Configuring single sign-on (SSO) with AuthAnvil

For partners subscribed to Enterprise plans.

In this article, you'll learn how to configure SSO on your IT Glue account using AuthAnvil On-Demand (cloud). For AuthAnvil On-Premises, refer to these instructions in AuthAnvil's knowledge base.

Prerequisites

  • You must have Administrator level access to IT Glue to configure SSO on your account.
  • Ensure your users are provisioned in the identity provider (AuthAnvil), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.
  • Before turning this feature on, sign in to IT Glue twice - once in a regular browser window and once in an incognito/private window. This ensures that you still have one signed-in session if you get locked out of your account in the other window.

Instructions

Configuring AuthAnvil

To configure and manage SSO, you must have a user group that you can associate with the IT Glue SSO configuration. We included instructions for creating a group. Alternatively, you may have existing groups in AuthAnvil that you can use for the IT Glue SSO integration.

  1. In AuthAnvil, navigate to Directory Manager > Groups.

  2. Click the green plus sign in the bottom right corner.

  3. Enter a name for this group, such as "IT Glue Users," and then click ADD GROUP.

  4. To add users to the group, open the group, click the green plus sign, and then click the add users icon. Check the boxes next to the desired users and then click ADD USERS.

  5. Next, click SSO Manager on the left side of the screen.

  6. Click the green plus sign in the bottom right corner. This displays the catalog icon.

  7. Click the catalog icon.

  8. Search for and select IT Glue from the catalog.

  9. On the Add new Application to the Library dialog, check the Application is Enabled box in the Application Configuration section.

  10. Change the Authentication Policy only if required.
  11. Next, click Protocol Setup and update each of the three URLs in this section, replacing domain with your IT Glue subdomain. The three URLs are labeled:
    1. Assertion Consumer Service URL
    2. Audience URI
    3. Service Entity ID (Issuer)

  12. Click ADD APPLICATION at the bottom of the Add new Application to the Library dialog.
  13. On the next screen, click Permissions at the top of the screen and then click the Add Groups button.

  14. Select the group you created earlier.

  15. Click SAVE CHANGES to finish the setup.
  16. Leave this window open as you configure IT Glue.

Configuring IT Glue

After setting up AuthAnvil, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from AuthAnvil to complete this step.

Important. It's highly recommended that before you begin these next instructions, you sign in to your IT Glue account twice - once in a regular browser window and once in an incognito/private window (or just sign in to two separate browsers).
  1. From Account > Settings, click the Authentication tab.
  2. Use the on/off button to turn on SAML SSO.
  3. The following fields are all required for SSO to function:
    • Issuer URL: Enter the URL that uniquely identifies your SAML identity provider.
      To view this identifier:
      • From AuthAnvil > SSO Manager, open the IT Glue application.
      • Click Protocol Setup at the top of the screen.
      • The identifier is labeled Identity Issuer and looks something like https://itgluedemo.my.authanvil.com/trust
    • SAML Login Endpoint URL: Enter the SAML login endpoint URL of the SAML server. To view the URL:
      • From AuthAnvil, click Launchpad to display the IT Glue application.
      • Right-click the IT Glue logo and copy the link address, which looks something like https://itgluedemo.my.authanvil.com/trust/launch?ApplicationId=4e32201d-1345-4d44-5f91-466565ac05hh
    • SAML Logout Endpoint URL: Enter a URL where IT Glue can redirect users after they sign out of IT Glue. AuthAnvil does not provide this URL, and this value cannot be left empty. Recommended value: https://itgluedemo.my.authanvil.com/apps
    • Fingerprint: You will need the "thumbprint" of the AuthAnvil token-signing certificate.
      To view the thumbprint:
      • From AuthAnvil > SSO Manager, open the IT Glue application.
      • Click Signing and Encryption at the top of the screen.
      • The thumbprint is displayed here and looks something like 83695A38ACD5E481CD195G87891AEF7EDCD00A48
    • Certificate: You will also need the AuthAnvil token-signing certificate from the Signing and Encryption screen. Click the Copy button to get the certificate value.
  4. Enter the information copied from AuthAnvil in the fields provided.
  5. Click Save.
    Warning. Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the sign-in experience for all users on your account.
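
Because saving incomplete or mismatched values breaks sign-in for every user, the copied values can be checked for consistency before you click Save. The following is an added example, not IT Glue or AuthAnvil code: the dictionary keys and sample values are constructed, and it assumes the 40-character thumbprint is the SHA-1 digest of the DER-encoded certificate.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

URL_FIELDS = ("issuer_url", "login_url", "logout_url")  # hypothetical key names

def cert_thumbprint(cert_text):
    """SHA-1 over the DER bytes of a PEM (or bare base64) certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", cert_text)
    der = base64.b64decode(body, validate=True)
    return hashlib.sha1(der).hexdigest().upper()

def check_sso_fields(cfg):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    values = {k: cfg.get(k, "").strip()
              for k in URL_FIELDS + ("fingerprint", "certificate")}
    for key, value in values.items():
        if not value:
            problems.append(f"{key}: required, but empty")
    for key in URL_FIELDS:
        url = urlparse(values[key])
        if values[key] and (url.scheme != "https" or not url.hostname):
            problems.append(f"{key}: not an https URL")
    # Accept "AB:CD:..." or spaced forms; compare as upper-case hex.
    fp = re.sub(r"[\s:]", "", values["fingerprint"]).upper()
    fp_ok = re.fullmatch(r"[0-9A-F]{40}", fp) is not None
    if fp and not fp_ok:
        problems.append("fingerprint: expected 40 hex characters")
    if values["certificate"]:
        try:
            actual = cert_thumbprint(values["certificate"])
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("certificate: not valid base64")
        else:
            if fp_ok and actual != fp:
                problems.append("fingerprint: does not match certificate")
    return problems

# Constructed sample: placeholder bytes stand in for the DER certificate.
DER_SAMPLE = b"constructed placeholder, not a real certificate"
SAMPLE = {
    "issuer_url": "https://idp.example.invalid/trust",
    "login_url": "https://idp.example.invalid/trust/launch?ApplicationId=PLACEHOLDER",
    "logout_url": "https://idp.example.invalid/apps",
    "fingerprint": hashlib.sha1(DER_SAMPLE).hexdigest(),
    "certificate": base64.b64encode(DER_SAMPLE).decode(),
}
print(check_sso_fields(SAMPLE) or "fields are consistent")
```

A fingerprint mismatch usually means the thumbprint and certificate were copied from different applications or from a certificate that has since been rotated.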

Once you make this change, you can test your access.

Testing SSO authentication

Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.

To make sure SSO is working, perform these steps:

  1. Sign out of and close any AuthAnvil browser sessions you have open.
  2. In a new browser session, navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This should redirect you to the identity provider.
  3. Enter your SSO credentials.

After entering your credentials, you should be redirected and signed in to IT Glue.

Note: After you test access to IT Glue, determine whether to set your authentication policy to require the use of MFA via SSO to access IT Glue.

Common Questions

When the SSO server is unavailable, how do we access our accounts?

If the SSO server you specified is unavailable for any reason while you're trying to sign in, authentication will fail. Send us an email for assistance.

How do we disable SSO for a user?

If a member has left your team, and you’d like to disable their user account, an Administrator or Manager will need to delete their account from the Account > Users page in IT Glue. We don't currently support disabling user accounts through the SSO server.
