For partners subscribed to Enterprise plans.
In this article, you'll learn how to configure SSO on your IT Glue account using Okta.
- You must have Administrator level access to IT Glue to configure SSO on your account.
- Ensure your users are provisioned in the identity provider (Okta), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.
- Before turning this feature on, log in to IT Glue twice: once in a regular browser window and once in an incognito/private window. This ensures that you still have a logged-in session if you get locked out of your account in the other window.
- In Okta, navigate to the Applications screen and click Add Application.
- Click the Create New App button.
- In the modal, select SAML 2.0 and click Create.
- Under General Settings, give the application a name and click Next.
- In the Configure SAML settings, fill in the following fields:
  - Single sign on URL: Enter https://subdomain.itglue.com/saml/consume (with your IT Glue subdomain where it says subdomain)
  - Audience URI (SP Entity ID): Enter https://subdomain.itglue.com (with your IT Glue subdomain where it says subdomain)
  - Name ID format: EmailAddress
  - Application username: Email
- Click the Show Advanced Settings link to configure advanced SAML assertion settings. Configure the Signature Algorithm and SAML Issuer ID options as shown in the image below.
- Click Next.
- Under Feedback, check "I'm an Okta customer adding an internal app" and "This is an internal app that we have created", and then click Finish.
- On the next screen, click View Setup Instructions.
- Leave this window open as you configure IT Glue.
Getting the fingerprint
To get the fingerprint, you can use the third-party fingerprint calculator from OneLogin:
- Go to https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint.
- Paste in the certificate you downloaded further above. To do this, you will need to open the certificate in a text editor to copy the certificate content.
- Leave the Algorithm set to sha1.
- Click the CALCULATE FINGERPRINT button. The fingerprint looks something like:
Configuring IT Glue
After setting up Okta, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Okta to complete this step.
- Log in to IT Glue and click Account from the top navigation bar.
- Click Settings from the sidebar.
- Click on the Authentication tab and then turn the Enable SAML SSO toggle switch to ON. Once this is turned on, a form will appear. You will need to collect information from Okta and enter it into this form.
- Copy the Okta Identity Provider Issuer and paste it into the IT Glue Issuer URL field.
- Copy the Okta Identity Provider Single Sign-On URL and paste it in the IT Glue SAML Login Endpoint URL field.
- Copy the Okta Identity Provider Single Sign-On URL and paste it in the IT Glue SAML Logout Endpoint URL field.
- Copy the fingerprint you created above and paste it into the IT Glue Fingerprint field.
- Copy the certificate and paste it into the IT Glue Certificate field.
Important. Ensure that there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).
Once you make this change, you can test your access.
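The fingerprint from "Getting the fingerprint" can also be computed locally, and the same pass can catch the trailing characters the Important note warns about. The following is an added example, not code from IT Glue, Okta or OneLogin; the function name `inspect_certificate` and the sample input are assumptions, and the colon-separated uppercase output format is an assumption because the page does not show the expected fingerprint format.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def inspect_certificate(pem_text):
    """Return (sha1_fingerprint, cleaned_pem, warnings) for one PEM certificate."""
    matches = list(PEM_RE.finditer(pem_text))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(matches)}")
    match = matches[0]

    warnings = []
    if pem_text[: match.start()]:
        warnings.append("text before -----BEGIN CERTIFICATE-----")
    tail = pem_text[match.end():]
    if tail:
        warnings.append(f"trailing characters after -----END CERTIFICATE-----: {tail!r}")

    # The PEM body is base64 of the DER certificate. The fingerprint is a hash
    # of those DER bytes, not of the PEM text, so line wrapping does not affect it.
    body = "".join(match.group(1).split())
    der = base64.b64decode(body, validate=True)
    if not der:
        raise ValueError("certificate body is empty")

    # SHA-1 because the steps above leave the Algorithm set to sha1.
    digest = hashlib.sha1(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

    # Re-emit the PEM with 64-character lines and nothing after the END marker.
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    cleaned = "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    )
    return fingerprint, cleaned, warnings


# Constructed sample: the body is base64 of the bytes b"abc", not a real
# certificate, followed by the kind of trailing spaces the note warns about.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----  \n"

if __name__ == "__main__":
    fp, cleaned, warnings = inspect_certificate(SAMPLE_PEM)
    print(fp, warnings, sep="\n")
```

To use it on the certificate downloaded from Okta, pass the file's text to `inspect_certificate` and paste the returned `cleaned` value into the Certificate field.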
Testing SSO authentication
Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.
To make sure SSO is working, perform these steps:
- Log out of and close any Okta browser sessions you have open.
- In a new browser session, navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This should redirect you to the identity provider.
- Enter your SSO credentials.
After entering your credentials, you should be redirected and logged in to IT Glue.
When the SSO server is unavailable, how do we access our accounts?
If your SSO provider's service is unavailable, you can still log in using your IT Glue username and password at app.itglue.com.
If your SSO is not working, confirm your provider's service is available. Send us an email for assistance.
How do we disable SSO for a user?
To disable a user account, an Administrator or a Manager will need to navigate to the Account > Users page in IT Glue. We don’t currently support disabling user accounts through the SSO server.