Setting up single sign-on (SSO) to IT Glue

Introduction

If you're the Administrator on an Enterprise plan, you can let team members access IT Glue by logging in to a central identity provider. Single sign-on (SSO) provides an easy way to access multiple websites or applications using a single account.

Note: This topic provides an overview of the SAML (Security Assertion Markup Language) SSO option in your account settings. We also support JWT-based SSO.

To configure SAML settings for SSO, you need an identity provider that supports SAML 2.0. This widely supported protocol enables web-based authentication scenarios including cross-domain SSO and federated authentication between SaaS applications, like IT Glue, and on-premise directory systems, such as Active Directory. The key to this feature is the intermediary SAML SSO server – also known as the identity provider.

How it works

Authentication to your subdomain (mycompany.itglue.com) is handled by your identity provider. Whenever IT Glue or one of your other apps or sites wants to authenticate you via SSO, they'll redirect you to the identity provider. If you are not logged in, you can log in using your SSO credentials. But if you're already logged in, you won't need to log in again. You are immediately redirected back to IT Glue with the necessary authentication token. This token is used to verify that you are authenticated with the identity provider.

Get Started

Important: Before you begin the instructions below, it is highly recommended that you log in to your IT Glue account twice: once in a regular browser window and once in an incognito/private window. Alternatively, you can log in using two separate browsers. This ensures that you still have an active session in one window if you are locked out in the other.

Start by logging in to IT Glue as an Administrator and navigating to the SSO configuration settings of the identity provider, so that you can configure the two simultaneously. Each of your users will need to be provisioned in the identity provider, with exactly the same email address as their IT Glue user account, since that is how IT Glue will identify them.
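A pre-flight check for the email requirement above, as an added example that is not part of IT Glue's documentation or code. It compares the two user lists and separates exact matches from near misses (differences in case or surrounding whitespace) and from users with no identity provider account at all. The email lists are constructed sample data, and the function names are hypothetical.

```python
# Added example: confirm every IT Glue user has an identity provider (IdP)
# account with exactly the same email address before SSO is switched on.
# Both lists are constructed sample data; in practice they would come from
# user exports of each system (the export format is not covered here).

def normalize(email):
    """Fold case and surrounding whitespace; used only to spot near misses."""
    return email.strip().casefold()

def audit_sso_emails(itglue_emails, idp_emails):
    """Classify each IT Glue email as exact, near_miss or missing in the IdP."""
    idp_exact = set(idp_emails)
    idp_by_norm = {}
    for idp_email in idp_emails:
        idp_by_norm.setdefault(normalize(idp_email), idp_email)

    report = {"exact": [], "near_miss": [], "missing": []}
    for email in itglue_emails:
        if email in idp_exact:
            report["exact"].append(email)
        elif normalize(email) in idp_by_norm:
            # Same mailbox on paper, but not the identical string.
            report["near_miss"].append((email, idp_by_norm[normalize(email)]))
        else:
            report["missing"].append(email)
    return report

ITGLUE_USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
IDP_USERS = ["alice@example.com", "Bob@Example.com ", "dave@example.com"]

if __name__ == "__main__":
    result = audit_sso_emails(ITGLUE_USERS, IDP_USERS)
    for email in result["exact"]:
        print("OK       ", email)
    for itglue_email, idp_email in result["near_miss"]:
        print("FIX      ", itglue_email, "vs IdP value", repr(idp_email))
    for email in result["missing"]:
        print("NO IdP   ", email)
```

Resolve every near miss and missing entry before enabling Enforce SSO Logins, since those users would otherwise have no working way to sign in.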

After configuring SSO in your identity provider, return to IT Glue, navigate to Admin > Settings > Authentication, enable SAML SSO, and paste the following identity provider data into IT Glue.

  • Issuer URL - The URL that uniquely identifies your SAML identity provider. Also called: Issuer, Identity Provider, Entity ID, IdP, IdP Metadata URL.
  • SAML Login Endpoint URL - The SAML login endpoint URL of the SAML server. IT Glue redirects to this URL for SSO if a session isn't already established. Also called: Sign-on URL, Remote login URL, SSO URL, SSO Endpoint, SAML 2.0 URL, Identity Provider Sign-in URL, IdP Login URL, Single Sign-On Service URL.
  • SAML Logout Endpoint URL - A URL where IT Glue can redirect users after they sign out of IT Glue. Also called: SLO Endpoint, SAML Logout URL, Trusted URL, Identity Provider Sign-out URL, Single Sign-Out Service URL.
  • Fingerprint - The appropriate value based on the information provided by your identity provider. Also called: Thumbprint.
  • Certificate - The authentication certificate issued by your identity provider (a base-64 encoded X.509 certificate). Be sure to include the entire certificate, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Also called: Public Certificate, X.509 Certificate.
    Note: IT Glue does not support SSO logout URLs.
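A way to check the Certificate and Fingerprint values before pasting them, as an added example that is not IT Glue's own code: it confirms the PEM text carries both marker lines and computes the fingerprint to compare against the value your identity provider displays. The page does not say which hash IT Glue expects, so computing both SHA-1 and SHA-256 is an assumption; the function names are hypothetical and the sample bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import re

# Matches one complete PEM certificate, including both marker lines.
PEM_RE = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)\s*"
    r"-----END CERTIFICATE-----\Z"
)

def pem_to_der(pem_text):
    """Return the DER bytes of a PEM certificate, or raise ValueError."""
    match = PEM_RE.match(pem_text.strip())
    if match is None:
        raise ValueError("missing or malformed BEGIN/END CERTIFICATE line")
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)

def fingerprints(pem_text):
    """Colon-separated SHA-1 and SHA-256 fingerprints of the certificate."""
    der = pem_to_der(pem_text)
    result = {}
    for alg in ("sha1", "sha256"):
        digest = hashlib.new(alg, der).hexdigest().upper()
        result[alg] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return result

def matching_algorithm(pem_text, pasted_fingerprint):
    """Name the hash whose fingerprint equals the pasted value, else None."""
    wanted = re.sub(r"[\s:\-]", "", pasted_fingerprint).upper()
    for alg, value in fingerprints(pem_text).items():
        if value.replace(":", "") == wanted:
            return alg
    return None

# Constructed placeholder bytes standing in for a DER certificate; a real
# certificate exported from the identity provider is hashed the same way.
SAMPLE_DER = bytes(range(48, 144))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for alg, value in fingerprints(SAMPLE_PEM).items():
        print(alg, value)
```

A `None` result from `matching_algorithm` means the fingerprint and certificate you are about to paste do not belong together, which is worth resolving before enabling SAML SSO.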

To allow users to log in only with their SSO provider, enable the Enforce SSO Logins option.

You should now have a working SSO implementation for IT Glue which you can test by going to your subdomain (mycompany.itglue.com) in a new browser session. This process and the information asked for should be common to all identity providers.

Enable log in with KaseyaOne for IT Glue 

To enable log in with KaseyaOne for IT Glue, do the following:

  1. From the IT Glue home page, navigate to Admin > Settings > Authentication.
  2. Select the Enable Login with KaseyaOne toggle switch in the Single Sign-On (SSO) section.
    When you enable this toggle switch, the Require Log In with KaseyaOne toggle switch is also automatically enabled. This forcibly redirects the user to KaseyaOne for authorization, after which the user is automatically logged in to IT Glue.
    To log in to IT Glue without being forcibly redirected to KaseyaOne for authorization, the administrator should:
  3. To enable users in KaseyaOne who are granted access to IT Glue to have an IT Glue user created automatically, enable the option Enable Automatic User Provisioning.
  4. Choose a Role to be assigned to all new users created.
    Note: By default, the role type will be Editor.
  5. Assign these users to groups. You can select one, multiple or all groups individually or select the option Select All Groups to assign users to all the groups.
    Note: The Select All Groups option will be auto-selected for users with Administrator role. Lite users can be assigned to Groups, but there will not be any impact on which Organizations they can access.
  6. Select the IT Glue Organizations to which the users should have access by using any of the following options:
    • Add All
    • Remove All
    • Allow All Organizations
  7. Click Save to complete the process.
  8. After you select this switch, the KaseyaOne login page automatically opens, prompting you to enter your KaseyaOne credentials (username, password, and company name) and then the verification code.

  9. After you have successfully logged in to KaseyaOne, you will be redirected back to the IT Glue portal.
    Unified login for IT Glue is now enabled and all users will automatically gain access to IT Glue via Log in with KaseyaOne.

Import all IT Glue users to KaseyaOne

After you enable login with KaseyaOne for IT Glue, you can log in to KaseyaOne and follow these steps to import all IT Glue users to KaseyaOne.

  1. Go to Admin Settings of your KaseyaOne account and access Import From Module > IT Glue.
  2. Select the users to import and click Next.
  3. Format the required KaseyaOne settings and click Next.
  4. Click Import.

All the IT Glue users you have selected will now be imported to KaseyaOne.

 

Related Items

If you use one of the identity providers listed below, we have written separate articles that explain how to configure and test your SAML SSO settings that you should read instead:
