ThousandEyes

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide single sign-on (SSO) and user provisioning for ThousandEyes.

About ThousandEyes

ThousandEyes is a network intelligence platform that monitors network infrastructure, troubleshoots app delivery, and maps internet performance. ThousandEyes provides solutions for enterprise information technology, online operations, and network security.

After integrating ThousandEyes with Oracle Identity Cloud Service:

  • Users can use their Oracle Identity Cloud Service login credentials to access ThousandEyes.
  • Users can use the Oracle Identity Cloud Service My Apps console to launch ThousandEyes.
  • Administrators can use the Identity Cloud Service console to assign and revoke user access to the ThousandEyes app.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (by being assigned to the identity domain administrator or application administrator role).
  • A ThousandEyes account with authorization rights to configure federated authentication and user provisioning.
  • User email IDs in ThousandEyes that match the primary email IDs of the corresponding Oracle Identity Cloud Service users.
  • Identity provider metadata. Use the https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata URL to access the metadata and save it in a text file. Use this file later to obtain the identity provider certificate in the "Obtaining the Identity Provider Certificate" section.

Obtaining the Identity Provider Certificate

Use this section to obtain the identity provider certificate in a format that's suitable for ThousandEyes.

  1. To access the identity provider metadata, use the https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata URL.

  2. In the metadata file, locate the dsig:X509Certificate tags.

  3. Copy the content between the dsig:X509Certificate tags into a text file. This content is the Oracle Identity Cloud Service signing certificate.

    Image img1.png displays the metadata content with md:IDPSSODescriptor and dsig:X509Certificate tags highlighted.

  4. At the beginning of the content, add -----BEGIN CERTIFICATE-----.

  5. At the end of the content, add -----END CERTIFICATE-----.

    Image img2.png displays the text file with the certificate content highlighted.

  6. Save the text file in a .pem format. This is the identity provider certificate.

    Tip: Use this certificate later when you're configuring SSO for ThousandEyes in the "Configuring SSO for ThousandEyes" section.
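The steps above can also be scripted. The following Python sketch is an added example, not part of the Oracle or ThousandEyes documentation: it selects the signing certificate under md:IDPSSODescriptor (the metadata can carry more than one dsig:X509Certificate), writes it in PEM form, and returns a SHA-256 fingerprint together with the entityID that is entered later as the Identity Provider Issuer. The sample metadata, its entityID, and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for DER certificates (not real certs).
SIGN_DER = b"constructed signing-cert placeholder " * 4
ENC_DER = b"constructed encryption-cert placeholder " * 4

def b64_lines(der, width):
    """Base64-encode and wrap to a fixed line width."""
    s = base64.b64encode(der).decode()
    return "\n".join(s[i:i + width] for i in range(0, len(s), width))

# Constructed sample metadata; the entityID is a placeholder value.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:dsig="{NS['dsig']}" entityID="https://idp.example.invalid/fed">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>
{b64_lines(SIGN_DER, 76)}
  </dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>
{b64_lines(ENC_DER, 76)}
  </dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_signing_cert(metadata_xml):
    """Return (entity_id, pem, sha256_hex) for the IdP signing certificate."""
    if "<!DOCTYPE" in metadata_xml:  # SAML metadata never needs a DTD
        raise ValueError("DTD found in metadata; refusing to parse")
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' covers both purposes
            continue
        for el in kd.iterfind(".//dsig:X509Certificate", NS):
            certs.add("".join((el.text or "").split()))  # strip line breaks
    if len(certs) != 1:  # several usually means key rollover: choose deliberately
        raise ValueError(f"expected 1 IdP signing certificate, found {len(certs)}")
    der = base64.b64decode(certs.pop(), validate=True)
    pem = ("-----BEGIN CERTIFICATE-----\n" + b64_lines(der, 64)
           + "\n-----END CERTIFICATE-----\n")
    return root.get("entityID"), pem, hashlib.sha256(der).hexdigest()

if __name__ == "__main__":
    entity_id, pem, fingerprint = idp_signing_cert(SAMPLE_METADATA)
    print(entity_id, fingerprint, pem, sep="\n")
```

With a real metadata file, running openssl x509 -noout -fingerprint -sha256 on the saved .pem file should report the same digest, which gives a value to compare against the certificate obtained through another channel before uploading it.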

Configuring SSO for ThousandEyes

  1. Using the https://app.thousandeyes.com URL, access ThousandEyes as an administrator. The ThousandEyes Dashboard page appears.

  2. In the upper-right corner, click the user icon, and then click Account Settings. The Account Settings page appears.

  3. Under the Profile tab, locate the User API Tokens section, and then make note of the Basic Authentication Token.

    Tip: Use this Basic Authentication Token while enabling user provisioning for the ThousandEyes app in Oracle Identity Cloud Service. See the "Enabling Provisioning" section.

  4. Locate and click the Organization tab.

  5. Next to Security & Authentication, click Edit.

  6. Under the Setup Single Sign-On section, select the Enable Single Sign-On check box.

  7. For Configuration Type, under the Static tab, use the following table to update the federated authentication attributes, and then click Save.

    Attribute | Settings
    Login Page URL | Enter the Login Page URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/sso.
    Identity Provider Issuer | Enter the Entity ID/Issuer URL. Use the metadata file that you downloaded earlier in the "What Do You Need" section to obtain the Entity ID/Issuer URL. The Entity ID/Issuer URL information is located in the first line of the metadata.
    Service Provider Issuer | Enter https://app.thousandeyes.com.
    Verification certificates | Upload the certificate file that you obtained earlier in the "Obtaining the Identity Provider Certificate" section.

Configuring ThousandEyes in Oracle Identity Cloud Service

Use this section to register and activate the ThousandEyes app, and to enable provisioning and synchronization for ThousandEyes.

Registering and Activating the ThousandEyes App

  1. Access the Identity Cloud Service console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for ThousandEyes, click Add, and then click Next.

  4. To enable provisioning and synchronization for ThousandEyes, click Next. Oracle Identity Cloud Service displays the Provisioning page.

Enabling Provisioning and Synchronization for ThousandEyes

Use this section to enable provisioning and synchronization for managing user accounts in ThousandEyes through Oracle Identity Cloud Service.

Enabling Provisioning

  1. In the Provisioning page, select Enable Provisioning.

  2. Under the Configure Connectivity section, enter the Administrator UserName and Basic Authentication Token.

    Note: You obtained the Basic Authentication Token while performing the steps in the "Configuring SSO for ThousandEyes" section.

  3. Click Test Connectivity. A success message is displayed, stating that the connection is successful.

  4. To view predefined attribute mappings between the user account fields defined in ThousandEyes and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

    Note: To add a new attribute for provisioning, click Add Row, specify the attributes in the User and ThousandEyes Account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the ThousandEyes Account column.

  5. Specify the provisioning operations that you want to enable for ThousandEyes:

    Note: By default, the Create Account, Update Account, and Delete Account check boxes are selected.

    Create Account: Automatically creates a ThousandEyes account when ThousandEyes access is granted to the corresponding user in Oracle Identity Cloud Service.

    Update Account: Automatically updates a ThousandEyes account when the corresponding user is edited in Oracle Identity Cloud Service.

    Delete Account: Automatically removes an account from ThousandEyes when ThousandEyes access is revoked from the corresponding user in Oracle Identity Cloud Service.

Enabling Synchronization

  1. In the Provisioning page, select Enable Synchronization.

  2. From the User Identifier drop-down list, select the Oracle Identity Cloud Service user attribute that you want to match with the corresponding record fetched from ThousandEyes:

    Note: By default, the Primary Email Address option is selected from the drop-down list. Leave this default attribute for accurate synchronization of user records.

    Primary Email Address: Primary email address of the Oracle Identity Cloud Service user.

    User Name: User name of the Oracle Identity Cloud Service user.

  3. To match a ThousandEyes account attribute with the existing Oracle Identity Cloud Service user, select an attribute from the Application Identifier drop-down list.

    Note: By default, the name option is selected. This option represents the Email attribute of the ThousandEyes account. Don't change this default option.

  4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

    Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service user based on the defined User Identifier and Application Identifier fields. 

    Link but do not confirm: Automatically links all matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields. You need to confirm the linked accounts manually. 

  5. In the Max. number of creates field, enter a number that's greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.

  6. In the Max. number of deletes field, enter a number that's greater than or equal to 10. This value limits the number of accounts to be deleted during the synchronization run.

    After enabling provisioning and synchronization for ThousandEyes, you can synchronize the existing account details from ThousandEyes and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

    You can also manage ThousandEyes accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups chapters in Administering Oracle Identity Cloud Service.

  7. Click Finish, Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (an identity-provider-initiated SSO) and ThousandEyes (a service-provider-initiated SSO).

Verifying the Identity-Provider-Initiated SSO from Oracle Identity Cloud Service

  1. Using the https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole URL, access the Oracle Identity Cloud Service My Profile console.

  2. Log in using credentials for a user that's assigned to the ThousandEyes app. Under My Apps, Oracle Identity Cloud Service displays a shortcut to ThousandEyes.

  3. Click ThousandEyes. The ThousandEyes home page appears.

  4. In the upper-right corner of the header menu, click the user icon, and then confirm that the user that's logged in is the same for both ThousandEyes and Oracle Identity Cloud Service.

    This confirms that SSO that's initiated from Oracle Identity Cloud Service works.

Verifying the Service-Provider-Initiated SSO from ThousandEyes

  1. Using the https://app.thousandeyes.com URL, access ThousandEyes, and then click Single sign-on.

  2. Enter your email address, and then click Log In. You're redirected to the Oracle Identity Cloud Service Sign In page.

  3. Log in using credentials for a user that's assigned to the ThousandEyes app. The ThousandEyes home page appears.

  4. In the upper-right corner of the header menu, click the user icon, and then confirm that the user that's logged in is the same for both ThousandEyes and Oracle Identity Cloud Service.

    This confirms that SSO that's initiated from ThousandEyes works.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

ThousandEyes displays the message, "Can't proceed with SSO authentication. Please review your email address."

Cause: When user accounts are synchronized, the user account imported from ThousandEyes is linked to an incorrect user in Oracle Identity Cloud Service.

Solution: Under the ThousandEyes application in Oracle Identity Cloud Service, ensure that the imported user account is linked to the correct user.

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service ThousandEyes app and ThousandEyes is deactivated.

Solution 1:

  • Access the Identity Cloud Service console, select Applications, and then select ThousandEyes.
  • In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the ThousandEyes app using Oracle Identity Cloud Service.

Solution 2:

  • Access the Identity Cloud Service console, select Applications, and then select ThousandEyes.
  • In the App Details section, select Users, and then click Assign to reassign the user.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.