuration
      ThousandEyes will parse a metadata file from a provided URL on demand (for each user login).

Identity Provider-Side Configuration

If XML metadata loading is supported by your Identity Provider, you can use our Service Provider (SP) metadata file available at the following URL: https://app.thousandeyes.com/saml-metadata
Alternatively, manual configuration of your Identity Provider can be performed. The following information lists the characteristics of ThousandEyes as a SAML Service Provider:
    ThousandEyes supports both Service-Provider-initiated (i.e. ThousandEyes login page initiated) and Identity-Provider-Initiated (i.e. clicking a link from inside the customer portal) based logins
    ThousandEyes post-back URL: https://app.thousandeyes.com/login/sso/acs
    SAML Assertion NameID (unspecified or emailAddress format): Email address of user to be authenticated (must be already registered in ThousandEyes).
      If a valid email address (as registered in ThousandEyes) is not found in the NameID field, the assertion will be parsed for additional name claims.
    Connection details:
      Request Compression: Yes
      Assertion: Unsigned
      Response: Signed
      Destination: https://app.thousandeyes.com
      AuthnContextClassRef: PasswordProtectedTransport
      Audience Restriction: https://app.thousandeyes.com
      Note: When using static configuration, the Audience Restriction configured in your Identity Provider's configuration must exactly match the value set for the Service Provider Issuer field in ThousandEyes. Any mismatch, including a protocol mismatch (http:// vs https://) and trailing slashes will cause the request to be rejected. When using dynamic or imported metadata configurations, make sure you configure your IdP to use https://app.thousandeyes.com as the Audience Restriction.
      Recipient: https://app.thousandeyes.com
      AssertionConsumerService URL: https://app.thousandeyes.com/login/sso/acs

Key Points in ThousandEyes Assertion Validation

    ThousandEyes parses the email (our primary identifier of users) on the SamlResponse created by your Identity Provider. We require that you configure your IdP to supply a registered user's email address in one of the following attributes of the assertion (failure to find a registered email address in any of these attributes will break the SSO process):
      NameID in the format "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”
      NameID in the format "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      Attribute "emailaddress"
      Attribute "name"
      Attribute "Email"
    Make sure that at least one of the uploaded verification certificates corresponds to the private key that signs the SamlResponse assertion.
    Verify that the AudienceRestriction configured in your IDP is an exact match of the service provider issuer string within ThousandEyes SSO configuration.

Vendor-Specific Configurations

ThousandEyes supports the use of any SAML 2.0-based identity provider for single-sign on.
Previous
How to Configure Single Sign-On with PingOne
Next
How to Configure Single Sign-On with Azure Active Directory
Last modified 2mo ago
Copy link
Contents
ThousandEyes-Side Configuration
Identity Provider-Side Configuration
Key Points in ThousandEyes Assertion Validation
Vendor-Specific Configurations