For partners subscribed to Enterprise plans.
This article explains how to configure the SAML SSO integration of the new Azure AD portal and IT Glue. These instructions apply to the newer Azure portal interface. Learn how to configure SAML SSO for the Azure classic portal in this article.
- Microsoft Azure account with Azure AD Premium activated.
- Administrator level access to IT Glue and a Global Admin or Co-admin account in Azure.
- All of your users under your account in IT Glue will need an account in Azure Active Directory, with exactly the same email address. We don’t create user accounts under SSO.
- Before you begin, log into your IT Glue account twice - once in a regular browser window and once in a incognito/private window. This is to ensure that you are still logged into your account just in case you get locked out of your account in the other window.
- In the Azure portal (https://portal.azure.com/), click More services > at the bottom of the main left-hand navigation menu.
- Use the Filter field to search for and select Azure Active Directory. (Optional: Star Azure Active Directory to add it to the main left-hand navigation menu.)
- From the Azure Active Directory left-hand navigation menu, click Enterprise applications.
- With Enterprise applications selected, click + New application at the top of the screen.
- Next, click Non-gallery application in the Add your own app section.
- Give the new application a name and then click the Add button at the bottom of the screen. This will add a custom application to your Azure Active Directory.
Note: If you do not have Azure AD Premium activated, you will not be able to enter the name of the application and a corresponding error message will appear.
- Once the application loads, select Users and groups in the sidebar menu. At the top of the screen, click + Add user to assign users or user groups to this application.
- Next, click Single sign-on from the application’s left-hand navigation menu.
- In the sidebar menu, select SAML-based Sign-on in the Single Sign-on Mode dropdown.
- Select the Show advanced URL settings checkbox and enter the following URLs in the fields provided (replacing subdomain with your subdomain):
- Identifier: Enter your IT Glue subdomain, e.g. https://subdomain.itglue.com
- Reply URL: Enter
- Sign on URL: Enter
- Relay State: Skip. It's an optional parameter that is used to tell the application where to redirect the user after authentication is completed.
Be sure to fill in your IT Glue subdomain where it says subdomain. Note that there's no trailing slash at the end of the URL.
- Select user.mail. as the User Identifier.
- In the SAML Signing Certificate section, download the Certificate (Base 64) to save the certificate file on your computer. Ensure that you have an active certificate by selecting the Make new certificate active checkbox and/or clicking Create new certificate if necessary.
- Enter a notification email for the certificate expiry reminders.
- Click the Save button at the top of the screen.
- Click Configure <application name> to access the fly-out menu with the other information you need to set up the IT Glue side.
- Leave the Azure portal open, and in a different web browser window, log into your IT Glue account.
Configuring IT Glue
After setting up Azure, you need to configure your IT Glue account to authenticate using SAML. You will need the certificate and a few pieces of information from Azure to finish the configuration.
- Click Account from the top navigation bar.
- Click Settings from the sidebar.
- Click the Authentication tab.
- Use the on/off button to turn on SAML SSO.
Important. It's highly recommended that before you begin these next instructions, you log into your IT Glue account twice - once in a regular browser window and once in a incognito/private window (or just log into two separate browsers).
- Copy and paste the following information from Azure to IT Glue:
- Copy the Azure AD Identifier and paste it in the IT Glue Issuer URL field.
- Copy the SAML Single Sign-On Service URL and paste it in the IT Glue SAML Login Endpoint URL field.
- Copy the Sign-Out URL and paste it in the IT Glue SAML Logout Endpoint URL field.
Once you make this change, you can test your access.
Testing SSO authentication
Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.
To make sure SSO is working, perform these steps:
- Log out of and close the Azure management portal and the Azure AD access panel.
- In a new browser session, navigate directly to the access panel at http://myapps.microsoft.com.
- Enter your Azure AD credentials to log in. After authentication, you will be able to interact with the applications integrated with the directory.
- Click on the IT Glue SSO application you created to be redirected and logged into IT Glue.
Another way to test SSO access is to go to your account subdomain (mycompany.itglue.com) directly.
When the SSO server is unavailable, how do we access our accounts?
If the SSO server you specified is unavailable for any reason while you're trying to log in, authentication will fail. Send us an email for assistance.
Alternatively, in the event that SSO is unavailable, you can still login using your IT Glue username and password at app.itglue.com.
How do we disable SSO for a user?
To disable a user account, an Administrator or a Manager will need to navigate to the Account > Users page in IT Glue. We don’t currently support disabling user accounts through the SSO server.