Setting up Just-in-Time provisioning for SAML SSO

For partners subscribed to Basic with SSO 2021, Select with SSO 2021, and Enterprise plans.

Introduction

If you are using SAML (Security Assertion Markup Language) SSO with an identity provider supporting SAML 2.0, your configuration may be further customized to allow for Just-in-Time provisioning. This allows you to have IT Glue users created automatically the first time they access IT Glue using SSO.

How it works

Just-in-Time provisioning works with your SAML identity provider to pass key identifying information to the connected application using SAML 2.0. In IT Glue, this is the email address used to authenticate with the SAML identity provider.

Prerequisites

  • You must have Administrator level access to IT Glue.
  • SAML SSO Provider supporting SAML 2.0
  • You must already have single sign-on set up. Please see our Setting up single sign-on (SSO) to IT Glue KB article for more details.

Instructions

  1. Under Enable SAML SSO, set Auto-Provision IT Glue Users to On, and choose a Role to be assigned to all new users created through Just-in-Time provisioning. You can also assign these users to security groups and grant organizational access.


    Screen_Shot_2019-01-24_at_1.58.28_PM.png

  2. Click Save to complete the process.

That's it! Now when an user has provisioned IT Glue in their SSO application, clicking through to IT Glue will automatically provision a user for them with your configured default role, group membership, and organization access.

Configuring Group Assignment with Custom SAML Attributes

If your identity provider (e.g. Okta, OneLogin, Microsoft) uses custom attributes to group users, you can automatically add new users to these IT Glue groups using the existing SAML Auto-Provision IT Glue Users feature.

Okta

Prerequisite

  • The IDP provider must allow you to specify custom attributes.

Procedure

To add group attribute statements to the SAML assertion from Okta, follow these simple steps:

  1. In the Group Attribute Statements section in Okta:
    1. Enter the Name of the group attribute in your SAML app.
    2. Select a Name Format.
    3. Choose a filtering option for your expression: 
      • Starts with
      • Equals
      • Contains
      • Matches regex
    4. Enter the expression that will be used to match against the Okta GroupName values and added to the SAML assertion.
    5. Click Add Another to add an additional group statement.
    6. Repeat the steps until you define all necessary groups

      Group_Attributes.png

      The group names will now be passed in Okta SAML assertion. If the spelling for the sent groups matches an IT Glue group in terms of spelling, those groups will be applied during the creation of a new user in IT Glue.

Microsoft Azure Active Directory

Prerequisites

  • Access to Azure Active Directory Groups
  • Administrator role in IT Glue

Procedure

  1. Login into your Azure Active Directory Portal.
  2.  In the sidebar click Groups.
  3. Click on a group that you wish to use for automatic IT Glue group assignment.
  4. Click on the Copy icon to copy the value presented in the Object ID row.

    ObjectID.png
  5. In IT Glue, navigate to Account > Groups.
  6. Click Edit on a group you wish to use for automatic assignment.

    Edit_Group.png
  7.  In the Group Description field, paste the object ID from Azure AD with the following format.
        <ad-group-id:TENANT_GROUP_ID>
     Example:<ad-group-id:c8217c68-c016-4057-b4a1-08fb971b44bc>

    Group_Description.png
  8. Save your changes.

OneLogin

Prerequisite

  • Access to the OneLogin Administration panel.

Procedure

Manually add groups in the custom fields for each user in the OneLogin portal. When added, IT Glue  will be able to detect and match the groups for assignment.

  1. Login into your OneLogin Portal.
  2. Navigate to Users > Custom User Fields.
  3. Click New User Field to create the new custom field. Once created, the custom user fields appear on the edit user page below the personal information fields.

    CustomField.png

Group Matching Logic

The following table describes how the matching logic works between an IDP and IT Glue for various scenarios.

Scenario Matching Logic

Some groups from the IDP matches with IT Glue.

IT Glue applies as many groups that are successfully matched. The unmatched groups are not applied.

No Groups from the IDP match with IT Glue.

Group(s) specified in the Group Membership section of the Auto-Provision IT Glue Users feature are applied.

The IDP does not provide any group to IT Glue.

Group(s) specified in the Group Membership section of the Auto-Provision IT Glue Users feature are applied.

Common Questions

Do automatically provisioned users count towards my license usage?

All non-Lite users provisioned using Just-in-Time provisioning count towards your paid license usage.

Can I de-provision users through my SAML identity provider?

User de-provisioning is not supported through the SAML application. Please see our Adding and removing users KB article for more information on managing users.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us
Provide feedback for the Documentation team!