Configuring single sign-on (SSO) with Azure

For partners subscribed to Basic with SSO 2021, Select with SSO 2021, and Enterprise plans.

This article explains how to configure the SAML SSO integration of the new Azure AD portal and IT Glue. These instructions apply to the newer Azure portal interface.

If you are configuring SSO for MyGlue using Azure, the instructions are the same but you will need to enter different values when configuring Azure and your MyGlue account settings page. Click here to see the different values that you'll need to substitute in at key steps within this KB article.

Prerequisites

  • Microsoft Azure account with Azure AD Premium activated.
  • Administrator level access to IT Glue and a Global Admin or Co-admin account in Azure.
  • All of your users under your account in IT Glue will need an account in Azure Active Directory with exactly the same email address. We don’t create user accounts under SSO.
  • Before turning this feature on, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. Alternatively, you can also log in to two separate browsers.

Instructions

  1. Log in to the Azure portal (https://portal.azure.com/). In the left-hand menu, click Azure Active Directory > Enterprise applications.
    ITG_Software_Inc____Overview_-_Azure_Active_Directory_admin_center.png
  2. Click + New application at the top of the screen.
    Enterprise_applications___All_applications_-_Azure_Active_Directory_admin_center.png
  3. Click the Non-gallery application button.
    Add_an_application_-_Azure_Active_Directory_admin_center.png
  4. Give the new application a name and then click the Add button at the bottom of the screen. This will add a custom application to your Azure Active Directory.
    Add_your_own_application_-_Azure_Active_Directory_admin_center.png

    NOTE  If you do not have Azure AD Premium activated, you will not be able to enter the name of the application and an invite message to upgrade to Premium will appear.

  5. Once the application loads, click Users and groups in the left-hand menu. Click + Add user to assign users or user groups to this application.
    Happy_Frog_SSO___Users_and_groups_-_Azure_Active_Directory_admin_center.png
  6. Next, click Single sign-on in the left-hand menu and then on the SAML button.
    Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center.png

Configuring Azure

Basic SAML Configuration

  1. In the setup screen, click the pencil icon in the Basic SAML Configuration box.
    Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-2.png
  2. Enter the following URLs in the fields provided, replacing subdomain with your subdomain:
    • Identifier (Entity ID) - Enter your IT Glue subdomain, e.g. https://subdomain.itglue.com
    • Reply URL (Assertion Consumer Service URL) - Enter https://subdomain.itglue.com/saml/consume
    • Sign on URL - Enter https://subdomain.itglue.com
    • Relay State - Skip. This is an optional parameter used to tell the application where to redirect the user after authentication is completed.
    • Logout URL - Enter a URL where IT Glue can redirect users after they log out of IT Glue.
      Note: IT Glue does not support SSO logout URLs.
      Configuring_single_sign-on__SSO__with_Azure_-_REVISION_2_-_Google_Docs.png
  3. Be sure to fill in your IT Glue subdomain where it says subdomain. Note that there's no trailing slash at the end of the URL. Click Save at the top of the form when finished.

User Attributes & Claims

  1. Return to the setup screen and click the pencil icon in the User Attributes & Claims box.
    Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-3.png
  2. Click Unique User Identifier (Name ID)
    User_Attributes___Claims_-_Azure_Active_Directory_admin_center.png
  3. Enter a name and select user.mail in the Source attribute drop-down menu. Click Save at the top of the form.
    Manage_claim_-_Azure_Active_Directory_admin_center.png

SAML Signing Certificate

  1. Return to the setup screen and click the pencil icon in the SAML Signing Certificate box.
    Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-4.png
  2. Enter a notification email for the certificate expiry reminders. Click Save at the top of the form.
    SAML_Signing_Certificate_-_Azure_Active_Directory_admin_center.png
  3. Back in the setup screen, click to download the Certificate (Base64) to save the certificate file on your computer and copy the Thumbprint.
    Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-7.png

Setup <Your Application Name>

  1. Return to the setup screen and click the View step-by-step instructions link in the Setup <Your Application Name> box.
    Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-5.png
  2. Review the documentation that will guide you through filling out the:
    • Login URL (a.k.a. SAML Single Sign-On Service URL)
    • Azure AD Identifier (a.k.a. SAML Entity ID), and
    • Logout URL (a.k.a. Sign-out URL) fields.

Test Single Sign-on with <Your Application Name>

  1. Return to the setup screen and click the Test button in the Test Single Sign-on with <Your Application Name> box to check if single sign-on is working.
    Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-6.png

Leave the Azure portal open as you continue onto configuring IT Glue. You will need to refer to it frequently in the next section of this KB.

Configuring IT Glue

After setting up Azure, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Azure to complete this step.

IMPORTANT  It's highly recommended that before you begin the below set of instructions, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. This is to ensure that you are still logged in to your account in case you are locked out in the other window.

  1. Log in to IT Glue and click Account from the top navigation bar.
  2. Click Settings from the sidebar.
  3. Click the Authentication tab and then turn the Enable SAML SSO toggle switch to ON. Once this is turned on, a form will appear. You will need to collect information from Azure and enter it into this form.

    • Copy the Azure AD Identifier (a.k.a. SAML Entity ID) and paste it in the Issuer URL field. 
    • Copy the Login URL (a.k.a. SAML Single Sign-On Service URL) and paste it in the SAML Login Endpoint URL field. 
    • Copy the Logout URL (a.k.a. Sign-out URL) and paste it in the SAML Logout Endpoint URL field. 
    • Go back to the previous page of the Azure settings and copy the Thumbprint and paste it in the Fingerprint field. 
    • Open your Base64-encoded SAML Signing Certificate downloaded from Azure portal in Notepad, copy the content of it onto your clipboard, and then paste it in the Certificate field.

      IMPORTANT  Ensure there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).

      To  allow users to log in only with their SSO provider, enable Enable SSO Access Control option.
  4. Click Save to complete the set up of your account.

    IMPORTANT  Warning. Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.

Once you make this change, you can test your access.

Configuring MyGlue

If you are setting up SSO for MyGlue, complete all steps as instructed in the Configuring Azure - Basic SAML Configuration  section. However, in step 2, you need to substitute different values as follows:

When you reach the Configuring IT Glue section above, navigate instead to Account > MyGlue. In the Actions drop-down menu, select Edit. Then, scroll down to the Single Sign-on section and toggle the Enable SAML SSO switch to ON. Then, complete step 3 in that section section but use the following values:

For EU partners, please use https://app.eu.myglue.com

Finally, head back to the Azure portal and navigate to Azure Active Directory > Enterprise applications. Locate and open your newly created application in the list. In the left-hand menu, click Properties. Review the User assignment required toggle options:

  • If you toggle the switch to YES, then users must first be assigned to this application before being able to access it. You will need to grant each new Azure user access to MyGlue.
  • If you toggle the switch to NO, then any users who navigate to the application deep-link URL or application URL directly will be granted access. All new Azure users created will automatically have access to MyGlue.
    MyGlue_SSO_Properties.png

Testing SSO authentication

In the above section, you should have created two IT Glue browser sessions. If you are locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.

To make sure SSO is working, perform these steps:

  1. Log out of and close the Azure management portal and the Azure AD access panel.
  2. In a new browser session, navigate directly to the access panel at http://myapps.microsoft.com.
  3. Enter your Azure AD credentials to log in. After authentication, you will be able to interact with the applications integrated with the directory.
  4. Click on the SSO application you created to be redirected and logged in to IT Glue.

Another way to test SSO access is to go to your account subdomain (mycompany.itglue.com) directly.

Common Questions

When the SSO server is unavailable, how do we access our accounts?

If your SSO provider's service is unavailable, you can still login using your IT Glue username and password at app.itglue.com.

If your SSO is not working, confirm your provider's service is available. Send us an email for assistance.

How do we disable SSO for a user?

To disable a user account, an Administrator or a Manager will need to navigate to the Account > Users page in IT Glue. We don’t currently support disabling user accounts through the SSO server.