marcomir
Cisco Employee

This document is intended as a guide for implementing SSO with Microsoft Entra when accessing ThousandEyes, as well as enabling SAML JIT for user provisioning and role mapping. The setup process is divided into 3 sections:

  • Microsoft Entra SSO configuration & security groups for SAML JIT provisioning
  • ThousandEyes SSO configuration and role mappings
  • SP-initiated first-time user creation

 

Microsoft Entra SSO configuration & security groups for SAML JIT provisioning

Enabling Microsoft Entra SSO.

1. Sign in to the Microsoft Entra admin center with a user that has Cloud Application Administrator access.


2. Navigate to Applications > Enterprise applications > All applications and click the New application button.


3. Search for ThousandEyes, select it and click Create.


4. Once the application is deployed, click the “Set up single sign on” box and select SAML as the SSO method.


5. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.


NOTE:

As per the documentation (https://docs.thousandeyes.com/product-documentation/user-management/sso/how-to-configure-single-sign-on-with-metadata), SSO can be configured using the ThousandEyes metadata file, or you can choose to configure it manually with the following fields if desired.

Identifier (Entity ID) : http://app.thousandeyes.com

Reply URL: https://app.thousandeyes.com/login/sso/acs

Sign on URL: https://app.thousandeyes.com/login/sso


6. In the SAML Signing Certificate section, download both the Certificate (Base64) and the Federation Metadata XML, and store both files on your computer, as they will be required when you start the SSO configuration in ThousandEyes.
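
Before importing the metadata into ThousandEyes, it is worth confirming what the file will make the service provider trust. The following is an added example, not part of the original article or of any Cisco or Microsoft tooling: it reads the issuer, sign-on URLs and signing-certificate fingerprints from a Federation Metadata XML and checks that the separately downloaded Certificate (Base64) matches. The sample metadata, the all-zero tenant ID and the placeholder certificate bytes are constructed for illustration.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample input: placeholder bytes stand in for the certificate and
# the all-zero tenant ID is a placeholder; neither is taken from the article.
FAKE_B64 = base64.b64encode(b"constructed bytes, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{FAKE_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def fingerprint(b64_text):
    """SHA-256 of the decoded certificate bytes; PEM armor and whitespace are ignored."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", b64_text or "")
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def summarize_metadata(metadata_xml):
    """Extract what the SP will trust: issuer, sign-on URLs, signing certificates."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)  # ignore any other role descriptors
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not SAML IdP metadata")
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    urls = {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"issuer": root.get("entityID"), "sso_urls": sorted(urls),
            "cert_fingerprints": [fingerprint(c.text) for c in certs]}

def files_agree(metadata_xml, pem_text):
    """True only if every sign-on URL is HTTPS and the .cer matches a metadata cert."""
    info = summarize_metadata(metadata_xml)
    https_only = bool(info["sso_urls"]) and all(
        u.startswith("https://") for u in info["sso_urls"])
    return https_only and fingerprint(pem_text) in info["cert_fingerprints"]

if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_METADATA))
    print("files agree:", files_agree(SAMPLE_METADATA, SAMPLE_PEM))
```

To use it on the real downloads, pass the contents of the two files in place of the constructed samples and record the printed issuer and fingerprint alongside the change.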


Creating users in Microsoft Entra 

1. Browse to Users > All users and, on the top menu just beside the search box, select New user > Create new user.


2. Create the desired user, and be sure to remember the principal name as well as the display name, which in this case is testuser1@grucocem.onmicrosoft.com.


Creating Security Groups and enabling access for ThousandEyes

1. Browse to Groups > All Groups and select New Group.


1a) Set a group name and a group description (optional), and select members for this new group. It’s important to note that later we will define the group as an attribute that SAML will use for role assignment in ThousandEyes.


2. Browse to Applications > Enterprise applications > ThousandEyes and, under the app's Overview section, select Assign users and groups.


3. Under Add Assignment click on the None Selected link below Users and Groups so that all eligible users can be displayed.

3a) In the Users and groups dialog, select the user you want to add from the Users list, then click the Select button at the bottom of the screen.


Setting Attributes and Claims

1. Browse to Enterprise Applications > ThousandEyes > Single sign-on and select the Edit icon in the Attributes & Claims section.


2. Click the Add a group claim button, select the “Groups assigned to the application” option, and select “Cloud-only group display names” as the Source attribute. This allows the group display name to be sent as an attribute in the SAML response.


ThousandEyes SSO configuration and role mappings

1. Sign in to ThousandEyes with a user that has Organization Admin privileges.

2. Create a new role so that users provisioned from your IdP are assigned a role dynamically, based on the configured SAML response. In this example, the new role has to match the Group Name that was defined in Microsoft Entra.


Configuring ThousandEyes for SSO and JIT for user provisioning

3. Browse to Account Settings > Organization Settings and select the Enable SSO toggle.


4. Under Configuration Type, select Metadata file and import the metadata XML file that was downloaded from the Entra SAML configuration. This will populate all the required IdP configuration.


5. For automatic user creation and role mappings, under SAML JIT Settings, click the Enable toggle and select the SAML Role Name Attribute “http://schemas.microsoft.com/ws/2008/06/identity/claims/groups”, as well as the roles to map, which were created earlier.


NOTE: For this first-time integration, make sure that a user with the same email address exists in ThousandEyes as well as in Microsoft Entra, since it will be used for SSO validation.

6. Once the role mapping is done, click “Run Single Sign-On Test”. This will open a new pop-up window where you will need to enter your Microsoft username and password for authentication.
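
Because JIT role assignment depends on the group claim values matching the role names created in ThousandEyes, a quick check of the assertion contents catches mapping mistakes before users hit them. The following is an added example, not part of the original article or of ThousandEyes: it assumes you have the decoded assertion XML from a test sign-in, and the role names TE-NetOps and TE-Readonly, the group values and the GUID in the sample are hypothetical. GUID-shaped values are reported separately because Entra emits group object IDs unless the source attribute is changed to display names as described above.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample: attribute statement of a decoded SAML assertion. The group
# names and the GUID are invented for illustration, not taken from the article.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>TE-NetOps</saml:AttributeValue>
      <saml:AttributeValue>te-readonly</saml:AttributeValue>
      <saml:AttributeValue>0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def group_claim_values(assertion_xml):
    """Return every value of the groups claim, in document order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        if attr.get("Name") == GROUPS_CLAIM:
            values += [(v.text or "").strip()
                       for v in attr.findall("saml:AttributeValue", NS)]
    return values

def check_role_mapping(assertion_xml, te_roles):
    """Sort claim values by how they relate to the role names created in ThousandEyes."""
    by_lower = {r.lower() for r in te_roles}
    report = {"matched": [], "case_mismatch": [], "object_ids": [], "unmapped": []}
    for value in group_claim_values(assertion_xml):
        if value in te_roles:
            report["matched"].append(value)
        elif GUID_RE.match(value):        # group ID sent instead of a display name
            report["object_ids"].append(value)
        elif value.lower() in by_lower:   # same name, different case: review it
            report["case_mismatch"].append(value)
        else:
            report["unmapped"].append(value)
    return report

if __name__ == "__main__":
    roles = {"TE-NetOps", "TE-Readonly"}  # hypothetical ThousandEyes role names
    for kind, values in check_role_mapping(SAMPLE_ASSERTION, roles).items():
        print(f"{kind:14} {values}")
```

An empty result across all four lists means the groups claim was not present in the assertion at all, which points back to the Attributes & Claims step.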


Adding new users to ThousandEyes initiated by the SP

This method is used when the admin would like to add new users by creating a custom URL that points to the ThousandEyes URL and appends the account group token as well as the IdP issuer that was previously configured when setting up SSO.

1. Type or paste the following into your browser: https://app.thousandeyes.com/login/sso?fwd=/account/switch/<AID>&idp=<IdpIssuer>
NOTE: Replace <AID> with your ThousandEyes account group ID, and <IdpIssuer> with the Identity Provider Issuer URL found within your SSO Configuration panel.


2. When you press Enter, you are redirected to your IdP to log in, so that the user can be authenticated.


3. Your IdP will then redirect you back to ThousandEyes, with the user validated and created.


Comments
oatroshc
Cisco Employee

What a great article!
