Ask the Community
Groups
Configuring single sign-on (SSO) with Passly - Connect IT Community | Kaseya
<main> <article class="userContent"> <p> </p> <p>In this article, you'll learn how to configure single sign-on (SSO) on your IT Glue account using Passly On-Demand (cloud). For AuthAnvil On-Premises, refer to these <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fhelpdesk.kaseya.com%2Fhc%2Fen-gb%2Farticles%2F360034689511-Adding-IT-Glue-SAML-access-in-SSO">Adding IT Glue SAML access in SSO</a>.</p> <div> <p>If you are configuring SSO for MyGlue using Passly, the instructions are the same but you will need to enter different values when configuring Passly and your MyGlue account settings page. Click <a rel="nofollow" href="#myglue">here</a> to see the different values that you'll need to substitute in at key steps within this KB article.</p> </div> <p>AuthAnvil (On-Demand) has been rebranded as Passly, but some in-app references and screenshots in IT Glue as well as this article may still refer to the AuthAnvil name. Please note that Passly is the cloud-based software while they also support on-premises under the AuthAnvil name.</p> <p>Prerequisites</p> <ul><li>You must have Administrator level access to IT Glue to configure SSO on your account.</li> <li>Ensure your users are provisioned in the identity provider (Passly), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.</li> <li>Before turning this feature on, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. Alternatively, you can also log in to two separate browsers.</li> <li>Ensure that the users and groups have been created within IT Glue before starting the instructions for setting up SSO with Passly.</li> </ul><p>Instructions </p> <h3 data-id="configuring-passly">Configuring Passly</h3> <p>To configure and manage SSO, you must have a user group that you can associate with the IT Glue SSO configuration. Follow the below instructions to create a group. Alternatively, you may have existing groups in Passly that you can use for the IT Glue SSO integration.</p> <ol><li>Log in to Passly and navigate to <strong>Directory Manager > Groups</strong> in the left-hand menu. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/U8TFS4K276NB/passly.png" alt="Passly.png" width="346" height="310" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click the plus sign icon in the bottom-right corner. A <strong>Create New Group</strong> column will appear. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/ME5F5SJF1DLX/passly-2.png" alt="Passly-2.png" width="61" height="63" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Enter a name for your new group and then click <strong>Add Group</strong> at the bottom of the column. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/NF5UFK6T131B/aa-new-group-name.png" alt="AA_New_Group_Name.png" width="348" height="125" class="embedImage-img importedEmbed-img"></img></p> </li> <li>To add users to the group, click the vertical ellipsis beside the newly created group in the main screen and then click <strong>Edit</strong>. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/BX3K17LSCB6B/authanvil-12.png" alt="AuthAnvil-12.png" width="348" height="59" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click on the plus sign icon at the bottom-right corner and then on the <strong>Add Users</strong> icon. Click the checkbox next to the desired user(s) and then click <strong>Add Users</strong>. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/AK0OZIWYT4A6/passly-3.png" alt="Passly-3.png" width="347" height="174" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click on <strong>SSO Manager </strong>in the left-hand menu. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/IJOQKCCGNZOY/passly-4.png" alt="Passly-4.png" width="347" height="358" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click the plus sign icon at the bottom-right corner and then on the <strong>Catalogue</strong> button. Clicking the Catalogue button will open an <strong>Add new Application to the Library </strong>window. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/MV1JDKONLDJE/passly-5.png" alt="Passly-5.png" width="135" height="169" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Search for and select IT Glue from the catalog. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/KKGPUH43TN89/passly-6.png" alt="Passly-6.png" width="345" height="256" class="embedImage-img importedEmbed-img"></img></p> </li> <li>In the <strong>Add new Application to the Library</strong> window, click the <strong>Application is Enabled</strong> checkbox. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/6N4WFHEDZWF6/authanvil-9.png" alt="AuthAnvil-9.png" width="347" height="355" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Next, click <strong>Protocol Setup</strong> at the top of the screen and update the following three fields in this section by replacing <em>domain</em> with your IT Glue subdomain.</li> <ol><li type="a"> <strong>Assertion Consumer Service URL</strong> - https://<em>subdomain</em>.itglue.com/saml/consume</li> <li type="a"> <strong>Audience URI</strong> - https://<em>subdomain</em>.itglue.com <ol><li type="i">Click on <strong>Edit</strong> and then on <strong>Save Changes</strong> to adjust the URI.</li> </ol></li> <li type="a"> <strong>Service Entity ID (Issuer)</strong> - https://<em>subdomain</em>.itglue.com</li> </ol><li>Select the <strong>Allow Multiple Audiences</strong> checkbox and click <strong>Add Application</strong> at the bottom-right of the screen. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/F3EY2SEOCMBP/authanvil-11.png" alt="AuthAnvil-11.png" width="347" height="394" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Now that you have added the application, click <strong>Permissions</strong> at the top of the screen and then click the <strong>Add Groups</strong> button. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/7M6122PWZUP0/aa-group-access.png" alt="AA_Group_Access.png" width="347" height="105" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Select the group(s) you created in Step 3 above and click <strong>Add Groups</strong>. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/S01D1YAF6AVF/aa-allow-groups.png" alt="AA_Allow_Groups.png" width="347" height="205" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click the <strong>Save Changes</strong> button to finish the setup.</li> </ol><p>Leave the Passly window open as you continue on to configuring IT Glue. You will need to refer to it frequently in the next section of this KB.</p> <h3 data-id="configuring-it-glue">Configuring IT Glue</h3> <p>After setting up Passly, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Passly to complete this step.</p> <div> <strong>Important.</strong> It's highly recommended that before you begin the below set of instructions, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. This is to ensure that you are still logged in to your account in case you are locked out in the other window.</div> <ol><li>Log in to IT Glue and click <strong>Account</strong> from the top navigation bar.</li> <li>Click <strong>Settings</strong> in the sidebar. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/LK3UV59DAJ1W/account-settings-it-glue-copy.png" alt="Account_Settings___IT_Glue_copy.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click on the <strong>Authentication</strong> tab and then turn the <strong>Enable SAML SSO </strong>toggle switch to <strong>ON</strong>. Once this is turned on, a form will appear. You will need to collect information from Passly and enter it into this form. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/RDS5EBQBUYH1/untitled-2.png" alt="Untitled-2.png" class="embedImage-img importedEmbed-img"></img></p> <ol><li type="a">Issuer URL: <ul><li>Navigate to <strong>Passly > SSO Manager</strong> and open the <strong>IT Glue </strong>application.</li> <li>Click <strong>Protocol Setup</strong> at the top of the screen.</li> <li>Copy the <strong>Identify Issuer</strong> and paste it into the <strong>Issuer URL</strong> field in IT Glue.</li> </ul></li> <li type="a">SAML Login Endpoint URL: <ul><li>Navigate to<strong> Passly ></strong><strong> Launchpad</strong>.</li> <li>Right-click on the IT Glue text in the logo and click <strong>Copy Link Address</strong>.</li> <li>Paste the link into the <strong>SAML Login Endpoint URL</strong> field in IT Glue. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/OWW8JFDY36LS/screen-shot-2020-05-11-at-3-31-39-pm.png" alt="Screen_Shot_2020-05-11_at_3.31.39_PM.png" width="308" height="245" class="embedImage-img importedEmbed-img"></img></p> </li> </ul></li> <li type="a">SAML Logout Endpoint URL: <ul><li>Enter a URL where IT Glue can redirect users after they log out of IT Glue. Passly does not provide this URL and this value cannot be left empty.</li> <li>A recommended value would look something like: <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fitgluetest.my.passly.com%2Fapps">https://itgluetest.my.passly.com/apps</a></em>. </li> </ul></li> <li type="a">Fingerprint: <ul><li>Navigate to <strong>Passly</strong><strong> > SSO Manager</strong> and open the IT Glue application.</li> <li>Click <strong>Signing and Encryption</strong> at the top of the screen.</li> <li>Copy and paste the thumbprint into the <strong>Fingerprint </strong>field in IT Glue.</li> </ul></li> <li type="a">Certificate: <ul><li>Navigate to <strong>Passly > SSO Manager</strong> and open the IT Glue application.</li> <li>Click<strong>Signing and Encryption</strong> at the top of the screen.</li> <li>Click the <strong>< > Copy</strong> button to get the certificate value.</li> <li>Paste the certificate into the <strong>Certificate </strong>field in IT Glue. <div> <strong>Important. </strong>Ensure there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).</div> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/1FEA704TYH51/authanvil-5-2.png" alt="AuthAnvil-5-2.png" class="embedImage-img importedEmbed-img"></img></p> </li> </ul></li> </ol></li> </ol><ol start="4"><li>Once all information from Step 3 is copied from Passly and pasted into the SAML SSO from in IT Glue, click <strong>Save</strong>.</li> </ol><p><img src="https://us.v-cdn.net/6032361/uploads/migrated/ZWMCSBGAW6PB/account-settings-it-glue-2-2.png" alt="Account_Settings___IT_Glue-2-2.png" class="embedImage-img importedEmbed-img"></img></p> <div> <strong>Warning. </strong>Click <strong>Save</strong> only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.</div> <p><a name="myglue" id="myglue"></a></p> <div> <h3 data-id="configuring-myglue">Configuring MyGlue</h3> <p>If you are <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360007592878-Setting-up-single-sign-on-SSO-to-MyGlue" rel="noopener nofollow">setting up SSO for MyGlue</a>, complete <em><strong>all</strong></em> steps as instructed in this article. However, there are a few key steps in which you'll need to substitute in different values:</p> <p>Complete step 10 in the <em>Configuring Passly</em> section above but use the following values instead:</p> <ul><li> <strong>Assertion Consumer Service URL</strong> - <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com%2Fsaml%2Fconsume">https://app.myglue.com/saml/consume</a></li> <li> <strong>Audience URL</strong> - <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com">https://app.myglue.com</a></li> <li> <strong>Service Entity ID (Issuer)</strong> - <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com">https://app.myglue.com</a></li> </ul></div> <h3 data-id="testing-sso-authentication">Testing SSO authentication</h3> <p>Before you configured SSO, you should have logged in to IT Glue in two separate browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO and investigate the cause.</p> <p>To make sure SSO is working, perform these steps:</p> <ol><li>Log out of and close any Passly browser sessions you have open.</li> <li>Open a new browser session and navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This will redirect you to the identity provider.</li> <li>Enter your SSO credentials.</li> </ol><p>After entering your credentials, you should be redirected and logged in to IT Glue.</p> <h3 data-id="setting-your-authentication-policy">Setting your authentication policy</h3> <p>Finally, determine whether to set your authentication policy to require the user of MFA via SSO to access IT Glue.</p> <ol><li>Passly, click on <strong>Policy Manager</strong> on the left side of the screen and then on <strong>Default Auth Policy</strong>.</li> </ol><p><img src="https://us.v-cdn.net/6032361/uploads/migrated/YSDOQRVUZQ6E/passly-7.png" alt="Passly-7.png" width="386" height="323" class="embedImage-img importedEmbed-img"></img></p> <ol start="2"><li>In the next screen, make the required changes to your authentication policy by clicking on the <strong>+ Add Additional Rule</strong> button in the top-right corner. An example would look like:</li> </ol><p><img src="https://us.v-cdn.net/6032361/uploads/migrated/R9575UX7CKZT/authanvil-10-2.png" alt="AuthAnvil-10-2.png" class="embedImage-img importedEmbed-img"></img></p> <ol start="3"><li>Click on <strong>Save Changes</strong>.</li> </ol><p>Common Questions</p> <div> <div> <div> <p><strong>When the SSO server is unavailable, how do we access our accounts? </strong></p> </div> <div> <p>If your SSO provider's service is unavailable, you can still log in using your IT Glue username and password at <em>app.itglue.com</em>.</p> <p>If your SSO is not working, confirm your provider's service is available. Contact our <a rel="nofollow" href="support.itglue.com">support team</a> for assistance.</p> </div> </div> <div> <div> <p><strong>How do we disable SSO for a user? </strong></p> </div> <div> <p>To disable a user account, an Administrator or a Manager will need to navigate to the <strong><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360004938478">Account > Users</a></strong> page in IT Glue. We don’t currently support disabling user accounts through the SSO server.</p> </div> </div> </div> </article> </main>