How to Configure Single Sign-On with miniOrange

For the security of your SaaS-based infrastructure and the convenience of users in your organization, the ThousandEyes service offers login via single sign-on (SSO). ThousandEyes supports SAML2-based identity providers for single sign-on. There are two steps to set up single sign-on: the service provider configuration, which is done within ThousandEyes, and the identity provider configuration, done within your SSO system. In this configuration example, we use miniOrange as the identity provider.

Prerequisites

Configuration is normally simple. Here's what you need:
  • A ThousandEyes account assigned a role with the Edit security & authentication settings permission
  • A SAML2 authentication provider (in this example, miniOrange)

ThousandEyes Configuration

Follow these steps to configure your ThousandEyes organization to use single sign-on:
  1. Log into ThousandEyes using an account with a role that has the Edit security & authentication settings permission
  2. Open the Settings > Accounts page and click the Security & Authentication tab
  3. Check the Enable Single Sign-On box
  4. Configure the Setup Single Sign-On fields according to the following settings:
     Login Page URL
     Logout Page URL: https://auth.miniorange.com/moas/idp/samlsso (optional; see note below)
     Identity Provider Issuer
     Service Provider Issuer
     Verification Certificate: see the Download Certificate section, below
IMPORTANT: Ensure that the Service Provider Issuer field reflects the value set by the identity provider in the AudienceRestriction element of the SAML response. Any mismatch, including a protocol mismatch (http:// vs https://), will cause the request to be rejected.
NOTE: The Logout Page URL is optional. If used, the URL should point to the page you wish your users to see when logging out of ThousandEyes.

Identity Provider Configuration

Download Certificate

  1. Log in to the miniOrange Admin Console, and go to the View Policy tab of the Policies > App Authentication Policy page
  2. Download the verification certificate by clicking on the link, as indicated below
  3. Log in to ThousandEyes and go to the Security & Authentication tab of the Settings > Account page
  4. In the Setup Single Sign-On section, click the Browse button to select and upload the certificate
  5. Click the Save button to save the settings

Create a Policy for ThousandEyes

  1. Log in to the miniOrange Admin Console, and go to the Add Policy tab of the Policies > App Authentication Policy page
  2. Add a new policy for ThousandEyes according to the following settings:
     Application: Custom App
     ACS URL
     Group Name: DEFAULT
     Policy Name: ThousandEyes
     First Factor Type: PASSWORD
     Enable Second Factor: checked
  3. Click the Save button to save the settings

Add Users to miniOrange

  1. Log in to the miniOrange Admin Console, and go to the Users > End User List page
  2. Click the New User button
  3. Fill in the fields with the user's information
  4. Click the Save button to save the settings

Register Users in miniOrange

  1. Log in to the miniOrange Admin Console, and go to the Users > Onboarding Status page
  2. From the Users menu, select Onboarding Status, then select the users to send an activation mail to
  3. Click on the Send Activation Mail button to send an activation email to the selected users

Logging in Using SSO

  1. To log in to ThousandEyes, go to https://app.thousandeyes.com and click the SSO link
  2. Enter the SSO-enabled email address, and click the Log In link
  3. When the miniOrange authorization page appears, click the Login button
Alternatively, users can access the ThousandEyes application through the user's miniOrange dashboard. After logging in to a user's miniOrange account, a button named ThousandEyes should be available to provide access to ThousandEyes.

Connection Details for Troubleshooting

If your single sign-on login fails, verify that certain SAML settings are configured as below:
    • Request Compression: Yes
    • Assertion: Unsigned
    • Response: Signed
    • AuthnContextClassRef: PasswordProtectedTransport
    • AudienceRestriction: http://www.thousandeyes.com
      Note: The AudienceRestriction element generated by your identity provider's configuration must match exactly the value set for the Service Provider Issuer field in ThousandEyes. Any mismatch, including a protocol mismatch (http vs https), will cause the request to be rejected.
    • NameID Format: emailAddress
    • Role: User
    • AssertionConsumerServiceURL: https://app.thousandeyes.com/login/sso/acs
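
One way to check a captured SAML response against the values listed above, as an added example that is not ThousandEyes or miniOrange code: it decodes the base64 SAMLResponse form value and reports every field that differs. It does not verify the signature, the sample response is constructed, and comparing the Response's Destination attribute with the AssertionConsumerServiceURL is an assumption of this example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Expected values from the troubleshooting list: (value, exact match required?).
EXPECTED = {
    "Audience": ("http://www.thousandeyes.com", True),
    "Destination": ("https://app.thousandeyes.com/login/sso/acs", True),  # assumption
    "NameID Format": ("emailAddress", False),                 # compared as URN suffix
    "AuthnContextClassRef": ("PasswordProtectedTransport", False),  # URN suffix
}

def extract(root):
    """Read the checked fields from a parsed samlp:Response element."""
    aud = root.find(".//a:AudienceRestriction/a:Audience", NS)
    nid = root.find(".//a:Subject/a:NameID", NS)
    ctx = root.find(".//a:AuthnContext/a:AuthnContextClassRef", NS)
    return {
        "Audience": aud.text.strip() if aud is not None and aud.text else None,
        "Destination": root.get("Destination"),
        "NameID Format": nid.get("Format") if nid is not None else None,
        "AuthnContextClassRef": ctx.text.strip() if ctx is not None and ctx.text else None,
    }

def check_response(b64_response):
    """Return a list of mismatches; an empty list means every field matches."""
    found = extract(ET.fromstring(base64.b64decode(b64_response)))
    problems = []
    for field, (want, exact) in EXPECTED.items():
        got = found[field]
        ok = got is not None and (got == want if exact else got.endswith(":" + want))
        if not ok:
            problems.append(f"{field}: expected {want!r}, got {got!r}")
    return problems

def sample_response(audience):
    """Constructed, unsigned sample response (not captured from a real login)."""
    xml = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}"
      Destination="https://app.thousandeyes.com/login/sso/acs"><a:Assertion>
      <a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</a:NameID></a:Subject>
      <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>
      <a:AuthnStatement><a:AuthnContext><a:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</a:AuthnContextClassRef></a:AuthnContext></a:AuthnStatement>
      </a:Assertion></p:Response>"""
    return base64.b64encode(xml.encode())

if __name__ == "__main__":
    # Protocol mismatch (https instead of http) is reported as an Audience problem.
    print(check_response(sample_response("https://www.thousandeyes.com")))
```

Run it only on a response captured from your own login attempt; a clean result means the listed fields match, not that the response is authentic.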