For partners subscribed to Enterprise plans.
In this article, you'll learn how to configure SSO on your IT Glue account using Okta.
- You must have Administrator level access to IT Glue to configure SSO on your account.
- Ensure your users are provisioned in the identity provider (Okta), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.
- Before turning this feature on, log into IT Glue twice - once in a regular browser window and once in a incognito/private window. This is to ensure that you are still logged in to your account if you get locked out of your account in the other window.
- In Okta, head to the Applications screen and then click Add Application.
- Click the Create New App button.
- In the modal, select SAML 2.0 and click Create.
- Under General Settings, give the application a name and then click Next.
- In the Configure SAML settings, fill in the following:
- Single sign on URL: Enter
https://subdomain.itglue.com/saml/consume(with your IT Glue subdomain where it says subdomain)
- Audience URI (SP Entity ID): Enter
https://subdomain.itglue.com(with your IT Glue subdomain where it says subdomain)
- Name ID format: EmailAddress
- Application username: Email
- Single sign on URL: Enter
- Click the Show Advanced Settings link to configure advanced SAML assertion settings. Configure the Signature Algorithm and SAML Issuer ID options as shown in the image below.
- Click Next.
- Under Feedback, select “I’m an Okta customer adding an internal app”, and check “This is an internal app that we have created”, and then click Finish.
- On next screen, click View Setup Instructions.
- Leave this window open as you configure IT Glue.
Getting the fingerprint
To get the fingerprint, you can use the third-party fingerprint calculator from OneLogin:
- Go to https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint.
- Paste in the certificate you downloaded further above. To do this, you will need to open the certificate in a text editor to copy the certificate content.
- Leave the Algorithm set to sha1.
- Click the CALCULATE FINGERPRINT button. The fingerprint looks something like:
Configuring IT Glue
After setting up Okta, you need to configure your IT Glue account to authenticate using SAML. You will need the fingerprint and a few pieces of information from Okta to finish the configuration.
- Click Account from the top navigation bar.
- Click Settings from the sidebar.
- Click the Authentication tab.
- Use the on/off button to turn on SAML SSO.
Important. It's highly recommended that before you begin these next instructions, you log into your IT Glue account twice - once in a regular browser window and once in a incognito/private window (or just log into two separate browsers).
- Fill out the following fields:
- Copy the Okta Identity Provider Single Sign-On URL and paste it in the IT Glue SAML Login Endpoint URL field and again in the IT Glue SAML Logout Endpoint URL field.
- Copy the Okta Identity Provider Issuer and paste it in the IT Glue Issuer URL field.
- Enter the fingerprint you created further above and also the certificate in the IT Glue Fingerprint and Certificate fields.
- Click Save.
Warning. Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.
Once you make this change, you can test your access.
Testing SSO authentication
Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.
To make sure SSO is working, perform these steps:
- Log out of and close any Okta browser sessions you have open.
- In a new browser session, navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This should redirect you to the identity provider.
- Enter your SSO credentials.
After entering your credentials, you should be redirected and logged into IT Glue.
When the SSO server is unavailable, how do we access our accounts?
If the SSO server you specified is unavailable for any reason while you're trying to log in, authentication will fail. Send us an email for assistance.
Alternatively, in the event that SSO is unavailable, you can still login using your IT Glue username and password at app.itglue.com.
How do we disable SSO for a user?
To disable a user account, an Administrator or a Manager will need to navigate to the Account > Users page in IT Glue. We don’t currently support disabling user accounts through the SSO server.