Configuring single sign-on (SSO) for Duo

For partners subscribed to Basic with SSO 2021, Select with SSO 2021, and Enterprise plans.

In this article, you'll learn how to configure SSO on your IT Glue account using Duo.

If you are configuring SSO for MyGlue using Duo, the instructions are the same but you will need to enter different values when configuring Duo and your MyGlue account settings page. Click here to see the different values that you'll need to substitute in at key steps within this KB article.

Prerequisites

  • You must have Administrator level access to IT Glue to configure SSO on your account.
  • Ensure your users are provisioned in the identity provider (Duo), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.
  • Before turning this feature on, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. Alternatively, you can also log in to two separate browsers.

Instructions

Configuring Duo

  1. Log onto the Duo Admin Panel and navigate to Applications > Protect an Application in the left-hand menu.
  2. Type service provider in the search field and click Protect the Application in the search return.
    Protect_an_Application_-_Applications_-_IT_Glue_Test_-_Duo.png
  3. In the Service Provider section of the configuration page, enter the following information:
    • Service Provider Name - IT Glue
    • Entity ID - https://subdomain.itglue.com
    • Assertion Consumer Service - https://subdomain.itglue.com/saml/consume
      SAML_-_Service_Provider_-_Applications_-_IT_Glue_Test_-_Duo.png
  4. In the SAML Response section, use the settings shown below:
    generic-saml_2x-2.png
  5. Save the application and click on Download your configuration file.
    SAML_-_Service_Provider_-_Applications_-_IT_Glue_Test_-_Duo.png
  6. Navigate to the Duo Access Gateway server's console and click the Configure icon in the Duo Access Gateway application group.
  7. Click Applications and then on Choose File in the Add Applications section. Locate and upload the SAML application JSON file you downloaded in step 5.
    Duo_Access_Gateway_-_Generic_SAML_Service_Provider___Duo_Security.png
  8. Navigate back to the Duo Access Gateway page admin console's Applications page. You will need the information in the Metadata section in the next part of this KB article.
    Duo_Access_Gateway_-_Generic_SAML_Service_Provider___Duo_Security-2.png

Configuring IT Glue

After setting up Duo, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Duo to complete step.

IMPORTANT  It's highly recommended that before you begin the below set of instructions, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. This is to ensure that you are still logged in to your account in case you are locked out in the other window.

  1. Log in to IT Glue and click Account in the top navigation bar.
  2. Click Settings from the sidebar.
    Account_Settings___IT_Glue_copy.png
  3. Click on the Authentication tab and then turn the Enable SAML SSO toggle switch to ON. Once this is turned on, a form will appear. you will need to collect information from Duo and enter it into this form.
    Untitled-2_copy.png
    • Copy the Duo Entity ID and paste it into the IT Glue Issuer URL field.
    • Copy the Duo Login URL and paste it into the IT Glue SAML Login Endpoint URL field.
    • Copy the Duo Logout URL and paste it into the IT Glue SAML Logout Endpoint URL field.
    • Copy the Duo SHA-1 Fingerprint and paste it into the IT Glue Fingerprint field.
    • Download the Duo certificate and paste it into the IT Glue Certificate field.

      IMPORTANT  Ensure there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).
      Note: IT Glue does not support SSO logout URLs.

  4. Click Save to complete the setup of your account.

    IMPORTANT  Warning. Click Save only when all information has been entered. If you turn on SSO before the information is entered, it will break the login experience for all users on your account.

Once you make this change, you can test your account.

Configuring MyGlue

If you are setting up SSO for MyGlue, complete all steps as instructed in the Configuring Duosection. However, in step 3, you need to substitute different values as follows:

  • Service Provider Name - MyGlue
  • Entity ID - https://app.myglue.com
  • Assertion Consumer Service - https://app.myglue.com/saml/consume

How do we disable SSO for a user?

To disable a user account, an Administrator or a Manager will need to navigate to the Account > Users page in IT Glue. We don’t currently support disabling user accounts through the SSO server.