- Identity Provider configuration, done within your SSO system (in this article we use PingOne)
- Service Provider configuration, which is done within ThousandEyes using one of the following options (the last two are normally easier and quicker to use):
  - Static Configuration: requires manual settings of the parameters.
  - Imported Metadata Configuration: a metadata file is used to configure the parameters.
  - Dynamic Configuration: a URL is used to configure the parameters.
Prerequisites
Configuration is normally simple. Here's what you need:
- ThousandEyes account assigned a role with the Edit security & authentication settings permission
- A SAML2 authentication provider (in this example, PingOne)
Identity Provider configuration
- Log in to the PingOne Admin Console, and go to the Application Catalog tab of the Applications page.
- Search for "Thousand Eyes" and click on the logo to expand the details.
- Click the Setup button to open the configuration panel.
- If you want to use ThousandEyes Static Configuration, click on the Download button to save the Signing Certificate on your local drive.
- Again, only for ThousandEyes Static Configuration, copy the value of the idpid field of the query string, found at the end of the Initiate Single Sign-On (SSO) URL: copy the string that follows the '=' character. Append the idpid string to this URL: https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=
An example of a complete URL:
https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=de8e56ff-fdb1-4a22-8963-fbcff6952a89
NOTE: The idpid is a unique identifier generated when the ThousandEyes application is added. If the ThousandEyes application is removed from PingOne and re-added, the idpid will change, and you will need to reconfigure per these steps.
- At the bottom of the page, click Continue to Next Step to display the connection details.
- Click the Continue to Next Step button to display the attribute mapping.
- Click the Continue to Next Step button to display the application customization.
- Click the Save & Publish button to review the configuration: if you are using the Imported Metadata Configuration, then download the SAML Metadata file.
- Click the Finish button to complete the application setup.
- Go to the Users > User Groups tab and click on the Edit button of the Users@directory group name.
- Check the ThousandEyes (SSO) check-box and click the Save button.
- Go to Dashboard and click the Your PingOne dock URL link.
- The ThousandEyes application should be available in the dashboard when you go to your PingOne dock URL page.
- To add new users to Single Sign-On, go to the Users page in PingIdentity and click the Add Users button. A new user can be "created" by filling in all the information, or "invited" by providing just the email address.
ThousandEyes static configuration
Follow these steps to configure your ThousandEyes organisation to use single sign-on:
- Log into ThousandEyes using an account with a role that has the Edit security & authentication settings permission.
- Open the Account Settings page and click the Security & Authentication tab.
- In the Setup Single Sign-On section, check the Enable Single Sign-On box.
- Click the Static Configuration button.
- Configure the Setup Single Sign-On fields according to the following settings and click the Save button.
- To test the configuration use the instructions provided here.
Login Page URL | Use the URL created at Step-5 of the Identity Provider configuration section. |
Logout Page URL | https://app.thousandeyes.com/login/sso |
Identity Provider Issuer | https://pingone.com/idp/thousandeyes |
Service Provider Issuer | https://www.thousandeyes.com |
Verification Certificate | Use the certificate file downloaded at Step-4 of the Identity Provider configuration section. |
IMPORTANT: Ensure that the Service Provider Issuer field matches the "service provider entityId" provided by PingOne. Any mismatch, including a protocol mismatch (http vs https) will cause the request to be rejected.
NOTE: The Logout Page URL is optional. If used, the URL should point to the page you wish your users to see when logging out of ThousandEyes.
ThousandEyes Imported Metadata Configuration
Follow these steps to configure your ThousandEyes organization to use single sign-on:
- Log into ThousandEyes using an account with a role that has the Edit security & authentication settings permission.
- Open the Account Settings page and click the Security & Authentication tab.
- Check the Enable Single Sign-On box.
- Click the Imported Metadata Configuration button.
- Click the Import File button and upload the Metadata XML File downloaded at Step-9 of the Identity Provider configuration section. The configuration section should populate with the SSO parameters.
- Click the Save button.
- To test the configuration use the instructions provided here.
ThousandEyes Dynamic Configuration
At the moment PingOne does not support dynamic configuration, so the most automated way to configure SSO is using the Imported Metadata Configuration option.
Test the configuration in PingIdentity
- Log out of ThousandEyes.
- Go to Dashboard and click the Your PingOne dock URL link.
- Click the ThousandEyes logo. You should be logged in to ThousandEyes automatically.
Test the configuration in ThousandEyes
- In the ThousandEyes Security & Authentication tab, click the Run Single Sign-On Test button. This button is present in all the configuration types (Static, Imported Metadata and Dynamic), but it only needs to be checked once for the selected configuration.
- If the SSO is configured properly, you should get a message indicating success.
Logging in using SSO
- To log in to ThousandEyes, go to https://app.thousandeyes.com and click the Single Sign-On link.
- Input the SSO-enabled email address, and click the Log In button.
- When the PingOne authorization page appears, enter your email and password, and press the Sign On button. You should be logged in to ThousandEyes automatically.
- Alternatively, users can access the ThousandEyes application through the user's PingOne dashboard. Please refer to the "Test the configuration in PingIdentity" section presented above.
Metadata details for troubleshooting
If your single sign-on login fails, verify that certain SAML settings are configured as below:
- Request Compression: Yes
- Assertion: Unsigned
- Response: Signed
- Destination: https://www.thousandeyes.com
- AuthnContextClassRef: PasswordProtectedTransport
- AudienceRestriction: https://www.thousandeyes.com
Note: The AudienceRestriction element generated by your identity provider's configuration must match exactly the value set for the Service Provider Issuer field in ThousandEyes. Any mismatch, including a protocol mismatch (http vs https) will cause the request to be rejected.
- Recipient: https://www.thousandeyes.com
- NameID Format: emailAddress
- Role: User
- AssertionConsumerServiceURL: https://app.thousandeyes.com/login/sso/acs
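The checklist above can be run against a decoded SAML Response (the XML obtained by base64-decoding the SAMLResponse form field captured during a failed login). The following is an added example, not ThousandEyes or PingOne code: the function name and the sample document are constructed for illustration, and the page's short names (emailAddress, PasswordProtectedTransport) are written as their full SAML 2.0 URNs.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP = "https://www.thousandeyes.com"  # Service Provider Issuer value from the page
EXPECTED = {  # short names from the page, written as their SAML 2.0 URNs
    "Destination": SP,
    "Recipient": SP,
    "AudienceRestriction": SP,
    "NameID Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "AuthnContextClassRef":
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}

def check_response(xml_text):
    """Return (setting, found, expected) mismatches; an empty list means all match."""
    root = ET.fromstring(xml_text)
    def get(path, attr=None):
        el = root.find(path, NS)
        if el is None:
            return None
        return el.get(attr) if attr else (el.text or "").strip()
    found = {
        "Destination": root.get("Destination"),
        "Recipient": get(".//a:SubjectConfirmationData", "Recipient"),
        "AudienceRestriction": get(".//a:AudienceRestriction/a:Audience"),
        "NameID Format": get(".//a:Subject/a:NameID", "Format"),
        "AuthnContextClassRef": get(".//a:AuthnContextClassRef"),
    }
    # Exact string comparison: http vs https or a trailing slash is a mismatch.
    problems = [(k, found[k], v) for k, v in EXPECTED.items() if found[k] != v]
    # Structural only: checks where the signature sits, not that it verifies.
    if root.find("ds:Signature", NS) is None:
        problems.append(("Response", "unsigned", "signed"))
    if root.find("a:Assertion/ds:Signature", NS) is not None:
        problems.append(("Assertion", "signed", "unsigned"))
    return problems

# Constructed sample, not a captured PingOne response; {aud} is filled in by the caller.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://www.thousandeyes.com"><ds:Signature/><a:Assertion><a:Subject>
<a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</a:NameID>
<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="https://www.thousandeyes.com"/>
</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction><a:Audience>{aud}</a:Audience>
</a:AudienceRestriction></a:Conditions><a:AuthnStatement><a:AuthnContext><a:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</a:AuthnContextClassRef>
</a:AuthnContext></a:AuthnStatement></a:Assertion></p:Response>"""
```

Calling check_response(SAMPLE.format(aud="http://www.thousandeyes.com")) reports the AudienceRestriction entry as the only mismatch, which is the protocol mismatch the note above describes.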