Configuring single sign-on (SSO) using Centrify

For partners subscribed to Basic with SSO 2021, Select with SSO 2021, and Enterprise plans.

In this article, you'll learn how to configure SSO on your IT Glue account using Centrify. This integration lets your users log in to IT Glue with the same credentials that they use to log in to other cloud-based apps.

If you are configuring SSO for MyGlue using Centrify, the instructions are the same, but you will need to enter different values when configuring Centrify and your MyGlue account settings page. See the Configuring MyGlue section for the values that you'll need to substitute at key steps within this KB article.

Prerequisites

  • You must have Administrator level access to IT Glue to configure SSO on your account.
  • Ensure your users are provisioned in the identity provider (Centrify), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.
  • Before turning this feature on, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. Alternatively, you can also log in to two separate browsers.

Instructions

Configuring Centrify

These instructions will walk you through the steps to configure Centrify SSO. If you run into any problems, you can also refer to Centrify's documentation.

  1. From the Centrify Admin Portal, navigate to Apps > Web Apps > Add Web Apps.
  2. In the Add Web Apps window, click the Custom tab.
  3. Find the SAML web application and click Add. Click Yes to add the application and then click Close. The application is now added.
  4. The application that you just added opens in the Settings page.
  5. Click Trust in the left-hand menu.


In the Trust page, you will enter the fields and controls for SAML information that will be required by the web application Service Provider. There are two main sections in this page: Identity Provider Configuration and Service Provider Configuration.

  • Identity Provider Configuration - The default selection in this section is Metadata. Leave all the fields as is.
  • Service Provider Configuration - Click on the Manual Configuration radio button. Update the following fields and click Save when finished.
    Fields in Centrify, with the value to be entered for each:

    • SP Entity ID / Issuer / Audience - Enter the Entity ID that your SAML application vendor supplies. This Entity ID is also known as Service Provider Issuer or Audience.
      Value to be entered: https://domain.itglue.com/
    • Assertion Consumer Service (ACS) URL - The Assertion Consumer Service (ACS) URL specifies the URL to which the Centrify Privileged Access Service sends the SAML response.
      Value to be entered: https://domain.itglue.com/saml/consume
    • Recipient Same as ACS URL
      Value to be entered: Checked
      NOTE  Only uncheck the checkbox and enter the Recipient value when the Service Provider instructs you to do so.
    • Sign Response or Assertion - The Service Provider will specify the Response or Assertion to be signed. Click the applicable button.
      Value to be entered: Response
    • <NameID> Format - The Service Provider will specify the NameID format to use. If unknown, leave the format as unspecified.
      Value to be entered: Change from “unspecified” to emailAddress
    • Authentication Context Class - If the Service Provider specifies the Authentication Context Class to use, select the applicable option. If unknown, leave the option as unspecified.
      Value to be entered: Unspecified


  1. Click on SAML Response in the left-hand column.
  2. In the Custom Logic field, delete the default script and paste the below text replacing subdomain with your IT Glue subdomain. Click on the Save button.
    setVersion('2');
    setIssuer(Issuer);
    setSubjectName(LoginUser.Username);
    setNameFormat('emailAddress');
    setAudience('https://subdomain.itglue.com');
    setRecipient(ServiceUrl);
    setSignatureType('Response');
    setHttpDestination(ServiceUrl);


  3. Click on Permissions in the left-hand column and then on Add.
  4. In the Select User, Group, or Role window that appears, use the search bar to find a user.
  5. Click the checkbox beside the user's name and click Add.
  6. In the Permissions screen, ensure that Grant, View, Run, and Automatically Deploy are all checked. Click the Save button.
  7. Click on Account Mapping in the left-hand menu.
  8. Under Directory Service field name, type in mail, and then click on the Save button.

Leave the Centrify window open as you continue on to configuring IT Glue. You will need to refer to it frequently in the next section of this KB.
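The following is an added example, not IT Glue or Centrify code: a field-level check of a captured SAMLResponse (the base64 form value posted to the ACS URL) against the Trust settings and Custom Logic script above. Assumptions: values are compared as exact strings, so a trailing slash counts as a difference; the issuer, user and empty Signature element in the sample are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(b64_response, entity_id, acs_url, email):
    """List mismatches between a captured SAMLResponse and the Trust settings.
    Field comparison only: the XML signature itself is NOT verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:              # setHttpDestination(ServiceUrl)
        problems.append("Destination differs from ACS URL")
    if root.find("ds:Signature", NS) is None:           # setSignatureType('Response')
        problems.append("no Signature directly under Response")
    audience = root.findtext(".//saml:Audience", "", NS)
    if audience != entity_id:                           # setAudience(...)
        problems.append(f"Audience {audience!r} != {entity_id!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:  # setRecipient(ServiceUrl)
        problems.append("Recipient differs from ACS URL")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    elif (name_id.text or "").strip() != email:         # prerequisite: same email as IT Glue
        problems.append("NameID does not equal the account email")
    return problems

# Constructed sample response (placeholder issuer, user and empty Signature element).
ACS = "https://subdomain.itglue.com/saml/consume"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Version="2.0" Destination="{ACS}">
 <saml:Issuer>https://idp.example.invalid/issuer</saml:Issuer><ds:Signature/>
 <saml:Assertion Version="2.0"><saml:Subject>
  <saml:NameID Format="{EMAIL_FORMAT}">jane@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://subdomain.itglue.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for entity_id in ("https://subdomain.itglue.com", "https://subdomain.itglue.com/"):
        print(entity_id, check_response(SAMPLE_B64, entity_id, ACS, "jane@example.com"))
```

A captured response contains identity data, so run the check locally and discard the capture afterwards.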

Configuring IT Glue

After setting up Centrify, you need to configure your IT Glue account to authenticate using SAML.

IMPORTANT  It's highly recommended that, before you begin the instructions below, you log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. This is to ensure that you are still logged in to your account in one window in case you are locked out in the other.

  1. Log in to IT Glue and click Account in the top navigation bar.
  2. Click Settings in the sidebar.
  3. Click on the Authentication tab and then turn the Enable SAML SSO toggle switch to ON. Once this is turned on, a form will appear. You will need to collect information from Centrify and enter it into this form.
    • Issuer URL:
      • Navigate to Centrify > Apps > Web Apps > Your SAML Application > Trust.
      • In the Identity Provider Configuration section, click the Metadata radio button, expand the IdP Entity ID / Issuer heading, and click Copy.
      • Paste the link into the Issuer URL field in IT Glue.
    • SAML Login Endpoint URL:
      • Navigate to Centrify > Apps > Web Apps > Your SAML Application > Trust.
      • In the Identity Provider Configuration section, click the Manual Configuration radio button, and click Copy in the Single Sign On URL section.
      • Paste the link into the SAML Login Endpoint URL field in IT Glue.
    • SAML Logout Endpoint URL:
      • Navigate to Centrify > Apps > Web Apps > Your SAML Application > Trust.
      • In the Identity Provider Configuration section, click the Manual Configuration radio button, and click Copy in the Single Logout URL section.
      • Paste the link into the SAML Logout Endpoint URL field in IT Glue.
        Note: IT Glue does not support SSO logout URLs.

    • Fingerprint
      • Navigate to Centrify > Apps > Web Apps > Your SAML Application > Trust.
      • In the Identity Provider Configuration section, click the Manual Configuration radio button and expand the Signing Certificate heading.
      • Copy and paste the thumbprint into the Fingerprint field in IT Glue.

        NOTE  The Centrify Default Tenant Application Certificate can be used, or you can upload your own base-64 encoded X.509 certificate. But be sure to upload the certificate prior to entering any Centrify URLs and the Centrify thumbprint in IT Glue.


    • Certificate:
      • In the Identity Provider Configuration section, click the Manual Configuration radio button and expand the Signing Certificate heading.
      • Click the Download button and open the certificate.
      • Paste the certificate into the Certificate field in IT Glue.

        IMPORTANT  Ensure there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).
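The following is an added example, not IT Glue or Centrify code: a local check for the Fingerprint and Certificate steps above. It flags anything pasted before or after the PEM block, returns a cleaned PEM, and computes digests of the DER bytes to compare with the thumbprint shown in Centrify. Assumptions: the page does not state which digest the thumbprint uses, so both SHA-1 and SHA-256 are computed; the sample bytes are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.+?)" + re.escape(END), re.S)

def inspect_certificate(pasted):
    """Return (cleaned_pem, thumbprints, warnings) for a pasted PEM certificate."""
    m = PEM_RE.search(pasted)
    if m is None:
        raise ValueError("no PEM certificate block found")
    warnings = []
    if pasted[:m.start()]:
        warnings.append("characters before " + BEGIN)
    if pasted[m.end():]:
        warnings.append("characters after " + END)
    # The thumbprint is a digest of the DER bytes, i.e. the decoded base64 body.
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    cleaned = "\n".join([BEGIN, *lines, END])
    thumbs = {alg: hashlib.new(alg, der).hexdigest().upper()
              for alg in ("sha1", "sha256")}
    return cleaned, thumbs, warnings

def same_fingerprint(a, b):
    """Compare two thumbprints, ignoring case, colons and spaces."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(a) == norm(b)

# Constructed input: placeholder bytes, not a real certificate, with the
# trailing whitespace the article warns about.
SAMPLE_DER = bytes(range(90))
SAMPLE_PASTE = (BEGIN + "\n" + base64.b64encode(SAMPLE_DER).decode()
                + "\n" + END + "  \n")

if __name__ == "__main__":
    cleaned, thumbs, warnings = inspect_certificate(SAMPLE_PASTE)
    print(warnings)
    print(thumbs)
```

Use same_fingerprint to compare the computed digest with the thumbprint copied from Centrify before pasting either value into IT Glue.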

Configuring MyGlue

If you are setting up SSO for MyGlue, complete all steps as instructed in the Configuring Centrify section. However, in steps 5 and 8, you need to substitute different values as follows:

  • SP Entity ID / Issuer / Audience - https://app.myglue.com 
  • Assertion Consumer Service (ACS) URL - https://app.myglue.com/saml/consume 
  • In the Custom Logic field, delete the default script and paste the below text. For EU partners, use https://app.eu.myglue.com in the setAudience line.
    setVersion('2');
    setIssuer(Issuer);
    setSubjectName(LoginUser.Username);
    setNameFormat('emailAddress');
    setAudience('https://app.myglue.com');
    setRecipient(ServiceUrl);
    setSignatureType('Response');
    setHttpDestination(ServiceUrl);

Testing SSO authentication

Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.

To make sure SSO is working, perform these steps:

  1. Log out of and close any Centrify browser sessions you have open.
  2. In a new browser session, navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This should redirect you to the identity provider.
  3. Enter your SSO credentials.

After entering your credentials, you should be redirected and logged in to IT Glue.

NOTE  After you test access to IT Glue, determine whether to configure rules in Centrify to require the use of MFA via SSO to access IT Glue.

Common Questions

When the SSO server is unavailable, how do we access our accounts?

If your SSO provider's service is unavailable, you can still log in using your IT Glue username and password at app.itglue.com.

If your SSO is not working, confirm your provider's service is available. Send us an email for assistance.

How do we disable SSO for a user?

To disable a user account, an Administrator or a Manager will need to navigate to the Account > Users page in IT Glue. We don’t currently support disabling user accounts through the SSO server.