How to Configure Single Sign-On (SSO): Metadata

For the security of your SaaS-based infrastructure and the convenience of users in your organization, ThousandEyes offers login via single sign-on (SSO). ThousandEyes supports SAML 2.0-based SSO.

ThousandEyes-Side Configuration

Within ThousandEyes, SSO configuration is done in the Account Settings > Organization Settings > Security and Authentication tab. To get SSO working, you'll need the following information from your Identity Provider (IdP):
  • Login URL for your SAML provider
  • Logout URL for your SAML provider (optional)
  • Identity Provider Issuer
  • Service Provider Issuer
  • Verification certificate(s)
There are three methods to set these options:
  • Static Configuration
    • Each parameter must be supplied manually, including verification certificate(s).
  • Imported Metadata Configuration
    • ThousandEyes will parse a user-supplied metadata XML file and load the parameters.
  • Dynamic Configuration
    • ThousandEyes will parse a metadata file from a provided URL on demand (for each user login).

Identity Provider-Side Configuration

If your Identity Provider supports XML metadata loading, you can use our Service Provider (SP) metadata file available at the following URL:
Alternatively, you can opt for manual configuration of your Identity Provider. The following information lists the characteristics of ThousandEyes as a SAML Service Provider:
  • ThousandEyes supports both Service-Provider-initiated logins (i.e., started from the ThousandEyes login page) and Identity-Provider-initiated logins (i.e., started by clicking a link inside the customer portal)
  • ThousandEyes post-back URL:
  • SAML Assertion NameID (unspecified or emailAddress format): The email address of the user to be authenticated (must already be a registered user in the ThousandEyes platform).
    • If a valid email address (as registered in ThousandEyes) is not found in the NameID field, the assertion will be parsed for additional name claims.
  • Connection details:
    • Request Compression: Yes
    • Assertion: Unsigned
    • Response: Signed
    • Destination:
    • AuthnContextClassRef: PasswordProtectedTransport
    • Audience Restriction:
      Note: When using static configuration, the Audience Restriction configured in your Identity Provider must exactly match the value set for the Service Provider Issuer field in ThousandEyes. Any mismatch, including a protocol mismatch (http:// vs. https://) or a trailing slash, will cause the request to be rejected. When using dynamic or imported metadata configurations, make sure you configure your IdP to use as the Audience Restriction.
    • AssertionConsumerService URL:

Key Points in ThousandEyes Assertion Validation

  • ThousandEyes parses the email (our primary identifier of users) on the SamlResponse created by your Identity Provider. We require that you configure your IdP to supply a registered user's email address in one of the following attributes of the assertion (failure to find a registered email address in any of these attributes will break the SSO process):
    • NameID in the format "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    • NameID in the format "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    • Attribute "emailaddress"
    • Attribute "name"
    • Attribute "Email"
  • Make sure that at least one of the uploaded verification certificates corresponds to the private key that signs the SamlResponse assertion.
  • Verify that the AudienceRestriction configured in your IdP is an exact match of the Service Provider Issuer string within the ThousandEyes SSO configuration.
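The following is an added example (not ThousandEyes code) that mirrors the two checks above on a constructed SAML response: an exact-string audience comparison, then the search for a registered email in a NameID of an accepted format, falling back to the listed attributes. `SP_ISSUER`, the `registered` set and the sample response are assumptions; signature verification against the uploaded certificates must run before these checks and is not shown.

```python
import xml.etree.ElementTree as ET  # production code: use defusedxml to block entity-expansion attacks

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical value of the "Service Provider Issuer" field; the IdP's Audience must equal it exactly
SP_ISSUER = "https://sp.example.test/saml/metadata"
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
EMAIL_ATTRIBUTES = ("emailaddress", "name", "Email")  # fallbacks, in the order the page lists them

def check_audience(assertion, expected):
    """Exact string comparison: http vs. https or a trailing slash counts as a mismatch."""
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return any((a.text or "").strip() == expected for a in assertion.findall(path, NS))

def extract_email(assertion, registered):
    """Registered email from NameID (accepted formats only), else from the fallback attributes."""
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is not None and nameid.get("Format") in NAMEID_FORMATS:
        if (nameid.text or "").strip() in registered:
            return nameid.text.strip()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in EMAIL_ATTRIBUTES:
            for value in attr.findall("saml:AttributeValue", NS):
                if (value.text or "").strip() in registered:
                    return value.text.strip()
    return None

def validate_response(xml_text, registered, expected_audience=SP_ISSUER):
    """Audience check, then registered-email lookup; signature verification is assumed done earlier."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return (False, "no Assertion element")
    if not check_audience(assertion, expected_audience):
        return (False, "audience mismatch")
    email = extract_email(assertion, registered)
    return (True, email) if email else (False, "no registered email in NameID or attributes")

# Constructed sample: NameID holds a username (not a registered email), so the "Email" attribute is used
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, {"jdoe@example.test"}))  # (True, 'jdoe@example.test')
```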

Vendor-Specific Configurations

ThousandEyes supports the use of any SAML 2.0-based identity provider for single sign-on.