SAML JIT Provisioning

Innovation Overview

ThousandEyes supports SAML JIT provisioning for streamlining user management and ensuring up-to-date user records. The identity provider (IDP) validates the users who try to log in. If the users do not exist in ThousandEyes, it automatically creates users in ThousandEyes instead of requiring the administrator to manually provision users through other methods. Any IDP supporting SAML JIT provisioning can be integrated with ThousandEyes.

Feature Highlights:

• Single Identity Store: With SAML JIT provisioning, the user identity can only reside within the SAML provider instead of ThousandEyes.

• Role Mapping: The roles or groups used in IDP can be mapped to those with the same name. Users assigned to each role will inherit ThousandEyes roles upon creation. 

• Easier First-time Login: Users are provisioned the first time they log in to ThousandEyes via IDP. There is no need to go through the user activation via email.

Customer Benefits:

• Secure Access Management: Customers with a large user base have users in many varied roles or account groups and need the flexibility to define different permissions for different roles across different account groups.

Here is an example of how to set up SAML JIT provisioning with Azure Entra ID:

1. SAML configuration in Azure Enterprise Application.

2. Set up SSO in ThousandEyes Organization setting.

3. Assign a user group to Azure application.

4. Under SSO configuration, add the group name as the SAML attribute.

5. Create a role matching the group name from Azure, and make sure SSO login permission allowed.

6. Enable the SAML Just-In-Time setting with the new role.

7. Run a single sign-on test from ThousandEyes using any user within the group.

8. Run the SSO test from Azure using the same user account.