Configuring single sign-on (SSO) with ADFS - Connect IT Community | Kaseya
<main> <article class="userContent"> <p>This article explains how to configure SSO between a self-hosted Active Directory Federation Services (ADFS) server and IT Glue.</p> <div> <p>If you are configuring SSO for MyGlue using ADFS, the instructions are the same, but you will need to enter different values when configuring ADFS and your MyGlue account settings page. Click <a rel="nofollow" href="#myglue">here</a> to see the values you'll need to substitute at key steps in this KB article.</p> </div> <p>ADFS is a standard Windows Server role from Microsoft that provides a web login using existing Active Directory credentials. Installing ADFS is beyond the scope of this topic, but it is detailed in a <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fgg188612.aspx">Microsoft KB article</a>. For further help, refer to the main <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360004934017">SAML topic</a>. For ADFS-based SSO, always check the ADFS logs in the Windows Event Viewer to locate error details.</p> <h3 data-id="prerequisites">Prerequisites</h3> <ul><li>You must have Administrator-level access to IT Glue to configure SSO on your account.</li> <li>An Active Directory instance in which every user under your IT Glue account has an account with exactly the same email address. We don’t create user accounts under SSO.</li> <li>A server running Microsoft Windows Server 2012 or 2008.</li> <li>An SSL certificate to sign your ADFS login page, and the fingerprint of that certificate.</li> <li>Before turning this feature on, log in to your IT Glue account twice: once in a regular browser and once in an incognito/private window. This ensures that you are still logged in to your account if you get locked out in the other window. 
Alternatively, you can log in to two separate browsers.</li> </ul><h3 data-id="instructions">Instructions</h3> <h3 data-id="adding-a-new-relying-party-trust">Adding a new relying party trust</h3> <p>The connection between ADFS and IT Glue is defined using a relying party trust.</p> <ol><li>Log in to the server where ADFS is installed.</li> <li>Launch the <strong>ADFS Management</strong> application (<strong>Start > Administrative Tools > ADFS Management</strong>) and select the <strong>Trust Relationships > Relying Party Trusts</strong> node.</li> <li>Click <strong>Add Relying Party Trust</strong> in the <strong>Actions</strong> sidebar.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/5EU50G18KNB3/screen-shot-2016-12-15-at-3-48-34-pm.png" alt="" class="embedImage-img importedEmbed-img"></img></li> <li>Click <strong>Start</strong> on the Add Relying Party Trust wizard.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/Y3K0T6FM6SN6/screen-shot-2016-12-15-at-3-49-14-pm.png" alt="" class="embedImage-img importedEmbed-img"></img></li> <li>On the <strong>Select Data Source</strong> screen, select <strong>Enter data about the relying party manually</strong> and click Next.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/YCM5AJHUZKGO/sso-adfs-itg2.png" alt="" class="embedImage-img importedEmbed-img"></img></li> <li>Provide information for each screen in the Add Relying Party Trust wizard. <ol type="a"><li>On the <strong>Specify Display Name</strong> screen, enter a <strong>Display name</strong> of your choosing and any notes (e.g. IT Glue SSO), select <strong>ADFS profile</strong>, and then click Next.</li> <li>Skip the <strong>Configure Certificate</strong> screen by clicking Next.</li> <li>On the <strong>Configure URL</strong> screen, select the box labeled <strong>Enable Support for the SAML 2.0 WebSSO protocol</strong>. 
The URL will be <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com%2Fsaml%2Fconsume">https://subdomain.itglue.com/saml/consume</a></em>, replacing subdomain with your IT Glue subdomain. Note that there is no trailing slash at the end of the URL.</li> <li>On the <strong>Configure Identifiers</strong> screen, enter the <strong>Relying party trust identifier</strong>. This is the URL of your IT Glue subdomain, <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com">https://subdomain.itglue.com</a></em>. Then click Next.</li> <li>Skip the <strong>Configure Multi-factor Authentication</strong> screen (unless you want to configure this) by clicking Next.</li> <li>Skip the <strong>Choose Issuance Authorization Rules</strong> screen by clicking Next.</li> <li>On the <strong>Ready to Add Trust</strong> screen, review your settings and then click Next.</li> <li>On the final screen, make sure the <strong>Open the Edit Claim Rules dialog for this relying party trust when the wizard closes</strong> checkbox is selected and click <strong>Finish</strong>. This opens the claim rule editor.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/UGVG75DN60XC/sso-adfs-itg3.png" alt="" class="embedImage-img importedEmbed-img"></img></li> </ol></li> </ol><h3 data-id="creating-claim-rules">Creating claim rules</h3> <p>After you create the relying party trust, you can create the claim rules and make the minor changes that the wizard does not set.</p> <ol><li>If the claim rules editor appears, click <strong>Add Rule</strong>. 
Otherwise, in the <strong>Relying Party Trusts</strong> list, right-click the relying party object that you created, click <strong>Edit Claim Rules</strong>, and then click <strong>Add Rule</strong>.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/2CYBFB3FIF63/sso-adfs-itg10.png" alt="" class="embedImage-img importedEmbed-img"></img></li> <li>In the <strong>Claim rule template</strong> list, select the <strong>Send LDAP Attributes as Claims</strong> template, and then click Next.</li> <li>Create the following rule: <ul><li>Enter a descriptive rule name</li> <li>Attribute Store: <strong>Active Directory</strong></li> <li>Add the following mapping: <ul><li>LDAP Attribute: <strong>E-Mail-Addresses</strong></li> <li>Outgoing Claim Type: <strong>E-Mail Address</strong></li> </ul></li> </ul></li> <li>Click <strong>OK</strong>.</li> <li>Create another new rule by clicking <strong>Add Rule</strong>, this time selecting <strong>Transform an Incoming Claim</strong> as the template.</li> <li>On the next screen, create the following rule: <ul><li>Enter a descriptive rule name</li> <li>Incoming Claim Type: <strong>E-Mail Address</strong></li> <li>Outgoing Claim Type: <strong>Name ID</strong></li> <li>Outgoing Name ID Format: <strong>Email</strong></li> <li><strong>Pass through all claim values</strong> (the default)</li> </ul></li> <li>Finally, click <strong>OK</strong> to create the claim rule, and then <strong>OK</strong> again to finish creating rules.</li> </ol><h3 data-id="adjusting-the-settings">Adjusting the settings</h3> <p>You still need to adjust a few settings on your relying party trust.</p> <ol><li>In the <strong>Relying Party Trusts</strong> list, double-click the relying party object that you created (or select <strong>Actions > Properties</strong> while the relying party trust is selected).</li> <li>On the <strong>Advanced</strong> tab, change the <strong>Secure hash algorithm</strong> to <strong>SHA-256</strong>. 
<p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/PACXOSP10JUP/sso-configuring-adfs.png" alt="SSO__Configuring_ADFS.png" width="477" height="228" class="embedImage-img importedEmbed-img"></img></p> </li> <li>On the <strong>Endpoints</strong> tab, click <strong>Add SAML</strong> to add a new endpoint. <ul><li>For the <strong>Endpoint type</strong>, select <strong>SAML Logout</strong>.</li> <li>For the <strong>Binding</strong>, choose <strong>POST</strong>.</li> <li>For the <strong>Trusted URL</strong>, build a URL from: <ul><li>The URL of your ADFS server</li> <li>The value of the 'SAML 2.0/WS-Federation' URL from the ADFS Service > Endpoints node</li> <li>The string <em>?wa=wsignout1.0</em></li> <li>The result will look something like: <em><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsso.domain.tld%2Fadfs%2Fls%2F%3Fwa%3Dwsignout1.0">https://sso.domain.tld/adfs/ls/?wa=wsignout1.0</a></em> <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/XKTQ97SWYKH9/edit-endpoint.png" alt="Edit_Endpoint.png" class="embedImage-img importedEmbed-img"></img></p> </li> </ul></li> <li>Click <strong>OK</strong> twice. You should now have a working relying party trust for IT Glue.</li> </ul></li> </ol><h3 data-id="configuring-it-glue">Configuring IT Glue</h3> <p>After setting up ADFS, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from ADFS to complete this step.</p> <div> <strong>Important. </strong>It's highly recommended that, before you begin the instructions below, you log in to your IT Glue account twice: once in a regular browser and once in an incognito/private window. Alternatively, you can log in to two separate browsers. This ensures that you are still logged in to your account in case you are locked out in the other window. 
</div> <ol><li>Log in to IT Glue and click <strong>Account</strong> in the top navigation bar.</li> <li>Click <strong>Settings</strong> in the sidebar.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/5DHQNFHNC6NQ/account-settings-it-glue-copy.png" alt="Account_Settings___IT_Glue_copy.png" class="embedImage-img importedEmbed-img"></img></li> <li>Click the <strong>Authentication</strong> tab and then turn the <strong>Enable SAML SSO</strong> toggle switch to <strong>ON</strong>. Once this is turned on, a form will appear. You will need to collect information from ADFS and enter it into this form. <ul><li>In the ADFS Management application, select the <strong>Service</strong> node.</li> <li>Click <strong>Actions > Edit Federation Service Properties</strong>.<br>The ADFS federation service identifier is shown on the <strong>General</strong> tab.</li> <li>In the ADFS Management application, select the <strong>Service > Endpoints</strong> node.</li> <li>Scroll down to the endpoint that has SAML 2.0/WS-Federation as the type and note the URL path. This is typically your ADFS public URL with <em>/adfs/ls</em> after the FQDN.</li> <li>Open PowerShell on the ADFS server.</li> <li>Run <code class="code codeInline" spellcheck="false" tabindex="0">Get-AdfsCertificate -CertificateType Token-Signing</code> to show the token-signing certificate and its thumbprint.</li> <li>The thumbprint looks something like: <div><code class="code codeInline" spellcheck="false" tabindex="0">a909502dd82ae41433e6f83886b00d4277a32a7b</code></div> <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/QB674QSXAIGR/untitled-2-copy.png" alt="Untitled-2_copy.png" class="embedImage-img importedEmbed-img"></img></p> </li> </ul></li> </ol><p>Enter the collected values into the form fields:</p> <ul><li>Issuer URL</li> <li>SAML Login Endpoint URL</li> <li>SAML Logout Endpoint URL: enter the logout URL you constructed in the previous steps. 
It should be the same as the login endpoint URL, but with <em>/adfs/ls/?wa=wsignout1.0</em> after your FQDN.</li> <li>Fingerprint</li> <li>Certificate: <ul><li>Export the token-signing certificate with the ADFS Microsoft Management Console.</li> <li>In the certificate export wizard, make sure you select <strong>Base-64 encoded X.509 (.CER)</strong> as the encoding format.</li> <li>Open the exported file in a text editor to get the certificate value.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/BH0QVUHUZA6P/base64.png" alt="base64.png" class="embedImage-img importedEmbed-img"></img></li> </ul><div> <strong>Important. </strong>Ensure there is no trailing whitespace at the end of the certificate string (i.e. after -----END CERTIFICATE-----).</div> </li> </ul> <p>Click <strong>Save</strong>.</p> <div> <strong>Warning.</strong> Click <strong>Save</strong> only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.</div> <p>You should now have a working ADFS SSO implementation for IT Glue, which you can test by going to your subdomain (mycompany.itglue.com) in a new browser session.</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/5WZJWGBE6I3X/adfslogin.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <p><a name="myglue" id="myglue"></a></p> <div> <h3 data-id="configuring-myglue">Configuring MyGlue</h3> <p>If you are <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360007592878-Setting-up-single-sign-on-SSO-to-MyGlue" rel="noopener nofollow">setting up SSO for MyGlue</a>, complete <em><strong>all</strong></em> steps as instructed in this article. 
However, there are a few key steps in which you'll need to substitute different values:</p> <p>Complete step 6 in the <em>Adding a new relying party trust</em> section above, but use the following values instead:</p> <ul><li>On the <strong>Configure URL</strong> screen, select the box labeled <strong>Enable Support for the SAML 2.0 WebSSO protocol</strong>. The URL will be <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com%2Fsaml%2Fconsume">https://app.myglue.com/saml/consume</a></em>. Note that there is no trailing slash at the end of the URL.</li> <li>On the <strong>Configure Identifiers</strong> screen, enter the <strong>Relying party trust identifier</strong>. The URL will be <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com">https://app.myglue.com</a></em>. Then click Next.</li> </ul></div> <h3 data-id="troubleshooting">Troubleshooting</h3> <p><strong>Users cannot log in</strong></p> <p>For ADFS to pass a login through for authentication, the user's email address must be present in the "E-mail" field of the General tab in their AD profile.</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/42XM09UDGJER/image.png" alt="image.png" width="428" height="491" class="embedImage-img importedEmbed-img"></img></p> <h3 data-id="common-questions">Common Questions</h3> <div> <div> <div> <p><strong>When the SSO server is unavailable, how do we access our accounts?</strong></p> </div> <div> <p>If your SSO provider's service is unavailable, you can still log in using your IT Glue username and password at <em>app.itglue.com</em>.</p> <p>If your SSO is not working, confirm that your provider's service is available. Send us an <a rel="nofollow" href="mailto:support@itglue.com">email</a> for assistance.</p> </div> </div> <div> <div> <p><strong>How do we disable SSO for a user? 
</strong></p> </div> <div> <p>To disable a user account, an Administrator or a Manager will need to navigate to the <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360004938478">Account > Users</a> page in IT Glue. We don’t currently support disabling user accounts through the SSO server.</p> </div> </div> </div> </article> </main>
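<p>The relying party trust, claim rules, SHA-256 setting and SAML Logout endpoint configured in the ADFS sections above, plus the values the IT Glue Authentication form asks for, as an added PowerShell example that is not part of the original article. It assumes the ADFS PowerShell module on the ADFS server (the cmdlet names below are those of Windows Server 2012 R2 and later) and uses <em>subdomain</em> and <em>sso.domain.tld</em> as placeholders for your IT Glue subdomain and ADFS host.</p>

```powershell
# Added example (not from the original article): creates the IT Glue relying party
# trust with the ADFS PowerShell cmdlets, then collects the values the IT Glue
# Authentication form asks for. 'subdomain' and 'sso.domain.tld' are placeholders.
Import-Module ADFS

$itg  = 'https://subdomain.itglue.com'        # relying party trust identifier
$acs  = "$itg/saml/consume"                   # SAML consumer URL, no trailing slash
$adfs = 'https://sso.domain.tld/adfs/ls/'     # SAML 2.0/WS-Federation endpoint of your ADFS server

# The same two rules the wizard creates: LDAP mail -> E-Mail Address claim,
# then E-Mail Address -> Name ID in the email format.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "IT Glue - email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "IT Glue - email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Endpoints: the assertion consumer (Configure URL step) and the SAML Logout endpoint (Endpoints tab).
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acs -Index 0),
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri "${adfs}?wa=wsignout1.0")
)

Add-AdfsRelyingPartyTrust -Name 'IT Glue SSO' -Identifier $itg -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'   # "SHA-256" on the Advanced tab

# Values for the "Enable SAML SSO" form in IT Glue. The certificate is emitted as
# Base-64 X.509 with nothing after the END line, as the Important note above requires.
$cert = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$pem  = "-----BEGIN CERTIFICATE-----`n" +
        [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
        "`n-----END CERTIFICATE-----"
[PSCustomObject]@{
    IssuerUrl          = (Get-AdfsProperties).Identifier   # federation service identifier (General tab)
    SamlLoginEndpoint  = $adfs
    SamlLogoutEndpoint = "${adfs}?wa=wsignout1.0"
    Fingerprint        = $cert.Thumbprint.ToLower()         # SHA-1 thumbprint, as shown by Get-AdfsCertificate
    Certificate        = $pem
}
```

Run it in an elevated PowerShell session on the ADFS server; the object it prints maps field by field onto the IT Glue form.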