Introduction
If you're the Administrator on an Enterprise plan, you can let team members access IT Glue by logging in to a central identity provider. Single sign-on (SSO) provides an easy way to access multiple websites or applications using a single account.
To configure SAML settings for SSO, you need an identity provider that supports SAML 2.0. This widely supported protocol enables web-based authentication scenarios including cross-domain SSO and federated authentication between SaaS applications, like IT Glue, and on-premises directory systems, such as Active Directory. The key to this feature is the intermediary SAML SSO server, also known as the identity provider.
How it works
Authentication to your subdomain (mycompany.itglue.com) is handled by your identity provider. Whenever IT Glue or one of your other apps or sites wants to authenticate you via SSO, they'll redirect you to the identity provider. If you are not logged in, you can log in using your SSO credentials. But if you're already logged in, you won't need to log in again. You are immediately redirected back to IT Glue with the necessary authentication token. This token is used to verify that you are authenticated with the identity provider.
Get Started
Start by logging in to IT Glue as an Administrator and navigating to the SSO configuration settings of the identity provider, so that you can configure the two simultaneously. Each of your users will need to be provisioned in the identity provider, with exactly the same email address as their IT Glue user account, since that is how IT Glue will identify them.
After configuring SSO in your identity provider, return to IT Glue, navigate to Account > Settings > Authentication, enable SAML SSO, and paste the following identity provider data into IT Glue.
- Issuer URL - The URL that uniquely identifies your SAML identity provider. Also called: Issuer, Identity Provider, Entity ID, IdP, IdP Metadata URL.
- SAML Login Endpoint URL - The SAML login endpoint URL of the SAML server. IT Glue redirects to this URL for SSO if a session isn't already established. Also called: Sign-on URL, Remote login URL, SSO URL, SSO Endpoint, SAML 2.0 URL, Identity Provider Sign-in URL, IdP Login URL, Single Sign-On Service URL.
- SAML Logout Endpoint URL - A URL where IT Glue can redirect users after they sign out of IT Glue. Also called: SLO Endpoint, SAML Logout URL, Trusted URL, Identity Provider Sign-out URL, Single Sign-Out Service URL.
- Fingerprint - The appropriate value is based on the information provided by your identity provider. Also called: Thumbprint.
- Certificate - The authentication certificate issued by your identity provider (a base-64 encoded X.509 certificate). Be sure to include the entire certificate, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Also called: Public Certificate, X.509 Certificate.
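A check to run before pasting the Certificate and Fingerprint values listed above, as an added example that is not IT Glue's own code: it confirms the PEM block is complete and computes the certificate's SHA-1 and SHA-256 fingerprints for comparison with the thumbprint your identity provider displays. The function names and sample bytes are constructed for illustration, and because the hash algorithm expected for the Fingerprint field is not stated here, both are computed.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = f"{BEGIN}\n{base64.encodebytes(SAMPLE_DER).decode()}{END}\n"


def pem_to_der(pem: str) -> bytes:
    """Return the decoded bytes of one PEM block, or raise ValueError if incomplete."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        raise ValueError(f"first line must be exactly {BEGIN}")
    if lines[-1] != END:
        raise ValueError(f"last line must be exactly {END}")
    body = "".join(lines[1:-1])
    if not body:
        raise ValueError("certificate body is empty")
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc


def fingerprints(pem: str) -> dict:
    """Hash the decoded bytes; a fingerprint is a digest of the DER encoding."""
    der = pem_to_der(pem)
    return {alg: hashlib.new(alg, der).hexdigest() for alg in ("sha1", "sha256")}


def normalize(thumbprint: str) -> str:
    """Strip separators (colons, spaces, dashes) and lowercase the hex digits."""
    cleaned = re.sub(r"[\s:\-]", "", thumbprint).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("thumbprint contains non-hex characters")
    return cleaned


def matching_algorithm(pem: str, idp_thumbprint: str):
    """Return 'sha1' or 'sha256' if the thumbprint matches the certificate, else None."""
    wanted = normalize(idp_thumbprint)
    for alg, digest in fingerprints(pem).items():
        if digest == wanted:
            return alg
    return None
```

A `None` result from `matching_algorithm` means the thumbprint belongs to a different certificate than the one you are about to paste.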
You should now have a working SSO implementation for IT Glue which you can test by going to your subdomain (mycompany.itglue.com) in a new browser session. This process and the information asked for should be common to all identity providers.
Related Items
If you use one of the identity providers listed below, read the separate article we have written for it instead; each one explains how to configure and test your SAML SSO settings with that provider: