For partners subscribed to Enterprise plans.
This topic provides an overview of the SAML (Security Assertion Markup Language) SSO option in your account settings.
To configure SAML settings for SSO, you need an identity provider that supports SAML 2.0. This widely supported protocol enables web-based authentication scenarios including cross-domain SSO and federated authentication between SaaS applications, like IT Glue, and on-premises directory systems, such as Active Directory. The key to this feature is the intermediary SAML SSO server, also known as the identity provider (IdP); in SAML terms, IT Glue is the service provider (SP) that trusts the assertions the IdP issues.
How it works: Authentication to your subdomain (mycompany.itglue.com) is handled by your identity provider. Whenever IT Glue or one of your other apps or sites wants to authenticate you via SSO, it redirects you to the identity provider. If you are not signed in there, you sign in with your SSO credentials; if you already have an identity provider session, you are not prompted again. The identity provider then sends your browser back to IT Glue with a signed SAML response. IT Glue verifies that signature against the identity provider certificate you configure below and, only if it is valid, treats you as authenticated and looks up your user by the email address the assertion carries.
Start by signing in to IT Glue as an Administrator and, in a second tab, opening the SSO configuration settings of your identity provider, so that you can copy values between the two as you go.
We also suggest signing in to your IT Glue account a second time in an incognito/private window. That second session is your backout plan: if you make a mistake and lock yourself out of the first session, use it to turn SSO off quickly.
Each of your users will need to be provisioned in the identity provider with exactly the same email address as their IT Glue user account, since that is how IT Glue will identify them. Compare the two user lists before you enable SSO; any mismatch (an alias, an old address, a different domain) means that user cannot sign in once SSO is on.
After configuring SSO in your identity provider, you'll return to IT Glue, navigate to Account > Settings > Authentication, enable SAML SSO, and paste the following identity provider data into IT Glue.
- Issuer URL - the URI that uniquely identifies your SAML identity provider. Paste it exactly as the identity provider shows it; it is compared character for character against the Issuer value in every SAML response, so a stray trailing slash or a different scheme causes sign-in failures. Also called: Issuer, Identity Provider, Entity ID, IdP, IdP Metadata URL.
- SAML Login Endpoint URL - the SAML login endpoint URL of the SAML server. IT Glue redirects to this URL for SSO if a session isn't already established. Also called: Sign-on URL, Remote login URL, SSO URL, SSO Endpoint, SAML 2.0 URL, Identity Provider Sign-in URL, IdP Login URL, Single Sign-On Service URL.
- SAML Logout Endpoint URL - a URL where IT Glue can redirect users after they sign out of IT Glue. Also called: SLO Endpoint, SAML Logout URL, Trusted URL, Identity Provider Sign-out URL, Single Sign-Out Service URL.
- Fingerprint - the hash of the identity provider's signing certificate, which the identity provider usually displays next to the certificate itself. It must correspond to the certificate you paste below; when the identity provider rotates its signing certificate, update both values together, otherwise sign-in fails until they agree. Also called: Thumbprint.
- Certificate - the signing certificate issued by your identity provider (a base-64 encoded X.509 certificate), which IT Glue uses to verify the signature on each SAML response. Paste the entire certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Also called: Public Certificate, X.509 Certificate.
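The five values above are easy to paste inconsistently, and the usual symptom is a sign-in failure with little detail. As an added pre-flight check (example code written for this article, not part of IT Glue or of any identity provider), the script below validates the values before you paste them: the Issuer is a URI, the endpoints are absolute https URLs, the certificate is a complete PEM block with its BEGIN and END lines, and the fingerprint actually matches that certificate. The field names (issuer_url, login_url, logout_url, certificate, fingerprint) are assumptions of this example, and the sample certificate is constructed: its body is just base64 of the bytes "abc" so the block runs offline, whereas a real identity provider certificate is a DER-encoded X.509 structure. The page does not say which hash algorithm IT Glue expects for the fingerprint, so the check accepts either SHA-1 or SHA-256; a mismatch under both is the stale-fingerprint-after-rotation failure mode.

```python
"""Pre-flight check of the identity-provider values the IT Glue SAML form asks for.

Added example for this article; the field names and sample data are assumptions,
not an IT Glue or identity-provider API.
"""
import base64
import hashlib
import re
from typing import Dict, List
from urllib.parse import urlparse

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Strict PEM -> DER. The whole block, BEGIN and END lines included, must be
    present; a certificate pasted without them is the most common copy error."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("must include the BEGIN CERTIFICATE and END CERTIFICATE lines")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError as err:  # binascii.Error is a ValueError subclass
        raise ValueError(f"body is not valid base64: {err}") from None
    if not der:
        raise ValueError("certificate body is empty")
    return der


def fingerprint(pem: str, algo: str = "sha1") -> str:
    """Hash of the DER-encoded certificate (what 'openssl x509 -fingerprint' hashes),
    in the colon-separated upper-case form most IdP consoles show as 'Thumbprint'."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value: str) -> str:
    """Reduce 'a9:99:3e', 'A9 99 3E' or 'a9993e' to bare upper-case hex so the
    comparison does not depend on how a particular console formats it."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def _is_https(url: str) -> bool:
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_idp_settings(settings: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    problems: List[str] = []

    # Entity ID: a URI (https://... or urn:...), compared verbatim by the SP.
    if not urlparse(settings.get("issuer_url", "")).scheme:
        problems.append("issuer_url must be the IdP entity ID, a URI such as https://... or urn:...")

    if not _is_https(settings.get("login_url", "")):
        problems.append(f"login_url must be an absolute https URL, got {settings.get('login_url')!r}")
    logout_url = settings.get("logout_url", "")
    if logout_url and not _is_https(logout_url):  # checked only when provided
        problems.append(f"logout_url must be an absolute https URL, got {logout_url!r}")

    cert = settings.get("certificate", "")
    try:
        computed = {algo: normalize_fingerprint(fingerprint(cert, algo))
                    for algo in ("sha1", "sha256")}
    except ValueError as err:
        problems.append(f"certificate: {err}")
        return problems  # nothing to compare the fingerprint against

    expected = normalize_fingerprint(settings.get("fingerprint", ""))
    if not expected:
        problems.append("fingerprint is empty")
    elif expected not in computed.values():
        problems.append("fingerprint does not match the pasted certificate under SHA-1 or SHA-256; "
                        "a stale value is typical after the IdP rotated its signing certificate")
    return problems


# Constructed sample: the body is base64 of b"abc", a stand-in so the example runs
# offline. A real IdP certificate is a DER-encoded X.509 structure.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

GOOD_SETTINGS = {
    "issuer_url": "https://idp.example.com/saml/metadata",   # assumed values
    "login_url": "https://idp.example.com/saml/sso",
    "logout_url": "https://idp.example.com/saml/slo",
    "certificate": SAMPLE_CERT_PEM,
    "fingerprint": "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d",  # SHA-1 of b"abc"
}

# Same settings with the fingerprint of a previous certificate left in place.
STALE_SETTINGS = dict(GOOD_SETTINGS, fingerprint="DE:AD:BE:EF")

if __name__ == "__main__":
    for name, values in (("good", GOOD_SETTINGS), ("stale", STALE_SETTINGS)):
        print(name, check_idp_settings(values) or "ok")
```

Run it against the values you are about to paste, with the certificate read from the file your identity provider lets you download rather than retyped. If the fingerprint check fails right after a certificate rotation, replace both the certificate and the fingerprint, not just one of them.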
After that's done, you should have a working SSO implementation for IT Glue. Test it by going to your subdomain (mycompany.itglue.com) in a new browser session, so that the full redirect to the identity provider and back is exercised rather than an existing IT Glue session. If you get locked out, use the incognito/private window you opened before enabling SSO to turn SSO off while you investigate the cause.
This process and the information asked for should be common to all identity providers.
However, if you use one of the identity providers listed below, read the separate article for that provider instead; each explains how to configure and test your SAML SSO settings with it: