Configuring single sign-on (SSO) with AuthAnvil

For partners subscribed to Enterprise plans.

In this article, you'll learn how to configure single sign-on (SSO) on your IT Glue account using AuthAnvil On-Demand (cloud). For AuthAnvil On-Premises, refer to these instructions in AuthAnvil's knowledge base.

Prerequisites

  • You must have Administrator level access to IT Glue to configure SSO on your account.
  • Ensure your users are provisioned in the identity provider (AuthAnvil), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.
  • Before turning this feature on, log into IT Glue twice - once in a regular browser window and once in a incognito/private window. This is to ensure that you are still logged into your account if you get locked out of your account in the other window.
  • Ensure that the users and groups have been created within IT Glue before starting the instructions for setting up SSO with AuthAnvil.

Instructions

Configuring AuthAnvil

To configure and manage SSO, you must have a user group that you can associate with the IT Glue SSO configuration. Follow the below instructions to create a group. Alternatively, you may have existing groups in AuthAnvil that you can use for the IT Glue SSO integration.

  1. Log into AuthAnvil and navigate to Directory Manager > Groups.

    AA_DirectoryMgr_Groups.png
  2. Click the green plus sign in the bottom-right corner. A Create New Group column will appear.

    AA_New.png
  3. Enter a name for your new group and then click Add Group at the bottom of the column.

    AA_New_Group_Name.png
  4. To add users to the group, click the vertical ellipsis beside the newly created group in the main screen and then click Edit.

    AuthAnvil-12.png
  5. Click on the green plus sign at the bottom-right corner and then on the Add Users icon. Click the checkbox next to the desired user(s) and then click Add Users.

    AA_Add_Users.png
  6. Click on SSO Manager on the left side of the screen.

    SSO_Manager.png
  7. Click the green plus sign at the bottom-right corner and then on the Catalogue button. Clicking the Catalogue button will open an Add new Application to the Library window.

    AuthAnvil-8.png
  8. Search for and select IT Glue from the catalogue.

    AA_IT_Glue_Catalog.png
  9. In the Add new Application to the Library window, click the Application is Enabled checkbox.

    AuthAnvil-9.png
  10. Next, click Protocol Setup at the top of the screen and update the following three fields in this section by replacing domain with your IT Glue subdomain.
    1. Assertion Consumer Service URL
    2. Audience URL
      1. Click on Edit and then on Save Changes to adjust the URI.
    3. Service Entity ID (Issuer)
  11. Make sure that the Allow Multiple Audiences checkbox is checked.
    AuthAnvil-11.png
  12. Click Add Application at the bottom-right of the screen.
  13. Now that you have added the application, click Permissions at the top of the screen and then click the Add Groups button.

    AA_Group_Access.png
  14. Select the group(s) you created in Step 3 above and click Add Groups.

    AA_Allow_Groups.png
  15. Click Save Changes button to finish the setup.

Leave the AuthAnvil window open as you continue on to configuring IT Glue. You will need to refer to it frequently in the next section of this KB.

Configuring IT Glue

After setting up AuthAnvil, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from AuthAnvil to complete this step.

Important. It's highly recommended that before you begin the below set of instructions, log into your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log into two separate browsers. This is to ensure that you are still logged into your account in case you are locked out in the other window.
  1. Log into IT Glue and click Account from the top navigation bar.
  2. Click Settings in the sidebar.

    Account_Settings___IT_Glue_copy.png
  3. Click on the Authentication tab and then turn the Enable SAML SSO toggle switch to ON. Once this is turned on, a form will appear. You will need to collect information from AuthAnvil and enter it into this form.

    Untitled-2.png
    1. Issuer URL:
      • Navigate to AuthAnvil > SSO Manager and open the IT Glue application.
      • Click Protocol Setup at the top of the screen.
      • Copy the Identify Issuer and paste it into the Issuer URL field in IT Glue.
    2. SAML Login Endpoint URL:
      • Navigate to AuthAnvil > Launchpad.
      • Right-click on the IT Glue text in the logo and click Copy Link Address.
      • Paste the link into the SAML Login Endpoint URL field in IT Glue. Screen_Shot_2019-04-23_at_9.52.53_AM.png
    3. SAML Logout Endpoint URL:
      • Enter a URL where IT Glue can redirect users after they log out of IT Glue. AuthAnvil does not provide this URL and this value cannot be left empty.
      • A recommended value would look something like: https://itgluetest.my.authanvil.com/apps
    4. Fingerprint:
      • Navigate to AuthAnvil > SSO Manager and open the IT Glue application.
      • Click Signing and Encryption at the top of the screen.
      • Copy and paste the thumbprint into the Fingerprint field in IT Glue.
    5. Certificate:
      • Navigate to AuthAnvil > SSO Manager and open the IT Glue application.
      • Click Signing and Encryption at the top of the screen.
      • Click the < > Copy button to get the certificate value.
      • Paste the certificate into the Certificate field in IT Glue.  
Important. Ensure there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).

AuthAnvil-5-2.png

  1. Once all information from Step 3 is copied from AuthAnvil and pasted into the SAML SSO from in IT Glue, click Save.

Account_Settings___IT_Glue-2-2.png

Warning. Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.

Testing SSO authentication

Before you configured SSO, you should have logged into IT Glue in two separate browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO and investigate the cause.

To make sure SSO is working, perform these steps:

  1. Log out of and close any AuthAnvil browser sessions you have open.
  2. Open a new browser session and navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This will redirect you to the identity provider.
  3. Enter your SSO credentials.

After entering your credentials, you should be redirected and logged into IT Glue.

Setting your authentication policy

Finally, determine whether to set your authentication policy to require the user of MFA via SSO to access IT Glue.

  1. In AuthAnvil, click on Policy Manager on the left side of the screen and then on Default Auth Policy.

AuthAnvil-6-2.png

  1. In the next screen, make the required changes to your authentication policy by clicking on the + Add Additional Rule button in the top-right corner. An example would look like:

AuthAnvil-10-2.png

  1. Click on Save Changes.

Common Questions

When the SSO server is unavailable, how do we access our accounts?

If your SSO provider's service is unavailable, you can still login using your IT Glue username and password at app.itglue.com.

If your SSO is not working, confirm your provider's service is available. Send us an email for assistance.

How do we disable SSO for a user?

To disable a user account, an Administrator or a Manager will need to navigate to the Account > Users page in IT Glue. We don’t currently support disabling user accounts through the SSO server.

Was this article helpful?
2 out of 2 found this helpful
Have more questions? Contact us