Configuring single sign-on (SSO) using Centrify

For partners subscribed to Enterprise plans.

In this article, you'll learn how to configure SSO on your IT Glue account using Centrify. This integration lets your users sign in to IT Glue with the same credentials that they use to sign in to other cloud-based apps.

Prerequisites

  • You must have Administrator level access to IT Glue to configure SSO on your account.
  • Ensure your users are provisioned in the identity provider (Centrify), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.
  • Before turning this feature on, sign in to IT Glue twice - once in a regular browser window and once in an incognito/private window. This ensures that you are still signed in to your account in one window if you get locked out in the other.

Instructions

Configuring Centrify

These instructions will walk you through the steps to configure Centrify SSO. If you run into any problems, you can also refer to Centrify's documentation.

  1. From the Centrify Identity Service Console, navigate to Apps and then click Add Web Apps.


  2. In the Add Web Apps dialog, select the Custom tab.


  3. Find the SAML web application and click Add. Confirm your choice in the dialog box by clicking Yes. Then click Close. The application is now added.


  4. The application that you just added opens to the Application Settings page.
  5. Here, you will need to enter one URL. The Assertion Consumer Service URL will be https://subdomain.itglue.com/saml/consume, replacing subdomain with your IT Glue subdomain.


  6. Click Save.
  7. Click Description from the sidebar and enter "IT Glue" as the application name.


  8. Specify a Category for this web application (or leave as "Other").
  9. Click User Access from the sidebar and select the role(s) that represent the users and groups that have access to the application.

    When assigning an application to a role, select either Automatic Install or Optional Install:
    - If you select Automatic Install, the IT Glue application appears automatically for users.
    - If you select Optional Install, the application doesn't automatically appear and users have the option to add the application.


  10. Click Save.
  11. Click Account Mapping from the sidebar.
  12. Select the Use the following Directory Service field to supply the user name option and enter "mail" as the Directory Service field name.


  13. Click Save.
  14. Click Advanced from the sidebar.
  15. Delete the default script in the script field.
  16. Next, copy and paste the following into the script field, replacing subdomain with your IT Glue subdomain:

    setVersion('2');
    setIssuer(Issuer);
    setSubjectName(LoginUser.Username);
    setNameFormat('emailAddress');
    setAudience('https://subdomain.itglue.com');
    setRecipient(ServiceUrl);
    setSignatureType('Response');
    setHttpDestination(ServiceUrl);


  17. Click Save.
  18. Click Application Settings.
  19. Leave this window open, and in a different web browser window, sign in to your IT Glue account.
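
The script in step 16 and the "mail" mapping in step 12 determine specific fields of the SAML response that Centrify sends to the Assertion Consumer Service URL. The Python check below is an added example, not code from IT Glue or Centrify: it decodes a base64 SAMLResponse value (as posted by the browser) and reports which of those fields do not match. The function names, the sample data, and the assumption that 'emailAddress' maps to the standard SAML 1.1 NameID URN are this example's own.

```python
import base64
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
D = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": P, "saml": A, "ds": D}
# Assumption: setNameFormat('emailAddress') yields the standard SAML 1.1 URN.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(saml_response_b64, subdomain):
    """Return the settings a captured SAMLResponse gets wrong (field checks only)."""
    acs = f"https://{subdomain}.itglue.com/saml/consume"
    raw = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD found in SAML response; refusing to parse")
    root = ET.fromstring(raw)
    problems = []
    if root.get("Destination") != acs:  # setHttpDestination(ServiceUrl)
        problems.append("Destination")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:  # setRecipient(ServiceUrl)
        problems.append("Recipient")
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != f"https://{subdomain}.itglue.com":
        problems.append("Audience")  # setAudience('https://subdomain.itglue.com')
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format")  # setNameFormat('emailAddress')
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value")  # Account Mapping should supply "mail"
    if root.find("ds:Signature", NS) is None:  # setSignatureType('Response')
        problems.append("Response signature")
    return problems

def sample_response(acs, audience, name="user@example.com"):
    """Build a constructed sample (empty Signature element, not a real response)."""
    xml = (f'<samlp:Response xmlns:samlp="{P}" xmlns:saml="{A}" xmlns:ds="{D}" '
           f'Destination="{acs}"><ds:Signature/><saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{EMAIL_FORMAT}">{name}</saml:NameID>'
           f'<saml:SubjectConfirmation><saml:SubjectConfirmationData '
           f'Recipient="{acs}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
           f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    acs = "https://mycompany.itglue.com/saml/consume"
    print(check_response(sample_response(acs, "https://subdomain.itglue.com"), "mycompany"))
```

The check only confirms that a Signature element is present on the Response; it does not verify the signature against the certificate.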

Configuring IT Glue

After setting up Centrify, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Centrify to finish the configuration.

Important. It's highly recommended that before you begin these next instructions, you sign in to your IT Glue account twice - once in a regular browser window and once in an incognito/private window (or just sign in to two separate browsers).

  1. From Account > Settings, click the Authentication tab.
  2. Use the on/off button to turn on SAML SSO.
  3. Fill out the following fields with information from Application Settings in Centrify:
    • Copy the URL in the Issuer field and paste it in the IT Glue Issuer URL field.
    • Copy the Identity Provider Sign-in URL and paste it in the IT Glue SAML Login Endpoint URL field.
    • Copy the Identity Provider Sign-out URL and paste it in the IT Glue SAML Logout Endpoint URL field.
  4. Enter the Centrify thumbprint and security certificate in the IT Glue Fingerprint and Certificate fields.
    Note: You can use the Centrify Default Tenant Application Certificate or upload your own base-64 encoded X.509 certificate. Be sure to upload the certificate before entering any Centrify URLs and the Centrify thumbprint in IT Glue.
  5. Click Save.
    Warning. Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the sign-in experience for all users on your account.

Once you make this change, you can test your access.

Testing SSO authentication

Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.

To make sure SSO is working, perform these steps:

  1. Sign out of and close any Centrify browser sessions you have open.
  2. In a new browser session, navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This should redirect you to the identity provider.
  3. Enter your SSO credentials.

After entering your credentials, you should be redirected and signed in to IT Glue.

Note: After you test access to IT Glue, determine whether to configure rules in Centrify to require the use of MFA via SSO to access IT Glue.

Common Questions

When the SSO server is unavailable, how do we access our accounts?

If the SSO server you specified is unavailable for any reason while you're trying to sign in, authentication will fail. Send us an email for assistance.

How do we disable SSO for a user?

If a member has left your team, and you’d like to disable their user account, an Administrator or Manager will need to delete their account from the Account > Users page in IT Glue. We don't currently support disabling user accounts through the SSO server.
