ThousandEyes Documentation
  • ThousandEyes Documentation
  • What's New
    • Changelog
    • Naming and Navigation Menu Changes - Summary List
  • Product Documentation
    • Getting Started
      • Getting Started with Account Setup
      • Getting Started with Cloud and Enterprise Agents
      • Getting Started with Cloud and Enterprise Agent Tests
      • Getting Started with Endpoint Agents
      • Getting Started with Transactions
      • Getting Started with Dashboards
      • Getting Started with Alerts
      • Getting Started with Internet Insights
      • Getting Started with the ThousandEyes API
      • Getting Started with API Tests
      • Getting Support from ThousandEyes
      • Notification of Upgrades, Maintenance and Outages
      • New User FAQ
      • ThousandEyes Glossary
    • Global Vantage Points
      • Cloud Agents
        • Where Are Cloud Agents Available?
        • Webex Cloud Agents
        • AWS Wavelength Cloud Agents
        • Cloud Agent with Local Problems
      • Enterprise Agents
        • Getting Started
          • Where Can I Get the Account Group Token?
        • Installing
          • Enterprise Agent System Requirements
            • Enterprise Agent Support Lifecycle
          • Appliances
            • How to Set Up the Virtual Appliance
            • Enterprise Agents: Hypervisor Installation
            • Installing Enterprise Agent on VirtualBox
            • Enterprise Agent Deployment Using ThousandEyes Virtual Appliance (Hyper-V)
            • Enterprise Agent Deployment Using ThousandEyes Virtual Appliance (OVA)
            • Custom Virtual Appliances
            • Installing a Physical Appliance
            • Installing an Enterprise Agent on a Raspberry Pi Device
          • Cisco Devices
            • Catalyst Switching
            • Catalyst Routing
            • Nexus Switching
            • Service Routing
            • Meraki MX Appliances
            • Cisco Enterprise NFV Infrastructure Software
            • Installation Methods
              • Installing Enterprise Agents on Cisco Nexus Switches with Application Hosting
              • Installing Enterprise Agents on Cisco Nexus Switches with Guestshell
              • Installing Enterprise Agents on Cisco Routers using SD-WAN Manager Feature Templates
              • Installing Enterprise Agents on Cisco Routers using the SD-WAN Manager ThousandEyes Workflow
              • Installing Enterprise Agents on Cisco Switches with Docker
              • Installing Enterprise Agents on Cisco Routers with Docker
              • Installing Enterprise Agents on Cisco Switches with the DNA Center
          • Linux Packages
            • Enterprise Agent Deployment Using Linux Package Method
            • Installing the Enterprise Agent with BrowserBot on Oracle Linux Server 7
          • Docker Agents
            • Installing Enterprise Agents with Docker
          • Cloud Templates
            • Installing Enterprise Agents with Microsoft Azure
          • Docker Agent Configuration Options
          • Missing Dependencies for Enterprise Agent on Redhat Enterprise Linux RHEL 7 Installation
          • Migrating ThousandEyes Appliance or Package-Based Enterprise Agent to Docker
        • Configuring
          • Password Reset on the Virtual Appliance
          • Configuring rDNS Lookups for Enterprise Agents
          • Connecting to the ThousandEyes Virtual Appliance Using SSH (Mac/Linux)
          • Connecting to the ThousandEyes Virtual Appliance Using SSH (Windows)
          • Static IP Addresses for ThousandEyes Repositories
          • Firewall Configuration for Enterprise Agents
          • Enterprise Agent Port Forwarding
          • Security Policy and Public NTP Servers on Enterprise Agents
          • Secure Access to ThousandEyes Appliances
          • Disabling the Web Server of a Virtual Appliance
          • NAT Traversal for Agent-to-Agent Tests
          • Enterprise Agent on Docker Advanced Networking
        • Managing
          • Cisco Devices
            • Disable, Restart, or Uninstall the Enterprise Agent via DCNM
          • Docker Agents
            • Add/Remove BrowserBot from Existing Docker Enterprise Agents
          • Upgrading Operating Systems for Enterprise Agents
          • Backup and Restore Your Enterprise Agent Configuration
          • Upgrade Ubuntu 20.04 Focal-Based ThousandEyes Appliances
          • Crash Reporting for Enterprise Agents
          • Configuring a Local Mirror of the ThousandEyes Package Repository
          • Resetting an Enterprise Agent
          • Working with Enterprise Agent Clusters
          • Replacing an Enterprise Agent Using the Agent Clustering Method
          • Replacing an Enterprise Agent Using Agent Identity Files
          • Unlocking the ThousandEyes Appliance
          • Uninstalling the Enterprise Agent (Linux Package)
        • Proxy Environments
          • Installing Enterprise Agents in Proxy Environments
          • Configuring an Enterprise Agent to Use a Proxy Server
          • Writing and Testing Proxy Auto-Configuration (PAC) Files
        • Troubleshooting
          • How to Generate Packet Captures
          • Troubleshooting Automatic-Update Problems on Enterprise Agents
          • Troubleshooting Time Synchronization on Enterprise Agents
          • Installing CA Certificates on Enterprise Agents
          • Agent Unable to Trace Path to Destination?
          • BrowserBot Installation Fails on Red Hat or CentOS in Amazon EC2
          • What to Do If te-agent Stops Running Due to a VACUUM Error
        • Enterprise Agents: What Information Do We Collect?
        • What Is BrowserBot?
        • Upgrading to BrowserBot 2
        • Upgrading to BrowserBot 2.6+ (Chromium 97)
        • Enterprise Agent Utilization
        • Network Utilization from Enterprise Agent Test Traffic
        • Enterprise Agent Interface Selection
        • ThousandEyes Product Lifecycle Policy
      • Endpoint Agents
        • Installing
          • System Requirements
          • Download the Endpoint Agent Installer
          • Install the Endpoint Agent
          • Reinstall the Endpoint Agent
          • Install the Endpoint Agent Browser Extension
          • Install Endpoint Agents for Windows via Group Policy
          • Installing Browser Extensions for Windows via Group Policy
          • Guidance for Windows Software Deployment Teams
          • Install Endpoint Agents for macOS using Munki and the Managed Software Center
          • Deploy an MSI package to Intune for Windows Devices
          • Endpoint Agent Installation on Cisco Webex Devices (RoomOS)
          • Endpoint Agent Installation on Cisco Phone Devices (PhoneOS)
          • Uninstall or Delete an Endpoint Agent
          • Endpoint Agent Installation Reference
          • NPCAP Driver Upgrade Management
        • Configuring
          • Configure Endpoint Agent Labels
          • Endpoint Agent Proxy Configuration for Scheduled Tests
        • Managing
          • Manage Endpoint Agent Settings
        • How Does the Endpoint Agent Work
        • Cisco Secure Client ThousandEyes Endpoint Agent Module
        • Endpoint Agent Licensing
        • Assigning tests to an Endpoint Agent
        • Data Collected by Endpoint Agent
        • Reporting on data collected by Endpoint Agent
        • Endpoint Agent VPN Support
        • Endpoint Agent TCP Support
        • Endpoint Agent End-user Experience
        • Endpoint Agent FAQ
      • Working with Agent Settings
      • Obtaining a list of ThousandEyes Agent IP Addresses with te-iplist
    • Tests
      • HTTP Server Tests
        • Collecting Proxy Metrics
        • POSIX Extended Regular Expression Syntax (Quick Reference)
        • POSIX Extended Regular Expression Syntax
        • Custom User-Agent Strings in a Web Test
        • Two-Step HTTP Testing (OAuth)
      • Web-Layer Tests
      • Network Tests
        • Network Tests Explained
        • Agent-to-Agent Test Overview
        • DSCP Options in Network Tests
      • DNS Tests
      • Voice Tests
        • Using the SIP Server View
        • Using the RTP Stream View
      • BGP Tests
        • Inside-Out BGP Visibility
        • Using the BGP Route Visualization View
        • Using the BGP Updates Table
        • Working with Raw BGP Data
        • Reasons for Failure of Private Peering with ThousandEyes
        • RPKI
      • API Tests
        • Using the API Test Step Builder
      • Templates
        • User-defined Templates
      • Recommendations
        • Associated Service Recommendations
        • AWS Test Recommendations
      • ThousandEyes Metrics: What Do Your Results Mean?
      • Sharing Test Data
      • Working with Test Settings
      • Scheduled Versus Instant Tests
      • Working with Instant Tests
      • Working with Labels for Agent and Test Groups
      • Multi-Service Views
      • Identifying Traffic from ThousandEyes Agents
      • Excluding ThousandEyes Agents from Google Analytics
    • Internet and WAN Monitoring
      • Path Visualization
        • How Path Trace Works
        • MPLS Tunnel Inference Using Deep Path Analysis
        • Troubleshooting
          • Reasons for Missing Information on the Visualization View
          • Virtual Machine with NAT Breaks Path Visualization
          • Cisco ASA Breaks Path Visualization
          • Path Visualization: Edge Firewall Incorrectly Shows a Single Hop to the Destination
          • Network Overview Shows Packet Loss That Does Not Appear in Path Visualization
      • Views
        • Using the Network Overview
        • Using the FTP Server View
        • Using the HTTP Server View
        • Using the DNS Server View
        • Using the DNS Domain Trace View
        • Using the DNSSEC Trace View
        • Using the API Test Views
      • Troubleshooting
        • CLI Network Troubleshooting Utilities
        • HTTP Server Test Fails with SSL Error
        • HTTP Server Test Fails with SSL Error: OpenSSL SSL_connect: SSL_ERROR_SYSCALL
        • HTTP Server Test Error "dh Key Too Small"
    • Browser Synthetics
      • Browser Synthetics Test Types
      • Browser Synthetics Disambiguation
      • Test Settings for Page Load and Transaction Tests
      • Navigating Waterfall Charts for Page Load and Transaction Tests
      • Using Round Robin Test Scheduling
      • What Information Is Transmitted in a Page Load or Transaction Test?
      • Transaction Test SSO Support
        • Implementing SSO in Transaction Scripts
        • Caveats for NTLM/Kerberos Authentication
        • TOTP Examples for SSO
      • Page Load Tests
        • When to Use a Page Load Test
        • Creating a Page Load Test
        • Using the Page Load View
        • How to Generate a HAR File
        • Migrating to Single Interval for Page Load Tests
        • Creating a Page Load Test that Uses SSO
      • Transaction Tests
        • Getting Started With Transaction Tests
          • When to Use a Transaction Test
          • Transaction Tests Compared With Other Test Types
          • ThousandEyes Recorder
          • ThousandEyes Recorder Permissions
          • Working With Web Development Tools
          • Working With Secure Credentials
          • Transaction Test Table Tab View
          • Transaction Metrics on Alerts and Dashboards
          • Screenshots in Transaction Test Views
        • Transaction Test Development Guide
          • Creating Robust Transaction Scripts
            • Optimizing and Troubleshooting Transaction Scripts
            • Transaction Scripting Tips and Tricks
          • Transactions – Executing Custom JavaScript Code
        • Use Cases | Code Examples
          • Uploading or Downloading Files in a Script
            • Transaction Scripting Examples for File Downloads
          • Include API Calls in a Transaction Test
            • Using the node-fetch module
            • Using the net module
            • Using the tls module
        • Transaction Scripting Reference
      • Dual Chromium Option
        • Why Are Regular Chromium Upgrades Needed?
        • Configuring Dual Chromium
        • Working With Dual Chromium
        • Chromium Update History
        • Chromium Upgrade Known Issues
    • Endpoint Experience
      • Test Settings
        • Monitoring an Application using Synthetic Tests
        • Configuration Options for Synthetic Tests
        • Managing Synthetic Tests
        • Real User Tests
      • Viewing Data
        • Endpoint Agent Scheduled Tests View
        • Endpoint Agent Real User Tests View
        • Endpoint Agent Local Networks View
        • Endpoint Agent Dynamic Tests View
        • Endpoint Agent Views
        • Endpoint Views Reference
      • Troubleshooting
        • Step-by-Step Guide to Troubleshooting Endpoint Agent Problems
        • Troubleshooting Endpoint Agent Issues
    • Connected Devices
      • Connected Devices Tests
        • Routing
          • Traceroute
        • Network
          • Speed Tests
          • Latency, Loss, Disconnections, and Jitter Tests
          • Responsiveness (Latency under Load) Tests
        • DNS
          • DNS Resolution Tests
        • Web
          • Web Browsing Lite Tests
          • Generic Streaming (HLS/DASH) Tests
        • Voice
        • Dynamic Application Test Suites
          • Gameplay Test Suite
          • Video Conferencing Test Suite
          • Social Media Test Suite
          • Game Store Test Suite
          • Video Streaming Test Suite
            • Netflix Streaming Tests
            • YouTube Streaming Tests
            • BBC iPlayer Streaming Tests
          • Content Delivery Network (CDN) Test Suite
        • Local Network Information
          • Data Usage
      • Test Management
        • Test Triggers
          • Scheduled Tests
          • Instant Tests
        • Testing Thresholds
        • Test Targets
          • Test Server Methodology
        • Automatic Test Configuration Retrieval
      • Device Agents
        • Router Agents
          • Router Agent Device Support
        • Connected Devices Agent Release Versions
      • Usage Guides
        • Viewing Charts
        • Configuring Charts
        • Using Maps
        • Exporting Data
        • Importing Metadata
        • Managing Metadata
        • Creating Reports
        • Viewing Agents
        • Using Test Schedules
        • Accessing Your APIs
        • Using ConstantCare
      • Cisco Real Speed
    • Cloud Insights
      • Integrations
      • Views
      • Settings
    • Traffic Insights
      • Traffic Insights System Requirements
      • Traffic Insights Configuration Guide
      • Traffic Insights Views and Settings
      • Traffic Insights FPS Monitoring
    • WAN Insights
      • WAN Insights Quick Start
        • How to Activate ThousandEyes WAN Insights
        • WAN Insights Introductory Tour, Part 1
        • WAN Insights Introductory Tour, Part 2
        • WAN Insights Introductory Tour, Part 3
      • Introducing WAN Insights
        • What Is WAN Insights?
        • WAN Insights Value-Add
        • Why Use WAN Insights?
        • Using WAN Insights Together With ThousandEyes Network Assurance
        • Using WAN Insights Together with vAnalytics and vManage
        • WAN Insights Key Components
        • Enabling WAN Insights
        • Getting Support for WAN Insights
      • WAN Insights Terminology and Reference
      • WAN Insights Technical Overview
        • Application Categories
        • Sites, Routers, Paths, and Interfaces
        • Application Traffic Types
        • Estimating User Counts
        • Estimating Throughput
        • Capacity Planning
        • Understanding Quality
        • Life of a Recommendation
        • Understanding Recommendations
        • WAN Insights and ThousandEyes Alerts
      • WAN Insights User Interface
        • Logging In for the First Time
        • WAN Insights Screens and Workflows
        • Recommendations Screen
        • Recommendation Cards, Explained
        • Recommendation Details Modal
        • Endpoint-Pair Quality Comparison
        • Site Details Screen
        • Capacity Planning Screen
        • Capacity Detail Modal
        • Enter or Upload Bandwidth Data
      • Common Tasks
        • Adding Business-Critical Applications to WAN Insights
        • Email Notifications
        • Adding and Managing WAN Insights Users
        • Applying WAN Insights Recommendations
    • Internet Insights
      • Internet Insights Terminology
      • Limited Outage Map
      • Internet Insights Screens
        • Overview Screen
        • Internet Insights Service Views Screen
        • Application Outages
        • Network Outages
        • Catalog Settings Screen
      • Saving and Sharing from Internet Insights
      • Configuring Internet Insights
      • Provider Labels
      • Using Alerts and Dashboards With Internet Insights
        • My Affected Tests
        • Setting Up Alert Rules for Internet Insights
        • Using the Internet Insights Built-In Dashboard
    • Event Detection
    • Alerts
      • Creating and Editing Alert Rules
        • Global and Location Alert Conditions
        • Alert Rule Severity
        • Adaptive Alert Detection
        • Dynamic Baselines
        • Transport Layer Security (TLS) Alerts
        • Alert Rules for Devices
        • Alert Metrics Reference
      • Default Alert Rules
      • Viewing Alerts
      • Alert Clearing
        • Alert Suppression Windows
      • Alert Notifications
      • Standard Notification Methods
        • Alert Notifications via Email
        • Alert Notifications via SMS
        • Classic Webhooks for Alert Notifications
    • Dashboards
      • Using the Dashboard
      • Customizing Your Dashboard
      • Using the Dashboard Templates
      • Dashboard Widgets
      • Embedding Dashboard Widgets in External Web Sites
      • Excluding Periods of Data From a Dashboard
      • Dashboard Sharing and Snapshots
      • Dashboard Labels
      • Troubleshooting with Dashboard Drill Down
      • Tailoring Dashboards with Dashboard Filters
    • Device Layer
      • Discovering Device-Layer Devices
      • Device Discovery Results
      • Using the Device Layer View
    • Account Management
      • User Registration
        • SAML JIT Provisioning
        • ThousandEyes Support for SCIM
          • How to Configure SCIM with Azure Active Directory
          • How to Configure SCIM with Okta
      • Authorization
        • Role-Based Access Control
          • Role-Based Access, Explained
          • Built-In Roles and Permissions
        • Account Groups
          • What is an Account Group?
          • Working with Account Settings
          • Users in Multiple Organizations
          • Changing Ownership of a Test
          • Working with Time Zone Settings
        • OAuth 2.0 with ThousandEyes
          • Integrations with OAuth 2.0
        • Adding a Profile Image with Gravatar
      • Authentication
        • Logging In
        • How to Configure Single Sign-On
      • User Activity
        • Working with the Activity Log
        • ThousandEyes User Session Timeouts and Terminations
        • How Long is my Data Accessible via ThousandEyes?
        • Retaining Data Beyond the 90-Day Limit
        • Multi-Region Cloud Support
      • Usage-Based Billing
        • About Our Consumption Model
          • Device Agent Consumption Model
        • About Units
        • Test Type Layers and Units
        • Setting Quotas
        • Calculating Units
        • FAQs: Usage
      • Customer Security and Privacy Responsibilities
    • Integrations
      • Custom Webhooks
        • Using OAuth 2.0 Authentication for Your Custom Webhook
        • Webhook Variables
      • Custom Webhook Examples
        • Microsoft Teams for Alert Notifications
        • Cisco Webex for Alert Notifications
        • Google Chat for Alert Notifications
        • Event-Driven Ansible for Alert Notifications
        • Splunk Alert Notification
      • Custom-Built Integrations
        • PagerDuty for Alert Notifications
        • ServiceNow for Alert Notifications
          • Incident Management
        • Slack for Alert Notifications
        • AppDynamics for Alert Notifications
        • AppDynamics for Test Recommendations
        • AWS for Test Recommendations
        • AWS for Cloud Insights
          • AWS for Cloud Insights Using CLI
        • Meraki for Data Enrichment
        • Webex Control Hub Integration
        • Microsoft Teams Integration
        • ThousandEyes for OpenTelemetry
          • Configuring ThousandEyes for OpenTelemetry
            • Configuring ThousandEyes for OpenTelemetry Using the API
            • Configuring ThousandEyes for OpenTelemetry Using the UI
          • Configuring ThousandEyes for Splunk Cloud or Enterprise
            • Configuring ThousandEyes for Splunk Cloud or Enterprise using the API
            • Configuring ThousandEyes for Splunk Cloud or Enterprise using the UI
          • ThousandEyes for OpenTelemetry Data Model
            • ThousandEyes for OpenTelemetry Data Model v1
              • OpenTelemetry Collector Data v1 Example
            • ThousandEyes for OpenTelemetry Data Model v2
              • ThousandEyes for OpenTelemetry Data Model v2 - Metrics
                • OpenTelemetry Collector Data v2 Metrics Example
                • ThousandEyes for OpenTelemetry Data Model Metrics - Migration from v1 to v2
              • ThousandEyes for OpenTelemetry Data Model v2 - Traces
                • OpenTelemetry Collector Data v2 Traces Example
          • OpenTelemetry Collector Configuration
          • Automatic Disabling of Failing Streaming Integrations
        • Cisco ThousandEyes App for Splunk
          • Configuration
          • Inputs
          • Dashboards
          • Troubleshooting
    • Best-Practices Guides
      • Choosing the Right Test Protocol for Network & App Synthetics Tests
      • Optimizing SYN vs SACK Probing Methods to Avoid Unexplainable Packet Loss
      • Using Dashboards to Tell a Story
      • Best Practices for Implementing Account Groups
      • Monitoring Microsoft 365
      • Monitoring Microsoft Teams
      • Monitoring Salesforce
      • Monitoring Slack
      • Monitoring Webex Meetings with Endpoint Agents
      • Monitoring Webex Calling
      • Monitoring Webex Meetings with Cloud and Enterprise Agents
      • Monitoring Zoom
    • API
      • Create/Update/Delete Tests Using the ThousandEyes API
      • Obtaining a List of ThousandEyes Agent IP Addresses
      • Writing JSON to API Produces HTTP 406 Response Code
    • Privacy-Related
      • Authorized Subprocessors for ThousandEyes Network Intelligence Platform
    • Archived Documentation
      • Archived - Displaying and Alerting for Unit Consumption
      • Archived - Dependency Tree for ThousandEyes Enterprise Agent Software
      • Archived - Getting Started with ThousandEyes
      • Archived - Sending ThousandEyes Alerts to AppDynamics
      • Archived - ThousandEyes Infrastructure Changes
      • Archived - Using the Transactions (Classic) View
      • Archived - Transaction Test Migration Workflow
      • Archived - Instructions for Mitigating Meltdown and Spectre on Enterprise Agents
      • Archived - Bash (ShellShock) Security Notice
      • Archived - Endpoint Installation using Customized Installers
      • Archived - Configuring Endpoint Agent Setup
      • Archived - Creating Scheduled Tests on Endpoint Agents
      • Archived - Managing the Endpoint Agent
      • Archived - Enterprise Agent Installation on Juniper NFX Routers
      • Archived - Installing and Removing ThousandEyes X Virtual Framebuffer on Enterprise Agents
      • Archived - Permitted Content Types for Page Load Tests
  • Archived Release Notes
    • 2024
      • Release Notes: January 2024
      • Release Notes: February 2024
      • Release Notes: March 2024
      • Release Notes: April 2024
      • Release Notes: May 2024
      • Release Notes: June 2024
      • Release Notes: July 2024
      • Release Notes: August 2024
    • 2023
      • Release Notes: January 2023
      • Release Notes: February 2023
      • Release Notes: March 2023
      • Release Notes: April 2023
      • Release Notes: May 2023
      • Release Notes: June 2023
      • Release Notes: July 2023
      • Release Notes: August 2023
      • Release Notes: September 2023
      • Release Notes: October 2023
      • Release Notes: November 2023
      • Release Notes: December 2023
    • 2022
      • Release Notes: January 2022
      • Release Notes: February 2022
      • Release Notes: March 2022
      • Release Notes: April 2022
      • Release Notes: May 2022
      • Release Notes: June 2022
      • Release Notes: July 2022
      • Release Notes: August 2022
      • Release Notes: September 2022
      • Release Notes: October 2022
      • Release Notes: November 2022
      • Release Notes: December 2022
    • 2021
      • Release Notes: January 2021
      • Release Notes: February 2021
      • Release Notes: March 2021
      • Release Notes: April 2021
      • Release Notes: May 2021
      • Release Notes: June 2021
      • Release Notes: July 2021
      • Release Notes: August 2021
      • Release Notes: September 2021
      • Release Notes: October 2021
      • Release Notes: November 2021
      • Release Notes: December 2021
    • 2020
      • Release Notes: January 2020
      • Release Notes: February 2020
      • Release Notes: March 2020
      • Release Notes: April 2020
      • Release Notes: May 2020
      • Release Notes: June 2020
      • Release Notes: July 2020
      • Release Notes: August 2020
      • Release Notes: September 2020
      • Release Notes: October 2020
      • Release Notes: November 2020
      • Release Notes: December 2020
    • 2019
      • Release Notes: 2019-01-08
      • Release Notes: 2019-02-06
      • Release Notes: 2019-02-20
      • Release Notes: 2019-03-06
      • Release Notes: 2019-03-19
      • Release Notes: 2019-04-02
      • Release Notes: 2019-04-30
      • Release Notes: 2019-05-14
      • Release Notes: 2019-05-30
      • Release Notes: 2019-06-11
      • Release Notes: 2019-07-23
      • Release Notes: 2019-08-06
      • Release Notes: 2019-08-20
      • Release Notes: 2019-09-03
      • Release Notes: 2019-09-17
      • Release Notes: 2019-10-03
      • Release Notes: 2019-10-15
      • Release Notes: 2019-10-29
      • Release Notes: 2019-11-12
      • Release Notes: 2019-11-26
      • Release Notes: 2019-12-10
    • 2018
      • Release Notes: 2018-01-10
      • Release Notes: 2018-01-17
      • Release Notes: 2018-01-31
      • Release Notes: 2018-02-14
      • Release Notes: 2018-03-07
      • Release Notes: 2018-03-14
      • Release Notes: 2018-03-28
      • Release Notes: 2018-04-11
      • Release Notes: 2018-04-25
      • Release Notes: 2018-05-09
      • Release Notes: 2018-05-23
      • Release Notes: 2018-06-06
      • Release Notes: 2018-06-20
      • Release Notes: 2018-07-03
      • Release Notes: 2018-07-18
      • Release Notes: 2018-08-01
      • Release Notes: 2018-08-15
      • Release Notes: 2018-08-29
      • Release Notes: 2018-09-12
      • Release Notes: 2018-09-26
      • Release Notes: 2018-10-10
      • Release Notes: 2018-10-23
      • Release Notes: 2018-11-13
      • Release Notes: 2018-11-27
      • Release Notes: 2018-12-18
    • 2017
      • Release Notes: 2017-01-04
      • Release Notes: 2017-01-18
      • Release Notes: 2017-02-01
      • Release Notes: 2017-02-16
      • Release Notes: 2017-03-02
      • Release Notes: 2017-03-15
      • Release Notes: 2017-03-29
      • Release Notes: 2017-04-12
      • Release Notes: 2017-04-26
      • Release Notes: 2017-05-10
      • Release Notes: 2017-05-24
      • Release Notes: 2017-06-06
      • Release Notes: 2017-06-21
      • Release Notes: 2017-07-07
      • Release Notes: 2017-07-19
      • Release Notes: 2017-08-02
      • Release Notes: 2017-08-16
      • Release Notes: 2017-08-30
      • Release Notes: 2017-09-13
      • Release Notes: 2017-09-27
      • Release Notes: 2017-10-12
      • Release Notes: 2017-10-25
      • Release Notes: 2017-11-08
      • Release Notes: 2017-11-29
      • Release Notes: 2017-12-13
    • 2016
      • Release Notes: 2016-01-06
      • Release Notes: 2016-01-20
      • Release Notes: 2016-02-03
      • Release Notes: 2016-02-17
      • Release Notes: 2016-03-02
      • Release Notes: 2016-03-16
      • Release Notes: 2016-03-30
      • Release Notes: 2016-04-13
      • Release Notes: 2016-04-27
      • Release Notes: 2016-05-11
      • Release Notes: 2016-05-25
      • Release Notes: 2016-06-08
      • Release Notes: 2016-06-22
      • Release Notes: 2016-07-06
      • Release Notes: 2016-07-20
      • Release Notes: 2016-08-03
      • Release Notes: 2016-08-17
      • Release Notes: 2016-08-31
      • Release Notes: 2016-09-14
      • Release Notes: 2016-09-28
      • Release Notes: 2016-10-12
      • Release Notes: 2016-10-26
      • Release Notes: 2016-11-09
      • Release Notes: 2016-11-23
      • Release Notes: 2016-12-07
      • Release Notes: 2016-12-21
    • 2015
      • Release Notes: 2015-01-07
      • Release Notes: 2015-01-21
      • Release Notes: 2015-02-04
      • Release Notes: 2015-02-18
      • Release Notes: 2015-03-04
      • Release Notes: 2015-04-01
      • Release Notes: 2015-04-15
      • Release Notes: 2015-04-29
      • Release Notes: 2015-05-13
      • Release Notes: 2015-05-27
      • Release Notes: 2015-06-10
      • Release Notes: 2015-06-24
      • Release Notes: 2015-07-08
      • Release Notes: 2015-07-22
      • Release Notes: 2015-08-05
      • Release Notes: 2015-08-19
      • Release Notes: 2015-09-16
      • Release Notes: 2015-09-30
      • Release Notes: 2015-10-14
      • Release Notes: 2015-10-28
      • Release Notes: 2015-11-11
      • Release Notes: 2015-12-02
      • Release Notes: 2015-12-16
    • 2014
      • Release Notes: 2014-01-09
      • Release Notes: 2014-01-22
      • Release Notes: 2014-02-05
      • Release Notes: 2014-03-05
      • Release Notes: 2014-03-19
      • Release Notes: 2014-04-09
      • Release Notes: 2014-04-30
      • Release Notes: 2014-06-04
      • Release Notes: 2014-06-11
      • Release Notes: 2014-06-26
      • Release Notes: 2014-07-09
      • Release Notes: 2014-07-23
      • Release Notes: 2014-08-20
      • Release Notes: 2014-09-04
      • Release Notes: 2014-09-17
      • Release Notes: 2014-10-01
      • Release Notes: 2014-10-15
      • Release Notes: 2014-10-29
      • Release Notes: 2014-11-12
    • 2013
      • Release Notes: 2013-01-08
      • Release Notes: 2013-02-27
      • Release Notes: 2013-03-20
      • Release Notes: 2013-04-02
      • Release Notes: 2013-04-17
      • Release Notes: 2013-05-01
      • Release Notes: 2013-05-21
      • Release Notes: 2013-06-11
      • Release Notes: 2013-06-18
      • Release Notes: 2013-07-10
      • Release Notes: 2013-07-24
      • Release Notes: 2013-08-07
      • Release Notes: 2013-09-05
      • Release Notes: 2013-09-18
      • Release Notes: 2013-10-02
      • Release Notes: 2013-10-30
      • Release Notes: 2013-11-13
      • Release Notes: 2013-11-27
    • 2012
      • Release Notes: 2012-03-28
      • Release Notes: 2012-04-11
      • Release Notes: 2012-04-24
      • Release Notes: 2012-05-22
      • Release Notes: 2012-06-05
      • Release Notes: 2012-06-20
      • Release Notes: 2012-08-01
      • Release Notes: 2012-08-28
On this page
  • Who SAML JIT Provisioning Is For
  • Prerequisites
  • First Login
  • Existing User Login
  • Role Mapping
  • Creating Attributes and Roles in Your IdP and ThousandEyes (Steps 1 and 2)
  • Linking Your IdP and ThousandEyes Roles (Step 3)
  • Editing SAML JIT Settings
  • Removing SAML JIT Settings
  • Troubleshooting SAML JIT
  1. Product Documentation
  2. Account Management
  3. User Registration

SAML JIT Provisioning

PreviousUser RegistrationNextThousandEyes Support for SCIM

Last updated 2 months ago

just-in-time (JIT) provisioning offers SAML’s traditional authentication standard to verify who’s trying to log in. Importantly, it also creates users in a service provider (in this case, ThousandEyes), who may not have been provisioned (given authorized access) through any other method yet. This is called just-in-time provisioning because it does not require any user list to be pre-loaded into the system before authentication can happen, but provisions (authorizes) them on the spot.

SAML JIT provisioning, by its nature, overrides any previous user record, as it freshly provisions a user every time they log in. This means that if your organization previously used SCIM, or any other method to provision users, and switches to SAML JIT provisioning, SAML JIT will override any previous user records, and will continue to do so with every login. This helps to keep user records up-to-date.

Who SAML JIT Provisioning Is For

Anyone can use SAML JIT provisioning but it is best leveraged by organizations who have a large user base, have users in many and varied roles or account groups, and who need the flexibility to define different permissions for different roles across different account groups. Large organizations with a shifting workforce (e.g. seasonal workers) or with large customer support centers might fit this bill, for example.

Prerequisites

Before configuring, here's what you need:

  • A ThousandEyes account assigned a role with the following permissions:

    • Edit security & authentication settings

    • Edit users in all account groups

    • View security & authentication settings

    • View all account groups settings OR View agents in account group OR View all users

    • View roles OR View all users

  • An account or subscription to the IdP (identity provider) of your choice.

  • SSO authentication enabled. See for instructions on implementing SSO.

When you enable SAML JIT provisioning, you must also switch the Enable SSO toggle to “on” in the Single Sign On (SSO) section within Manage > Account Settings > Organization Settings > Security and Authentication if not already done so. You may switch the Force SSO toggle on and off, but you cannot disable SSO entirely while using SAML JIT provisioning.

If not already done so, you must configure your SSO settings first before configuring your SAML JIT settings.

You must also assert role information from your IdP alongside identity information.

First Login

When SSO and SAML JIT provisioning are enabled and configured correctly in ThousandEyes, there are two ways to initiate provisioning and login for first-time users of ThousandEyes.

  1. IdP-initiated. This method works for any new user.

    a. Log in to your IdP first; this verifies the credentials you need to log in to ThousandEyes.

    b. “Launch” ThousandEyes from your IdP; this sends the IdP’s SAML assertion to ThousandEyes, which we then validate, provision you, and grant you an active session.

  2. Automatic SP-initiated. This method is ideal for partners or multi-service providers (MSPs), for example, to smooth the process for their customers, who can click the pre-filled link and automatically be redirected to their IdP for authentication into ThousandEyes.

    a. Type or paste https://app.thousandeyes.com/login/sso?fwd=/account/switch/<AID>&idp=<IdpIssuer> into your browser.

    c. When you hit Enter, we will redirect you to login/authenticate with your IdP.

    d. Your IdP will then redirect you back to ThousandEyes, having been validated, provisioned and logged in.

Existing User Login

Once you have been provisioned the first time into ThousandEyes, you can re-enter ThousandEyes through the above user-flows, or you can provide your email address into the ThousandEyes login screen directly. If you are not already authenticated with your IdP, we will redirect you to your IdP to authenticate, and your IdP will send you back to ThousandEyes, re-provisioned and logged in.

Role Mapping

SAML JIT provisioning relies on the mapping of roles within your IdP to roles within ThousandEyes. There are typically three parts to setting up this mapping:

  1. If not already done so, setting up relevant attributes and roles within your IdP.

    • You can also use attributes and roles that you have already set up in your IdP.

  2. Setting up equivalent roles in ThousandEyes.

  3. Linking the two sets of roles.

Creating Attributes and Roles in Your IdP and ThousandEyes (Steps 1 and 2)

While different IdPs might allow you to group individuals in different ways (some may use the term “group”, some “role”, some a combination), the common thread across all IdPs is the idea of grouping. Your aim is to decide which group(s) of individuals you want to have access to ThousandEyes and distinguish those groups through an overarching attribute.

An attribute is like the key in a key:value pair – it defines the range of allowable values for that data type. Examples of attributes might include “cost center” or “department”, which defines a grouping and possibly even a location of employees. For an attribute like “department”, the roles (or values) could include “IT”, “account management”, and “call center”. You may only define one attribute whose roles map to ThousandEyes roles.

The above IdP roles might easily map to ThousandEyes’ three built-in roles: Organization Admin, Account Admin, and Regular User, as they have respectively restrictive permission sets that reflect the account access needs of each type of user. However, the role names in your IdP and those in ThousandEyes must match exactly. A role name of “IT” in your IdP will not be able to map to the role name of “Organization Admin” in ThousandEyes.

SAML JIT provisioning requires role designations in both your IdP and ThousandEyes because SAML JIT provisioning requires a step to authorize your users (differentiating it from SAML SSO which only authenticates them). Authorization implies a specific set of permissions. In ThousandEyes, permissions are attached to a role.

Therefore, you must, if you have not already done so:

  1. Define in your IdP one attribute for everyone who needs access to ThousandEyes.

  2. Define in your IdP the different roles for your users within your defined attribute.

You can name the attribute and roles in your IdP anything you like. They must, however, be replicated exactly in ThousandEyes, which is sensitive to case, spacing and special characters.

Linking Your IdP and ThousandEyes Roles (Step 3)

Once you have set up SSO in ThousandEyes and created matching roles within your IdP and ThousandEyes, you’re ready to link them.

  1. Go to Manage > Account Settings > Organization Settings > Security and Authentication.

  2. Scroll to User Provisioning > SAML Justi-In-Time Settings.

  3. Switch the Enable toggle on.

    • Note: As SAML JIT overwrites provisioning at every login, we do not recommend using SAML JIT and SCIM provisioning at the same time.

  4. Select the SAML Role Name Attribute you want to map across.

    • If the role name attribute is not listed in the dropdown, choose “Custom…” to type in a new role name attribute.

  5. In the Role dropdown, choose a role you want to add.

  6. In the Account Groups dropdown, check all the account groups you want your role to have access to.

  7. Click the “+ Add mapping” or “-“ buttons to add or remove as many roles/account groups as you need.

  1. Click Save.

Editing SAML JIT Settings

Once you have successfully set up your SAML JIT provisioning, you can edit your settings at any time.

  1. Return to to Manage > Account Settings > Organization Settings > Security and Authentication > User Provisioning > SAML Just-In-Time Settings.

  2. To change attributes, select or type in a new attribute name.

  3. To change roles, choose a new role from the dropdown. (Hint: you must first have created a new role within Manage > Account Settings > User and Roles > Roles before it will appear in the dropdown.)

  4. To change the number of account groups your roles have access to, check or uncheck the relevant account groups in the Account Groups dropdown.

  5. Click Save.

Removing SAML JIT Settings

To stop using SAML JIT provisioning, slide the Enable toggle to the left to disable it. All your settings remain in place, but are simply disabled.

Troubleshooting SAML JIT

Often, trouble logging in through SAML JIT provisioning is caused by a configuration error in either the SAML JIT or SSO sections of the ThousandEyes platform. We list below the most common errors.

  1. IdP Issuer or SP Issuer don’t match. If both toggles are enabled as per error #1, above, check in the ThousandEyes SSO configuration that the Identity Provider Issuer exactly matches your IdP’s Entity ID and that the Service Provider Issuer exactly matches the “service provider entityId” that you set up in your IdP. The SAML response assertion that ThousandEyes receives after you authenticate with your IdP contains these fields. Any error will cause authentication to fail in ThousandEyes.

  2. Role names don’t match. The SAML response assertion also contains the attribute name and role for the user. If the attribute name or role in ThousandEyes does not exactly match those of the IdP, authentication will fail.

  3. No email address. The email address of the user is also passed through the SAML response assertion. In most cases, this is passed via the NameID assertion. However, if it is not passed through this assertion, it must be assigned to an attribute that contains the email address of the user, such as emailAddress, name or Email. The authentication will fail if an email address cannot be found somewhere within the response body. If you’re uncertain how to check the response body, email support@thousandeyes.com.

b. Replace <AID> with your ThousandEyes account group ID, which can be found via the API call, and replace <IdpIssuer> with the Identity Provider Issuer URL found within your SSO Configuration panel. (These are likely to be pre-filled for you by, for example, your partner or MSP.)

Replicate in ThousandEyes those exact role names and apply the relevant permissions to each role. See and for more about how to create new, or clone current, roles.

Every organization should have at least one person with the equivalent of the ThousandEyes Organization Admin role – often, the first registered user gets this role by default. This role contains all the and SAML JIT permissions that enables the organization to continue to manage its users and the SAML JIT feature. Deleting the mapping for the Organization Admin role, or its equivalent, can prevent users from accessing the permissions needed to do these vital management tasks. We recommend not deleting the mapping for any role containing the management and SAML JIT permissions unless there is another role available with the same permissions.

SAML JIT or SSO not enabled. If no new users can log in with either of the methods outlined in , check that both SSO and SAML JIT provisioning are Enabled.

SAML (Security Assertion Markup Language)
How to Configure Single Sign-On (SSO)
List account groups
Creating a Custom Role
Built-In Roles
management permissions
First Login
Enabling SAML JIT provisioning
Role name attribute
Role dropdown
Account groups dropdown
+ Add mapping button
Save button
Enabled toggles for SSO and SAML JIT
IdP and SP Issuer fields
Attribute and role fields