Configuring single sign-on (SSO) with Okta

For partners subscribed to Enterprise plans.

In this article, you'll learn how to configure SSO on your IT Glue account using Okta.

Prerequisites

  • You must have Administrator level access to IT Glue to configure SSO on your account.
  • Ensure your users are provisioned in the identity provider (Okta), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.
  • Before turning this feature on, log into IT Glue twice - once in a regular browser window and once in a incognito/private window. This is to ensure that you are still logged in to your account if you get locked out of your account in the other window.

Instructions

Configuring Okta

  1. In Okta, head to the Applications screen and then click Add Application.

    Okta_Add_Application.png
  2. Click the Create New App button.

    Okta_Create_New_App.png
  3. In the modal, select SAML 2.0 and click Create.

    Okta_Create_New_Integration.png
  4. Under General Settings, give the application a name and then click Next.

    Okta_General_Settings.png
  5. In the Configure SAML settings, fill in the following:

    Okta_Configure_SAML.png

    • Single sign on URL: Enter https://subdomain.itglue.com/saml/consume (with your IT Glue subdomain where it says subdomain)
    • Audience URI (SP Entity ID): Enter https://subdomain.itglue.com (with your IT Glue subdomain where it says subdomain)
    • Name ID format: EmailAddress
    • Application username: Email
  6. Click the Show Advanced Settings link to configure advanced SAML assertion settings. Configure the Signature Algorithm and SAML Issuer ID options as shown in the image below.

    Okta_Advanced_Settings.png
  7. Click Next.
  8. Under Feedback, select “I’m an Okta customer adding an internal app”, and check “This is an internal app that we have created”, and then click Finish.

    Okta_Feedback.png
  9. On next screen, click View Setup Instructions.

    Okta_View_Setup_Instructions.png
  10. Leave this window open as you configure IT Glue.

    Okta_How_to_Configure.png

Getting the fingerprint

To get the fingerprint, you can use the third-party fingerprint calculator from OneLogin:

  1. Go to https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint.
  2. Paste in the certificate you downloaded further above. To do this, you will need to open the certificate in a text editor to copy the certificate content.
  3. Leave the Algorithm set to sha1.
  4. Click the CALCULATE FINGERPRINT button. The fingerprint looks something like:
    a909502dd82ae41433e6f83886b00d4277a32a7b

Configuring IT Glue

After setting up Okta, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Okta to complete this step.

Important. It's highly recommended that before you begin the below set of instructions, log into your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log into two separate browsers. This is to ensure that you are still logged into your account in case you are locked out in the other window.
  1. Log into IT Glue and click Account from the top navigation bar.
  2. Click Settings from the sidebar.

    Account_Settings___IT_Glue_copy.png
  3. Click on the Authentication tab and then turn the Enable SAML SSO toggle switch to ON. Once this is turned on, a form will appear. You will need to collect information from Okta and enter it into this form.

    Untitled-2_copy.png
    • Copy the Okta Identify Provider Issuer and paste it into the IT Glue Issuer URL field.
    • Copy the Okta Identity Provider Single Sign-On URL and paste it in the IT Glue SAML Login Endpoint URL field.
    • Copy the Okta Identity Provider Single Sign-On URL and paste it in the IT Glue SAML Logout Endpoint URL field.
    • Copy the fingerprint you created above and paste it into the IT Glue Fingerprint field.
    • Copy the certificate and paste it into the IT Glue Certificate field.
      Important. Ensure that there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).
  4. Click Save.
    Warning. Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.

Once you make this change, you can test your access.

Testing SSO authentication

Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.

To make sure SSO is working, perform these steps:

  1. Log out of and close any Okta browser sessions you have open.
  2. In a new browser session, navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This should redirect you to the identity provider.
  3. Enter your SSO credentials.

After entering your credentials, you should be redirected and logged into IT Glue.

Common Questions

When the SSO server is unavailable, how do we access our accounts?

If your SSO provider's service is unavailable, you can still login using your IT Glue username and password at app.itglue.com.

If your SSO is not working, confirm your provider's service is available. Send us an email for assistance.

How do we disable SSO for a user?

To disable a user account, an Administrator or a Manager will need to navigate to the Account > Users page in IT Glue. We don’t currently support disabling user accounts through the SSO server.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us