Configuring single sign-on (SSO) with Azure

For partners subscribed to Basic with SSO 2021, Select with SSO 2021, and Enterprise plans.

This article explains how to configure the SAML SSO integration of the Microsoft Entra ID portal and IT Glue.

If you are configuring SSO for MyGlue using Azure, the instructions are the same but you will need to enter different values when configuring Azure and your MyGlue account settings page. Refer to Configuring MyGlue.

Prerequisites

  • Microsoft Azure account with Microsoft Entra ID Premium activated.
  • Administrator level access to IT Glue and a Global Admin or Co-admin account in Azure.
  • All of your users under your account in IT Glue will need an account in Microsoft Entra ID with exactly the same email address. We don’t create user accounts under SSO.
  • Before turning this feature on, log in to your IT Glue account twice: once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. Alternatively, you can also log in to two separate browsers.

Instructions

  1. Log in to the Microsoft Azure portal.
  2. Navigate to Microsoft Entra ID.
  3. From the left navigation menu, navigate to Manage > Enterprise applications.
  4. Click New application.
  5. Click Create your own application.
  6. Enter a name for the new application.
  7. Click Create to add the custom application to Microsoft Entra ID.

    NOTE  If you do not have Microsoft Entra ID Premium activated, you will not be able to enter the name of the application and an invite message to upgrade to Premium will appear.

  8. Once the application loads, click Assign users and groups.
  9. Click Add user/group.
  10. Add users or user groups to this application as necessary, and click Assign.
  11. Next, from the left navigation menu, click Single sign-on.
  12. Click the SAML tile.

Configuring Azure

Basic SAML Configuration

  1. In the Basic SAML Configuration tile, click the Edit pencil icon.

  2. Fill in the following fields, replacing [subdomain] with your own IT Glue subdomain:
    • Identifier (Entity ID):
      1. Click Add identifier.
      2. Enter your IT Glue subdomain (as it appears in [subdomain].itglue.com).
    • Reply URL (Assertion Consumer Service URL):
      1. Click Add reply URL.
      2. Enter https://[subdomain].itglue.com/saml/consume.
    • Sign on URL: Enter https://[subdomain].itglue.com.
    • Relay State: This is an optional parameter used to tell the application where to redirect the user after authentication is completed, which you can leave blank.
    • Logout URL: Enter a URL to which IT Glue can redirect users after they log out of IT Glue.

    NOTE  IT Glue does not support SSO logout URLs.

  3. Click Save at the top of the pane when finished.

Attributes & Claims

  1. In the Attributes & Claims tile, click the Edit pencil icon.

  2. Click Unique User Identifier (Name ID).

  3. Fill in the required fields.
  4. From the Source attribute drop-down menu, select user.mail.
  5. Click Save at the top of the page.
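
Because the Name ID is sourced from user.mail and IT Glue accounts must already exist with exactly the same email address, it is worth comparing the two user lists before SSO is enabled. The following check is an added example, not part of IT Glue's or Microsoft's tooling; the input shapes (a list of IT Glue emails and a list of Entra ID records with "upn" and "mail" keys) and all sample values are constructed assumptions.

```python
# Pre-flight comparison of IT Glue user emails against the Entra ID "mail"
# attribute (the Name ID source selected above).
# Both input lists are constructed sample data, not real exports.

def preflight(itglue_emails, entra_users):
    """Classify each IT Glue email by how it lines up with an Entra ID user.

    entra_users: list of dicts with "upn" and "mail" keys (hypothetical
    export shape); "mail" may be None for accounts without a mail value.
    """
    exact = {u["mail"] for u in entra_users if u["mail"]}
    folded = {m.strip().casefold(): m for m in exact}
    report = {"ok": [], "differs_in_case_or_space": [], "missing": []}
    for email in itglue_emails:
        key = email.strip().casefold()
        if email in exact:
            report["ok"].append(email)
        elif key in folded:
            # Same address apart from case/whitespace: not "exactly the same",
            # so flag it for manual correction rather than assuming a match.
            report["differs_in_case_or_space"].append((email, folded[key]))
        else:
            # No Entra ID user carries this address in user.mail.
            report["missing"].append(email)
    # Entra ID users with nothing in the Name ID source attribute.
    report["entra_without_mail"] = [
        u["upn"] for u in entra_users if not u["mail"]
    ]
    return report

ITGLUE = ["alice@example.com", "Bob@example.com", "carol@example.com"]
ENTRA = [
    {"upn": "alice@example.com", "mail": "alice@example.com"},
    {"upn": "bob@example.com", "mail": "bob@example.com"},
    {"upn": "svc-backup@example.com", "mail": None},
]

if __name__ == "__main__":
    for category, entries in preflight(ITGLUE, ENTRA).items():
        print(f"{category}: {entries}")
```

Anything outside the "ok" list should be resolved in Entra ID or IT Glue before the Enable SAML SSO toggle is saved.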

SAML Certificates

  1. In the SAML Certificates tile, click the Edit pencil icon.

  2. In the Notification Email Addresses section, enter a notification email for the certificate expiry reminders.
  3. Click Save at the top of the page.
  4. Back on the setup page, next to Certificate (Base64), click Download to download the certificate file to the default download location on your device.
  5. Copy and securely store the Thumbprint.

Set up [Application Name]

In the Set up [Application Name] tile, copy and securely store the login URL, Microsoft Entra identifier, and logout URL.

Test single sign-on with [Application Name]

  1. In the Test single sign-on with [Application Name] tile, click Test to check if single sign-on is working.

Leave the Azure portal open as you continue on to configuring IT Glue. You will need to refer to it frequently in the next section of this article.

Configuring IT Glue

After completing the preceding configuration steps in Azure, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Azure to complete this step.

IMPORTANT  Before you begin the subsequent set of instructions, it is highly recommended that you log in to your IT Glue account twice: once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. This is to ensure that you are still logged in to your account in case you are locked out in the other window.

  1. From the top navigation menu in IT Glue, click Admin.
  2. On the Settings page, click the Authentication tab.
  3. Turn on the Enable SAML SSO toggle. Once this is turned on, a form will appear. You will need to collect information from Azure and enter it into this form.

    • Copy the Microsoft Entra ID Identifier (a.k.a. SAML Entity ID) and paste it in the Issuer URL field. 
    • Copy the Login URL (a.k.a. SAML Single Sign-On Service URL) and paste it in the SAML Login Endpoint URL field. 
    • Copy the Logout URL (a.k.a. Sign-out URL) and paste it in the SAML Logout Endpoint URL field. 
    • Go back to the previous page of the Azure settings and copy the Thumbprint and paste it in the Fingerprint field. 
    • Open your Base64-encoded SAML Signing Certificate downloaded from Azure portal in Notepad, copy the content of it onto your clipboard, and then paste it in the Certificate field.

      IMPORTANT  Ensure there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).

      To allow users to log in only with their SSO provider, enable the Enable SSO Access Control option.
  4. Click Save to complete the setup of your account.

    IMPORTANT  Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.

Once you make this change, you can test your access.

Configuring MyGlue

If you are setting up SSO for MyGlue, complete all steps as instructed in Configuring your MyGlue account for SSO. However, in step 2, you need to substitute different values as follows:

  • Identifier (Entity ID): https://app.myglue.com
  • Reply URL (Assertion Consumer Service URL): https://app.myglue.com/saml/consume
  • Sign on URL: https://app.myglue.com
  • Logout URL: https://app.myglue.com/logout (EU partners: https://app.eu.myglue.com)

When you reach the Configuring IT Glue section above, navigate instead to Account > MyGlue. In the Actions drop-down menu, select Edit. Then, scroll down to the Single Sign-on section and toggle the Enable SAML SSO switch to ON. Then, complete step 3 in that section but use the following values:

For EU partners, please use https://app.eu.myglue.com

Finally, head back to the Azure portal and navigate to Microsoft Entra ID > Enterprise applications. Locate and open your newly created application in the list. In the left-hand menu, click Properties. Review the User assignment required toggle options:

  • If you toggle the switch to YES, then users must first be assigned to this application before being able to access it. You will need to grant each new Azure user access to MyGlue.
  • If you toggle the switch to NO, then any users who navigate to the application deep-link URL or application URL directly will be granted access. All new Azure users created will automatically have access to MyGlue.

Testing SSO authentication

In the above section, you should have created two IT Glue browser sessions. If you are locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.

To make sure SSO is working, perform these steps:

  1. Log out of and close the Azure management portal and the Microsoft Entra ID access panel.
  2. In a new browser session, navigate directly to the access panel at myapps.microsoft.com.
  3. Enter your Microsoft Entra ID credentials to log in. After authentication, you will be able to interact with the applications integrated with the directory.
  4. Click on the SSO application you created to be redirected and logged in to IT Glue.

Another way to test SSO access is to go to your account subdomain ([subdomain].itglue.com) directly.

FAQ

QUESTION  When the SSO server is unavailable, how do we access our accounts?

ANSWER  If your SSO provider's service is unavailable, you can still log in using your IT Glue username and password at app.itglue.com.

If your SSO is not working, confirm your provider's service is available. Send us an email for assistance.

QUESTION  How do we disable SSO for a user?

ANSWER  To disable a user account, an Administrator or Manager user can navigate to the Users page in IT Glue.

IT Glue does not currently support disabling user accounts through the SSO server.