For the security of your SaaS-based infrastructure and the convenience of users in your organization, the ThousandEyes service offers login via single sign-on (SSO). ThousandEyes supports SAML2-based identity providers for single sign-on. There are two steps to set up single sign-on: the service provider configuration, which is done within ThousandEyes, and the identity provider configuration, done within your SSO system.  In this configuration example, we use Microsoft Azure Active Directory as the identity provider.

Table of contents

• Prerequisites
• Identity Provider side setup
• ThousandEyes side setup
• Testing SSO
  • Identity Provider initiated SSO
  • Service Provider initiated SSO

Prerequisites

Configuration is simple. Here's what you need:

• ThousandEyes account assigned a role with the Edit security & authentication settings permission
• An Azure AD subscription. 

Identity Provider side setup

Step by step procedure is outlined below:

1. Log into portal.azure.com.
2. Go to Azure Active Directory > Enterprise applications > Add an application and search for ThousandEyes. Skip to step 4 if configuring a custom application.

3. Click the ThousandEyes Enterprise application and Add

4. Once you click Add, the Enterprise Application will open up as below:

5. Users can be assigned to the app using the Assign users and groups option. Consult the How to setup SCIM with Azure Active Directory to setup automatic user provisioning.
6. Once users are assigned click Single sign-on from the side pane and select SAML as a Sign on method.
7. Configure the  Basic SAML Configuration section fields as below: 
   • Identifier (Entity ID) : https://app.thousandeyes.com
   • Reply URL (Assertion Consumer Service URL) : https://app.thousandeyes.com/login/sso/acs
   • Logout Url: https://app.thousandeyes.com/logout/sso/slo
   • The Sign on URL  and Relay State are optional fields that need to be left blank.

8. Download the Federation Metadata XML from SAML Signing Certificate section.

ThousandEyes Side setup

1. Login to ThousandEyes
2. Go to Account Settings > Organization Settings
3. Check the Enable Single Sign-On box and select Metadata File as the Configuration Type. Import the metadata file from step 9 of previous section using the Import File button.

4. Check the Override box for Logout Page URL and clear the field. Please ensure the Service Provider Issuer field matches the Identifier (Entity ID) in Azure side as seen in step 7 of Identity Provider's side Setup and Save. 

Testing SSO

ThousandEyes support both the IdP initiated and SP initiated Single Sign on, the below sections will guide you through testing them.

Identity Provider initiated SSO

Login to Log into portal.azure.com and go to Azure Active Directory > Enterprise applications > ThousandEyes > Single sign-on. Scroll down and click the Test button in Test single sign-on with ThousandEyes section. Click Sign in as current user button in the side pane that opens up.

The test will open up a new tab and log you into ThousandEyes! 

Service Provider initiated SSO