Configuring single sign-on (SSO) for G Suite

For partners subscribed to Enterprise plans.

Follow these step-by-step instructions to configure SSO on your IT Glue account using Google as a SAML identity provider. This is great for partners who use Google but haven't yet implemented SSO. By using SSO with Google, you can set up basic SSO authentication without introducing a third-party service such as OneLogin.

Prerequisites

  • You must have Administrator level access to IT Glue to configure SSO on your account. 
  • Ensure your users are provisioned in the identity provider (Google), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.
  • Before turning this feature on, sign in to IT Glue twice: once in a regular browser window and once in an incognito/private window. This ensures that you are still signed in to your account in one window if you get locked out in the other.

Instructions 

Configuring Google

  1. As an administrator on your G Suite account, sign in to https://admin.google.com/.
  2. Click through to Apps > SAML Apps.

  3. Click the blue plus sign icon in the bottom right corner to open a dialog that will help you build a custom app step by step. 

  4. From the Enable SSO for SAML Application step (1/5), click on SETUP MY OWN CUSTOM APP.

  5. From the Google IdP Information step (2/5), you will find an SSO URL and Entity ID, which you will enter in IT Glue later. For now, click Download to download the certificate. You'll need information from it in a moment. Click NEXT.

  6. From the Basic information for your Custom App step (3/5), you can add a name (required), description, and logo in the fields provided to identify the app. Click NEXT.

  7. From the Service Provider Details step (4/5), enter the required information below. When you're done entering the information, click NEXT.

    ACS URL: The URL should be https://subdomain.itglue.com/saml/consume (with your IT Glue subdomain where it says subdomain)

    Entity ID: Enter https://subdomain.itglue.com (with your IT Glue subdomain where it says subdomain)

    Start URL: This is the login URL and it should also be https://subdomain.itglue.com/ (with your IT Glue subdomain where it says subdomain)

    Signed Response: Disable

    Name ID: Basic Information – Primary Email

    Name ID Format: EMAIL

    [Screenshot: the Service Provider Details screen with sample URLs]

  8. Leave this window open as you configure IT Glue, but remember to click FINISH on the Attribute Mapping step (5/5) when you are done configuring SSO in IT Glue. No action is required on the Attribute Mapping step.

Getting the fingerprint

To get the fingerprint, you can use the third-party fingerprint calculator from OneLogin:

  1. Go to https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint
  2. Paste in the certificate you downloaded further above. To do this, you will need to open the certificate in a text editor to copy the certificate content.
  3. Leave the Algorithm set to sha1
  4. Click the CALCULATE FINGERPRINT button. The fingerprint looks something like: a909502dd82ae41433e6f83886b00d4277a32a7b.
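
The fingerprint is the SHA-1 hash of the certificate's DER-encoded bytes, so it can also be calculated locally from the downloaded file. The Python below is an added example, not part of the original IT Glue instructions; the function names are illustrative, and the sample certificate body is constructed placeholder bytes rather than a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Matches one PEM-armored certificate and captures its base64 body.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM file's text."""
    match = _PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def cert_fingerprint(pem_text: str, algorithm: str = "sha1") -> str:
    """Hash the DER encoding; the result is lowercase hex with no separators."""
    return hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Accept 'A9:09:50...' or 'a9 09 50...' style and return bare lowercase hex."""
    cleaned = re.sub(r"[:\s-]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def fingerprint_matches(pem_text: str, expected: str, algorithm: str = "sha1") -> bool:
    """Compare a certificate's fingerprint with a value from another tool."""
    actual = cert_fingerprint(pem_text, algorithm)
    return hmac.compare_digest(actual, normalize_fingerprint(expected))


# Constructed sample: the body is arbitrary bytes, not a real certificate.
# The fingerprint is a hash of the decoded bytes, so no X.509 parsing is needed.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)
```

To use it on the certificate downloaded from Google, read the file's text and pass it to cert_fingerprint; fingerprint_matches lets you cross-check the value against one produced by another tool, whatever separator or letter case that tool uses.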

Configuring IT Glue 

After setting up Google, you need to configure your IT Glue account to authenticate using SAML. You will need the fingerprint and a few pieces of information from Google to finish the configuration.

Important. It's highly recommended that before you begin these next instructions, you sign in to your IT Glue account twice: once in a regular browser window and once in an incognito/private window (or just sign in to two separate browsers).

  1. From Account > Settings, click the Authentication tab.
  2. Use the on/off button to turn on SAML SSO.
  3. Fill out the following fields:
    • Copy the Google SSO URL and paste it in the IT Glue SAML Login Endpoint URL field.
    • Copy the Google Entity ID and paste it in the IT Glue Issuer URL field.
  4. For the SAML Logout Endpoint URL, enter a URL where IT Glue can redirect users after they sign out of IT Glue. Google does not provide this URL, and this value cannot be left empty. Recommended value: https://apps.google.com/user/hub 
  5. Enter the fingerprint you calculated above and the certificate content in the IT Glue Fingerprint and Certificate fields, respectively.
  6. Click Save.
    Warning. Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the sign-in experience for all users on your account.

Before you can test your access, you must make one more change.

Enabling the app for your domain 

When you create a SAML app, it is turned off by default. This means that the app will not be visible to users signed in to your Google domain account. To turn it on, go to your Google Admin console, click Apps, and then click SAML Apps. Find your app and select an action from the right side of the screen.

If you do not want to activate the app for everyone, you can take advantage of G Suite/Google Apps organizational units and activate the app for only a subset of users. Refer to the Google documentation for further details about creating these organizations.

Testing SSO authentication

Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.

For testing, sign out of Google. In a new browser session, sign in to Google again. Next, on the Google search page, click the grid icon to expand the apps menu and then click the More link to see additional apps. Find the app you created and click on it to sign in to IT Glue.

Another way to test SSO access is to go to your account subdomain (mycompany.itglue.com) directly.

Common Questions

When the SSO server is unavailable, how do we access our accounts?

If the SSO server you specified is unavailable for any reason while you're trying to sign in, authentication will fail. Send us an email for assistance.

How do we disable SSO for a user?

If a member has left your team, and you’d like to disable their user account, an Administrator or Manager will need to delete their account from the Account > Users page in IT Glue. We don't currently support disabling user accounts through the SSO server.
