Configuring single sign-on (SSO) with Azure - Connect IT Community | Kaseya
<main> <article class="userContent"> <p> </p> <p>This article explains how to configure the SAML SSO integration of the new Azure AD portal and IT Glue. These instructions apply to the newer Azure portal interface.</p> <div> <p>If you are configuring SSO for MyGlue using Azure, the instructions are the same but you will need to enter different values when configuring Azure and your MyGlue account settings page. Click <a rel="nofollow" href="#myglue">here</a> to see the different values that you'll need to substitute in at key steps within this KB article.</p> </div> <p>Prerequisites</p> <ul><li>Microsoft Azure account with Azure AD Premium activated.</li> <li>Administrator level access to IT Glue and a Global Admin or Co-admin account in Azure.</li> <li>All of your users under your account in IT Glue will need an account in Azure Active Directory with exactly the same email address. We don’t create user accounts under SSO.</li> <li>Before turning this feature on, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. Alternatively, you can also log in to two separate browsers.</li> </ul><p>Instructions</p> <ol><li>Log in to the Azure portal (<em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fportal.azure.com%2F">https://portal.azure.com/</a></em>). In the left-hand menu, click <strong>Azure Active Directory > Enterprise applications.</strong> <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/K7AXY87Y7VE3/itg-software-inc-overview-azure-active-directory-admin-center.png" alt="ITG_Software_Inc____Overview_-_Azure_Active_Directory_admin_center.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click <strong>+ New application</strong> at the top of the screen. 
<p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/J8W4YB9YEYHE/enterprise-applications-all-applications-azure-active-directory-admin-center.png" alt="Enterprise_applications___All_applications_-_Azure_Active_Directory_admin_center.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click the <strong>Non-gallery application</strong> button. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/04T4QR17PZWH/add-an-application-azure-active-directory-admin-center.png" alt="Add_an_application_-_Azure_Active_Directory_admin_center.png" width="348" height="208" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Give the new application a name and then click the <strong>Add</strong> button at the bottom of the screen. This will add a custom application to your Azure Active Directory. <div> <strong>Note:</strong> If you do not have Azure AD Premium activated, you will not be able to enter the name of the application and an invite message to upgrade to Premium will appear.</div> <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/8W07OWXT7FDE/add-your-own-application-azure-active-directory-admin-center.png" alt="Add_your_own_application_-_Azure_Active_Directory_admin_center.png" width="347" height="330" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Once the application loads, click <strong>Users and groups</strong> in the left-hand menu. Click <strong>+ Add user</strong> to assign users or user groups to this application. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/XYQ0P3M87EQV/happy-frog-sso-users-and-groups-azure-active-directory-admin-center.png" alt="Happy_Frog_SSO___Users_and_groups_-_Azure_Active_Directory_admin_center.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Next, click <strong>Single sign-on</strong> in the left-hand menu and then on the <strong>SAML</strong> button. 
<p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/C34RFAVD66BD/happy-frog-sso-single-sign-on-azure-active-directory-admin-center.png" alt="Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center.png" width="474" height="248" class="embedImage-img importedEmbed-img"></img></p> </li> </ol><h3 data-id="configuring-azure">Configuring Azure</h3> <p><strong>Basic SAML Configuration</strong></p> <ol><li>In the setup screen, click the pencil icon in the <strong>Basic SAML Configuration</strong> box. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/O41JM96FKZ9W/happy-frog-sso-single-sign-on-azure-active-directory-admin-center-2.png" alt="Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-2.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Enter the following URLs in the fields provided, replacing <em>subdomain</em> with your subdomain: <ul><li> <strong> Identifier (Entity ID)</strong> - Enter your IT Glue subdomain, e.g. https://<em>subdomain</em>.itglue.com</li> <li> <strong> Reply URL (Assertion Consumer Service URL) </strong>- Enter <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com%2Fsaml%2Fconsume">https://subdomain.itglue.com/saml/consume</a></em> </li> <li> <strong> Sign on URL </strong>- Enter <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com">https://subdomain.itglue.com</a></em> </li> <li> <strong> Relay State </strong>- Skip. This is an optional parameter used to tell the application where to redirect the user after authentication is completed.</li> <li> <strong>Logout URL</strong> - Enter a URL where IT Glue can redirect users after they log out of IT Glue. 
<p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/2WKMDXN7HIS8/configuring-single-sign-on-sso-with-azure-revision-2-google-docs.png" alt="Configuring_single_sign-on__SSO__with_Azure_-_REVISION_2_-_Google_Docs.png" width="346" height="284" class="embedImage-img importedEmbed-img"></img></p> </li> </ul></li> <li>Be sure to fill in your IT Glue subdomain where it says <em>subdomain</em>. Note that there's no trailing slash at the end of the URL. Click <strong>Save</strong> at the top of the form when finished.</li> </ol><p><strong>User Attributes & Claims</strong></p> <ol><li>Return to the setup screen and click the pencil icon in the <strong>User Attributes & Claims</strong> box. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/W8ID5G72SZKG/happy-frog-sso-single-sign-on-azure-active-directory-admin-center-3.png" alt="Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-3.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click <strong>Unique User Identifier (Name ID)</strong>. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/KZERHSL4T22G/user-attributes-claims-azure-active-directory-admin-center.png" alt="User_Attributes___Claims_-_Azure_Active_Directory_admin_center.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Enter a name and select <em>user.mail</em> in the <strong>Source attribute</strong> drop-down menu. Click <strong>Save</strong> at the top of the form. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/50C1Z0RUD2P7/manage-claim-azure-active-directory-admin-center.png" alt="Manage_claim_-_Azure_Active_Directory_admin_center.png" class="embedImage-img importedEmbed-img"></img></p> </li> </ol><p><strong>SAML Signing Certificate</strong></p> <ol><li>Return to the setup screen and click the pencil icon in the <strong>SAML Signing Certificate</strong> box. 
<p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/9WECJRGZUFOW/happy-frog-sso-single-sign-on-azure-active-directory-admin-center-4.png" alt="Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-4.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Enter a notification email for the certificate expiry reminders. Click <strong>Save</strong> at the top of the form. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/MD1GP1J7QVMU/saml-signing-certificate-azure-active-directory-admin-center.png" alt="SAML_Signing_Certificate_-_Azure_Active_Directory_admin_center.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Back in the setup screen, click to download the <strong>Certificate (Base64) </strong>to save the certificate file on your computer and copy the <strong>Thumbprint</strong>. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/GCGUHY9Y5XB0/happy-frog-sso-single-sign-on-azure-active-directory-admin-center-7.png" alt="Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-7.png" class="embedImage-img importedEmbed-img"></img></p> </li> </ol><p><strong>Setup <em>&lt;Your Application Name&gt;</em></strong></p> <ol><li>Return to the setup screen and click the <strong>View step-by-step instructions</strong> link in the <strong>Setup <em>&lt;Your Application Name&gt;</em></strong> box. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/6FZ8EU7SO4AE/happy-frog-sso-single-sign-on-azure-active-directory-admin-center-5.png" alt="Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-5.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Review the documentation that will guide you through filling out the: <ul><li> <strong>Login URL</strong><strong> (a.k.a. SAML Single Sign-On Service URL)</strong> </li> <li> <strong>Azure AD Identifier </strong><strong>(a.k.a. SAML Entity ID)</strong>, and</li> <li> <strong>Logout URL </strong><strong>(a.k.a.
Sign-out URL)</strong> fields.</li> </ul></li> </ol><p><strong>Test Single Sign-on with <em>&lt;Your Application Name&gt;</em></strong></p> <ol><li>Return to the setup screen and click the <strong>Test</strong> button in the <strong>Test Single Sign-on with &lt;Your Application Name&gt; </strong>box to check if single sign-on is working. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/RMI9M82ZHG34/happy-frog-sso-single-sign-on-azure-active-directory-admin-center-6.png" alt="Happy_Frog_SSO___Single_sign-on_-_Azure_Active_Directory_admin_center-6.png" class="embedImage-img importedEmbed-img"></img></p> </li> </ol><p>Leave the Azure portal open as you continue on to configuring IT Glue. You will need to refer to it frequently in the next section of this KB.</p> <h3 data-id="configuring-it-glue">Configuring IT Glue</h3> <p>After setting up Azure, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Azure to complete this step.</p> <div> <strong>Important.</strong> It's highly recommended that, before you begin the instructions below, you log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. This is to ensure that you are still logged in to your account in case you are locked out in the other window.</div> <ol><li>Log in to IT Glue and click <strong>Account</strong> from the top navigation bar.</li> <li>Click <strong>Settings</strong> from the sidebar. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/HLDKCMVOTI38/account-settings-it-glue-copy.png" alt="Account_Settings___IT_Glue_copy.png" width="473" height="146" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click the <strong>Authentication</strong> tab and then turn the <strong>Enable SAML SSO</strong> toggle switch to <strong>ON</strong>. Once this is turned on, a form will appear.
You will need to collect information from Azure and enter it into this form. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/I7M692H21OBC/untitled-2-copy.png" alt="Untitled-2_copy.png" class="embedImage-img importedEmbed-img"></img></p> <ul><li type="a">Copy the <strong>Azure AD Identifier (a.k.a. SAML Entity ID)</strong> and paste it in the <strong>IT Glue Issuer URL</strong> field. </li> <li type="a">Copy the <strong>Login URL (a.k.a. SAML Single Sign-On Service URL)</strong> and paste it in the <strong>IT Glue SAML Login Endpoint URL</strong> field. </li> <li type="a">Copy the <strong>Logout URL (a.k.a. Sign-out URL)</strong> and paste it in the <strong>IT Glue SAML Logout Endpoint URL</strong> field. </li> <li type="a">Go back to the previous page of the Azure settings, copy the <strong>Thumbprint</strong>, and paste it in the <strong>IT Glue Fingerprint</strong> field. </li> <li type="a">Open the <strong>Base64-encoded </strong><strong>SAML Signing Certificate</strong> that you downloaded from the Azure portal in Notepad, copy its contents to your clipboard, and then paste them in the <strong>IT Glue Certificate</strong> field. <div> <strong>Important. </strong>Ensure there are no trailing spaces at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).</div> <img src="https://us.v-cdn.net/6032361/uploads/migrated/L3IEJ67VE0YA/skitch-background-google-docs.png" alt="Skitch_Background_-_Google_Docs.png" class="embedImage-img importedEmbed-img"></img></li> </ul></li> <li>Click <strong>Save</strong> to complete the setup of your account. <div> <strong>Warning.</strong> Click <strong>Save</strong> only when all information has been entered.
If you turn on SSO prematurely, it will break the login experience for all users on your account.</div> </li> </ol><p>Once you make this change, you can test your access.</p> <p><a name="myglue" id="myglue"></a></p> <div> <h3 data-id="configuring-myglue">Configuring MyGlue</h3> <p>If you are <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360007592878-Setting-up-single-sign-on-SSO-to-MyGlue" rel="noopener nofollow">setting up SSO for MyGlue</a>, complete <em><strong>all</strong></em> steps as instructed in this article. However, there are a few key steps in which you'll need to substitute in different values:</p> <p>Complete step 2 in the <em>Configuring Azure - Basic SAML Configuration</em> section but use the following values instead:</p> <ul><li> <strong>Identifier (Entity ID)</strong> - <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com">https://app.myglue.com</a></li> <li> <strong> Reply URL (Assertion Consumer Service URL) </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com%2Fsaml%2Fconsume">https://app.myglue.com/saml/consume</a> </li> <li> <strong> Sign on URL </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com">https://app.myglue.com</a></li> <li> <strong>Logout URL </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com%2Flogout">https://app.myglue.com/logout</a> (for EU partners, use <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.eu.myglue.com">https://app.eu.myglue.com</a></em>)</li> </ul></div> <h3 data-id="testing-sso-authentication">Testing SSO authentication</h3> <p>In the above section, you should have created two IT Glue browser sessions. 
If you are locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.</p> <p>To make sure SSO is working, perform these steps:</p> <ol><li>Log out of and close the Azure management portal and the Azure AD access panel.</li> <li>In a new browser session, navigate directly to the access panel at <em><a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fmyapps.microsoft.com">http://myapps.microsoft.com</a></em>.</li> <li>Enter your Azure AD credentials to log in. After authentication, you will be able to interact with the applications integrated with the directory.</li> <li>Click on the SSO application you created to be redirected and logged in to IT Glue.</li> </ol><p>Another way to test SSO access is to go to your account subdomain (mycompany.itglue.com) directly.</p> <p>Common Questions</p> <div> <div> <div> <p><strong>When the SSO server is unavailable, how do we access our accounts? </strong></p> </div> <div> <p>If your SSO provider's service is unavailable, you can still log in using your IT Glue username and password at <em>app.itglue.com</em>.</p> <p>If your SSO is not working, confirm your provider's service is available. Send us an <a rel="nofollow" href="mailto:support@itglue.com">email</a> for assistance.</p> </div> </div> <div> <div> <p><strong>How do we disable SSO for a user? </strong></p> </div> <div> <p>To disable a user account, an Administrator or a Manager will need to navigate to the <strong><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360004938478">Account > Users</a></strong> page in IT Glue. We don’t currently support disabling user accounts through the SSO server.</p> </div> </div> </div> </article> </main>
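<p>Because saving incomplete or mismatched values breaks login for every user, the values gathered in the <em>Configuring Azure</em> and <em>Configuring IT Glue</em> steps can be checked before clicking <strong>Save</strong>. The script below is an added example, not part of the original article or of IT Glue or Azure tooling: it checks the Reply URL shape, flags text after -----END CERTIFICATE-----, and compares the copied Thumbprint with the pasted certificate. It treats the Azure Thumbprint as the SHA-1 digest of the certificate's decoded bytes; the function names and the sample certificate bytes are constructed for illustration.</p>

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes, not a real certificate; hashing treats them alike.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode().strip()
              + "\n-----END CERTIFICATE-----")


def clean_pem(text):
    """Return only the BEGIN..END block, dropping anything around it."""
    match = PEM_RE.search(text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return match.group(0)


def thumbprint(pem):
    """SHA-1 over the decoded (DER) bytes, as upper-case hex."""
    body = "".join(PEM_RE.search(clean_pem(pem)).group(1).split())
    return hashlib.sha1(base64.b64decode(body, validate=True)).hexdigest().upper()


def preflight(subdomain, reply_url, pasted_cert, pasted_thumbprint):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    entity_id = f"https://{subdomain}.itglue.com"      # no trailing slash
    if reply_url != entity_id + "/saml/consume":
        problems.append("Reply URL is not <Entity ID>/saml/consume")
    if pasted_cert != clean_pem(pasted_cert):
        problems.append("extra characters before BEGIN or after END CERTIFICATE")
    # Accept AA:BB:.. or lower-case input by keeping hex digits only.
    wanted = re.sub(r"[^0-9A-Fa-f]", "", pasted_thumbprint).upper()
    if wanted != thumbprint(pasted_cert):
        problems.append("Thumbprint does not match the pasted certificate")
    return problems


if __name__ == "__main__":
    url = "https://subdomain.itglue.com/saml/consume"
    print(preflight("subdomain", url, SAMPLE_PEM + "  ", "00" * 20))
```

<p>Passing the output of <code>clean_pem()</code> into the IT Glue Certificate field avoids the trailing-space problem the article warns about.</p>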