How to Configure Single Sign-On (SSO): Metadata
For the security of your SaaS-based infrastructure and the convenience of users in your organization, ThousandEyes offers login via single sign-on (SSO). ThousandEyes supports SAML 2.0-based SSO.

ThousandEyes-Side Configuration

Within ThousandEyes, SSO configuration is done in the Security & Authentication section under the Organization tab of Account Settings. The following information from your Identity Provider (IdP) must be supplied to ThousandEyes in order to get SSO working:
  • Login URL for your SAML provider
  • Logout URL for your SAML provider (optional)
  • Identity Provider Issuer
  • Service Provider Issuer
  • Verification certificate(s).
There are three methods to set these options:
  • Static Configuration
    • Each parameter needs to be supplied manually, including verification certificate(s).
  • Imported Metadata Configuration
    • ThousandEyes will parse a user-supplied metadata XML file and load the parameters.
  • Dynamic Configuration
    • ThousandEyes will parse a metadata file from a provided URL on demand (for each user login).

Identity Provider-Side Configuration

If XML metadata loading is supported by your Identity Provider, you can use our Service Provider (SP) metadata file available at the following URL: https://app.thousandeyes.com/saml-metadata
Alternatively, manual configuration of your Identity Provider can be performed. The following information lists the characteristics of ThousandEyes as a SAML Service Provider:
  • ThousandEyes supports both Service-Provider-initiated (i.e., ThousandEyes login page initiated) and Identity-Provider-Initiated (i.e., clicking a link from inside the customer portal) based logins
  • ThousandEyes post-back URL: https://app.thousandeyes.com/login/sso/acs
  • SAML Assertion NameID (unspecified or emailAddress format): Email address of user to be authenticated (must be already registered in ThousandEyes).
    • If a valid email address (as registered in ThousandEyes) is not found in the NameID field, the assertion will be parsed for additional name claims.
  • Connection details:
    • Request Compression: Yes
    • Assertion: Unsigned
    • Response: Signed
    • Destination: https://app.thousandeyes.com
    • AuthnContextClassRef: PasswordProtectedTransport
    • Audience Restriction: https://app.thousandeyes.com
      Note: When using static configuration, the Audience Restriction configured in your Identity Provider's configuration must exactly match the value set for the Service Provider Issuer field in ThousandEyes. Any mismatch, including a protocol mismatch (http:// vs https://) and trailing slashes will cause the request to be rejected. When using dynamic or imported metadata configurations, make sure you configure your IdP to use https://app.thousandeyes.com as the Audience Restriction.
    • AssertionConsumerService URL: https://app.thousandeyes.com/login/sso/acs
If your Identity Provider requires an unexpired certificate, contact ThousandEyes Support for a workaround that can provide you with an alternate metadata file.

Key Points in ThousandEyes Assertion Validation

  • ThousandEyes parses the email (our primary identifier of users) on the SamlResponse created by your Identity Provider. We require that you configure your IdP to supply a registered user's email address in one of the following attributes of the assertion (failure to find a registered email address in any of these attributes will break the SSO process):
    • NameID in the format "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”
    • NameID in the format "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    • Attribute "emailaddress"
    • Attribute "name"
    • Attribute "Email"
  • Make sure that at least one of the uploaded verification certificates corresponds to the private key that signs the SamlResponse assertion.
  • Verify that the AudienceRestriction configured in your IDP is an exact match of the service provider issuer string within ThousandEyes SSO configuration.

Vendor-Specific Configurations

ThousandEyes supports the use of any SAML 2.0-based identity provider for single-sign on.