How to Configure Single Sign-On (SSO): Metadata
For the security of your SaaS-based infrastructure and the convenience of users in your organization, ThousandEyes offers login via single sign-on (SSO). ThousandEyes supports SAML 2.0-based SSO.
Within ThousandEyes, SSO configuration is done in the Account Settings > Organization Settings > Security and Authentication tab. To get SSO working, you'll need the following information from your Identity Provider (IdP):
- Login URL for your SAML provider
- Logout URL for your SAML provider (optional)
- Identity Provider Issuer
- Service Provider Issuer
- Verification certificate(s)
There are three methods to set these options:
- Static Configuration
  - Each parameter must be supplied manually, including verification certificate(s).
- Imported Metadata Configuration
  - ThousandEyes will parse a user-supplied metadata XML file and load the parameters.
- Dynamic Configuration
  - ThousandEyes will parse a metadata file from a provided URL on demand (for each user login).
If your Identity Provider supports XML metadata loading, you can use our Service Provider (SP) metadata file available at the following URL:
https://app.thousandeyes.com/saml-metadata
Alternatively, you can opt for manual configuration of your Identity Provider. The following information lists the characteristics of ThousandEyes as a SAML Service Provider:
- ThousandEyes supports both Service-Provider-initiated (i.e., initiated from the ThousandEyes login page) and Identity-Provider-initiated (i.e., clicking a link from inside the customer portal) logins.
- SAML Assertion NameID (unspecified or emailAddress format): The email address of the user to be authenticated (must already be a registered user in the ThousandEyes platform).
  - If a valid email address (as registered in ThousandEyes) is not found in the NameID field, the assertion will be parsed for additional name claims.
- Connection details:
  - Request Compression: Yes
  - Assertion: Unsigned
  - Response: Signed
  - Destination: https://app.thousandeyes.com
  - AuthnContextClassRef: PasswordProtectedTransport
  - Audience Restriction: https://app.thousandeyes.com
  Note: When using static configuration, the Audience Restriction configured in your Identity Provider's configuration must exactly match the value set for the Service Provider Issuer field in ThousandEyes. Any mismatch, including a protocol mismatch (http:// vs https://) and trailing slashes, will cause the request to be rejected. When using dynamic or imported metadata configurations, make sure you configure your IdP to use https://app.thousandeyes.com as the Audience Restriction.
- ThousandEyes parses the email (our primary identifier of users) on the SamlResponse created by your Identity Provider. We require that you configure your IdP to supply a registered user's email address in one of the following attributes of the assertion (failure to find a registered email address in any of these attributes will break the SSO process):
  - NameID in the format "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
  - NameID in the format "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  - Attribute "emailaddress"
  - Attribute "name"
  - Attribute "Email"
- Make sure that at least one of the uploaded verification certificates corresponds to the private key that signs the SamlResponse assertion.
- Verify that the AudienceRestriction configured in your IdP exactly matches the Service Provider Issuer string in the ThousandEyes SSO configuration.
ThousandEyes supports the use of any SAML 2.0-based identity provider for single sign-on.