This article explains how to configure SAML SSO between Azure Active Directory (Azure AD) and IT Glue, using the newer Azure portal interface.
If you are configuring SSO for MyGlue using Azure, the steps are the same, but you will enter different values when configuring Azure and your MyGlue account settings page. The MyGlue values to substitute at the relevant steps are listed near the end of this article.
- Microsoft Azure account with Azure AD Premium activated.
- Administrator level access to IT Glue and a Global Admin or Co-admin account in Azure.
- Every user in your IT Glue account needs an Azure Active Directory account with exactly the same email address. IT Glue does not create user accounts through SSO: a user who has no matching IT Glue account will not be able to sign in.
- Before turning this feature on, log in to IT Glue in two separate sessions, for example once in a regular browser window and once in an incognito/private window, or in two different browsers. If the SSO configuration locks you out of one session, you can use the other to turn SSO off again.
Configuring Azure
- Log in to the Azure portal (https://portal.azure.com/). In the left-hand menu, click Azure Active Directory > Enterprise applications.
- Click + New application at the top of the screen.
- Click the Non-gallery application button.
- Give the new application a name and then click the Add button at the bottom of the screen. This will add a custom application to your Azure Active Directory.
Note: If you do not have Azure AD Premium activated, you will not be able to enter the name of the application and an invite message to upgrade to Premium will appear.
- Once the application loads, click Users and groups in the left-hand menu. Click + Add user to assign users or user groups to this application. With the default assignment-required setting, only the users and groups assigned here will be able to sign in to IT Glue through this application.
- Next, click Single sign-on in the left-hand menu and then on the SAML button.
Basic SAML Configuration
- In the setup screen, click the pencil icon in the Basic SAML Configuration box.
- Enter the following URLs in the fields provided, replacing subdomain with your subdomain:
- Identifier (Entity ID) - Enter your IT Glue subdomain, e.g. https://subdomain.itglue.com
- Reply URL (Assertion Consumer Service URL) - Enter https://subdomain.itglue.com/saml/consume
- Sign on URL - Enter https://subdomain.itglue.com
- Relay State - Skip. This is an optional parameter used to tell the application where to redirect the user after authentication is completed.
- Logout URL - Enter a URL where IT Glue can redirect users after they log out of IT Glue.
- Replace subdomain with your IT Glue subdomain in every value, and do not add a trailing slash to any of them. Azure places the Identifier in the Audience element of each assertion and IT Glue checks it against its own entity ID with an exact string comparison, so https://subdomain.itglue.com/ and https://subdomain.itglue.com are different values and the mismatch will cause logins to fail. Click Save at the top of the form when finished.
User Attributes & Claims
- Return to the setup screen and click the pencil icon in the User Attributes & Claims box.
- Click Unique User Identifier (Name ID).
- In the form that opens, select user.mail in the Source attribute drop-down menu and click Save at the top of the form. This makes the Name ID in each assertion the user's Azure AD email address, which is the value IT Glue uses to match the login to the IT Glue user with the same email address (see the prerequisites above).
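The values entered in the Basic SAML Configuration and User Attributes & Claims steps above are what IT Glue later checks in every assertion Azure sends. The following script is an added example, not code from IT Glue or Microsoft: it parses a constructed, unsigned SAML Response for a hypothetical tenant (subdomain "example", placeholder tenant ID in the Azure issuer) and reports any value that does not line up with the configured Identifier, Reply URL, Azure AD Identifier (the Issuer URL pasted into IT Glue later) or the list of existing IT Glue users. Signature verification is deliberately out of scope; this only shows which strings must match exactly.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical configuration for a tenant with IT Glue subdomain "example":
#   Basic SAML Configuration in Azure -> SP_ENTITY_ID (Identifier), ACS_URL (Reply URL)
#   Azure AD Identifier / IT Glue "Issuer URL" -> IDP_ISSUER (tenant ID is a placeholder)
SP_ENTITY_ID = "https://example.itglue.com"
ACS_URL = "https://example.itglue.com/saml/consume"
IDP_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
# Email addresses of users that already exist in IT Glue (SSO does not create accounts).
IT_GLUE_USERS = {"alice@example.com", "bob@example.com"}

# Constructed, unsigned, minimal Response for illustration only. A real Azure AD response
# is signed and carries more attributes; this one has just the elements checked below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://example.itglue.com/saml/consume">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example.itglue.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                   idp_issuer=IDP_ISSUER, known_users=IT_GLUE_USERS):
    """Return a list of mismatches between the posted Response and the configured values.

    An empty list means every value the service provider compares lines up. All
    comparisons are exact string matches, which is why a stray trailing slash or a
    differently cased email address breaks the login.
    """
    root = ET.fromstring(xml_text)
    problems = []

    # Destination must equal the Reply URL (Assertion Consumer Service URL).
    destination = root.get("Destination")
    if destination != acs_url:
        problems.append(f"Destination {destination!r} != Reply URL {acs_url!r}")

    # Issuer must equal the Azure AD Identifier pasted into IT Glue's Issuer URL field.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_issuer:
        problems.append(f"Issuer {issuer!r} != Issuer URL {idp_issuer!r}")

    # Audience must equal the Identifier (Entity ID); "https://x.itglue.com/" != "https://x.itglue.com".
    audience = root.findtext(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} != Entity ID {sp_entity_id!r}")

    # Name ID carries user.mail and must match an existing IT Glue user's email exactly.
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        problems.append("NameID missing from assertion")
    elif name_id.text not in known_users:
        problems.append(f"NameID {name_id.text!r} has no matching IT Glue user")

    return problems


if __name__ == "__main__":
    print("configured values:", check_response(SAMPLE_RESPONSE) or "OK")
    print("trailing slash on Entity ID:",
          check_response(SAMPLE_RESPONSE, sp_entity_id=SP_ENTITY_ID + "/"))
```

Running it with the configured values reports no problems; passing the Entity ID with a trailing slash reports only the Audience mismatch, which is the failure the "no trailing slash" note above is warning about. To use the check against a real login, capture the SAMLResponse form field posted to /saml/consume with the browser's developer tools, Base64-decode it, and pass the XML in place of SAMPLE_RESPONSE.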
SAML Signing Certificate
- Return to the setup screen and click the pencil icon in the SAML Signing Certificate box.
- Enter a notification email for the certificate expiry reminders and click Save at the top of the form. Azure signs every assertion with this certificate, and IT Glue trusts only the certificate you paste into it later, so when the certificate is rotated the Fingerprint and Certificate values in IT Glue must be updated with the new certificate before the old one expires, or SSO logins will fail.
- Back in the setup screen, click to download the Certificate (Base64) to save the certificate file on your computer and copy the Thumbprint. Both are needed when configuring IT Glue.
Setup <Your Application Name>
- Return to the setup screen and click the View step-by-step instructions link in the Setup <Your Application Name> box.
- Review the documentation that will guide you through filling out the:
- Login URL (a.k.a. SAML Single Sign-On Service URL)
- Azure AD Identifier (a.k.a. SAML Entity ID), and
- Logout URL (a.k.a. Sign-out URL) fields.
Test Single Sign-on with <Your Application Name>
- Return to the setup screen and click the Test button in the Test Single Sign-on with <Your Application Name> box to check if single sign-on is working.
Leave the Azure portal open as you continue onto configuring IT Glue. You will need to refer to it frequently in the next section of this KB.
Configuring IT Glue
After setting up Azure, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Azure to complete this step.
- Log in to IT Glue and click Account from the top navigation bar.
- Click Settings from the sidebar.
- Click the Authentication tab and then turn the Enable SAML SSO toggle switch to ON. Once this is turned on, a form will appear. You will need to collect information from Azure and enter it into this form.
- Copy the Azure AD Identifier (a.k.a. SAML Entity ID) and paste it in the IT Glue Issuer URL field.
- Copy the Login URL (a.k.a. SAML Single Sign-On Service URL) and paste it in the IT Glue SAML Login Endpoint URL field.
- Copy the Logout URL (a.k.a. Sign-out URL) and paste it in the IT Glue SAML Logout Endpoint URL field.
- Return to the SAML setup page in Azure, copy the Thumbprint from the SAML Signing Certificate box, and paste it in the IT Glue Fingerprint field.
- Open the Base64-encoded SAML Signing Certificate you downloaded from the Azure portal in a plain-text editor such as Notepad, copy its entire contents (from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line) onto your clipboard, and paste it in the IT Glue Certificate field.
Important. Ensure there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).
- Click Save to complete the set up of your account.
Warning. Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.
Once you make this change, you can test your access.
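Two of the values pasted above, the Fingerprint and the Certificate, are easy to get subtly wrong: a trailing space after -----END CERTIFICATE----- (the Important note above) or a thumbprint that belongs to a different certificate than the one pasted. The following script is an added example, not IT Glue's or Azure's code: it normalizes the downloaded Base64 certificate text the way the Certificate field needs it and recomputes the thumbprint as the SHA-1 of the DER-encoded certificate, so the two values can be checked against each other before clicking Save. The certificate body is a constructed placeholder, not a real X.509 certificate; the arithmetic is the same for the real file.

```python
import base64
import hashlib
import re
import textwrap

# Stand-in for the DER bytes of the downloaded certificate. A real Azure AD signing
# certificate is an X.509 structure of roughly a kilobyte; any bytes demonstrate the
# thumbprint arithmetic, so a constructed byte string is used here.
_PLACEHOLDER_DER = bytes(range(256)) * 4

# The file as it might look after copying it out of Notepad: trailing spaces after the
# END line and a blank line, exactly what the Important note above says to avoid.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(_PLACEHOLDER_DER).decode(), 64))
    + "\n-----END CERTIFICATE-----   \n\n"
)


def normalize_pem(text: str) -> str:
    """Strip leading/trailing whitespace on every line and drop blank lines, so the
    string ends exactly at -----END CERTIFICATE----- with nothing after it."""
    lines = [line.strip() for line in text.splitlines()]
    return "\n".join(line for line in lines if line)


def pem_to_der(text: str) -> bytes:
    """Extract the Base64 body between the BEGIN/END lines and decode it to DER bytes."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE block found in the pasted text")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def thumbprint(text: str) -> str:
    """The Thumbprint shown in the Azure portal: uppercase hex SHA-1 of the DER certificate."""
    return hashlib.sha1(pem_to_der(text)).hexdigest().upper()


def fingerprint_matches(text: str, pasted: str) -> bool:
    """Compare a thumbprint as a person might paste it (any case, with or without
    colons or spaces) to the one computed from the certificate text itself."""
    return re.sub(r"[^0-9a-fA-F]", "", pasted).upper() == thumbprint(text)


if __name__ == "__main__":
    clean = normalize_pem(SAMPLE_PEM)
    print("ends cleanly:", clean.endswith("-----END CERTIFICATE-----"))
    print("thumbprint:", thumbprint(clean))
    print("pasted value matches:", fingerprint_matches(clean, thumbprint(SAMPLE_PEM).lower()))
```

Replace SAMPLE_PEM with the contents of the downloaded file and the argument of fingerprint_matches with the Thumbprint copied from Azure; a False result means one of the two values came from a different certificate (for example an old one after a rotation) and the login will fail signature validation once SSO is turned on.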
If you are setting up SSO for MyGlue, complete all steps as instructed in this article. However, there are a few key steps in which you'll need to substitute in different values:
Complete step 2 in the Configuring Azure - Basic SAML Configuration section but use the following values instead:
- Identifier (Entity ID) - https://app.myglue.com
- Reply URL (Assertion Consumer Service URL) - https://app.myglue.com/saml/consume
- Sign on URL - https://app.myglue.com
- Logout URL - https://app.myglue.com/logout (for EU partners, use https://app.eu.myglue.com)
Testing SSO authentication
In the above section, you should have created two IT Glue browser sessions. If you are locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.
To make sure SSO is working, perform these steps:
- Log out of and close the Azure management portal and the Azure AD access panel.
- In a new browser session, navigate directly to the access panel at https://myapps.microsoft.com.
- Enter your Azure AD credentials to log in. After authentication, you will be able to interact with the applications integrated with the directory.
- Click on the SSO application you created to be redirected and logged in to IT Glue.
Another way to test SSO access is to go to your account subdomain (mycompany.itglue.com) directly.
When the SSO server is unavailable, how do we access our accounts?
If your SSO provider's service is unavailable, you can still log in with your IT Glue username and password at app.itglue.com (the generic login page rather than your account subdomain). Because this password login stays available while SSO is on, IT Glue passwords remain a live credential that SSO does not replace, so they still need to be strong and protected.
If your SSO is not working, first confirm that your provider's service is available. If it is, send us an email for assistance.
How do we disable SSO for a user?
To disable a user account, an Administrator or a Manager needs to navigate to the Account > Users page in IT Glue. We don't currently support disabling user accounts through the SSO server: removing a user from the Azure application or disabling them in Azure AD stops them from signing in through SSO, but their IT Glue account stays active and can still log in with a password at app.itglue.com until it is disabled in IT Glue.