ThousandEyes documentation is now hosted at docs.thousandeyes.com. Content on this site will no longer be updated.

How to configure Single Sign-On with Azure Active Directory

Last updated: Thu Apr 09 23:46:14 GMT 2020

For the security of your SaaS-based infrastructure and the convenience of users in your organization, the ThousandEyes service offers login via single sign-on (SSO). ThousandEyes supports SAML2-based identity providers for single sign-on. There are two steps to set up single sign-on: the service provider configuration, which is done within ThousandEyes, and the identity provider configuration, done within your SSO system. In this configuration example, we use Microsoft Azure Active Directory as the identity provider.


Prerequisites

Configuration is simple. Here's what you need:

  • A ThousandEyes account assigned a role with the Edit security & authentication settings permission
  • An Azure AD subscription

Identity Provider side setup

The step-by-step procedure is outlined below:
  1. Log into portal.azure.com.
  2. Go to Azure Active Directory > Enterprise applications > Add an application and search for ThousandEyes. Skip to step 4 if configuring a custom application.
     (Screenshot: Add an application)
  3. Click the ThousandEyes Enterprise application, then click Add.
     (Screenshot: Add ThousandEyes)
  4. Once you click Add, the Enterprise Application will open up as below:
     (Screenshot: ThousandEyes app)
  5. Users can be assigned to the app using the Assign users and groups option. Consult How to setup SCIM with Azure Active Directory to set up automatic user provisioning.
  6. Once users are assigned, click Single sign-on in the side pane and select SAML as the sign-on method.
     (Screenshot: SAML)
  7. Configure the Basic SAML Configuration section fields as below:
     (Screenshot: IdP fields)
  8. Download the Federation Metadata XML from the SAML Signing Certificate section.
     (Screenshot: Download XML)

ThousandEyes Side setup

  1. Log in to ThousandEyes.
  2. Go to Account Settings > Organization Settings.
  3. Check the Enable Single Sign-On box and select Metadata File as the Configuration Type. Import the metadata file from step 9 of the previous section using the Import File button.
     (Screenshot: Metadata import)
  4. Check the Override box for Logout Page URL and clear the field. Ensure that the Service Provider Issuer field matches the Identifier (Entity ID) on the Azure side, as seen in step 7 of the Identity Provider side setup, then click Save.
     (Screenshot: Logout Page URL cleared)
 

Testing SSO

ThousandEyes supports both IdP-initiated and SP-initiated single sign-on. The sections below guide you through testing each.

Identity Provider initiated SSO

Log into portal.azure.com and go to Azure Active Directory > Enterprise applications > ThousandEyes > Single sign-on. Scroll down and click the Test button in the Test single sign-on with ThousandEyes section. Click the Sign in as current user button in the side pane that opens up.
(Screenshot: IdP-initiated test)
The test will open up a new tab and log you into ThousandEyes!

Service Provider initiated SSO

Go to Account Settings > Organization Settings in ThousandEyes and click the Run Single Sign-On Test button. The results will appear in the Single Sign-On Test Results section, as can be seen below.
(Screenshot: SP-initiated test)