Configuring single sign-on (SSO) for G Suite - Connect IT Community | Kaseya
<main> <article class="userContent"> <p> </p> <p>Follow these step-by-step instructions to configure SSO on your IT Glue account using Google as a SAML identity provider. This is great for partners who use Google but haven't yet implemented SSO. By using SSO with Google, you can set up basic SSO authentication without introducing a third-party service such as OneLogin.</p> <div> <p>If you are configuring SSO for MyGlue using Google, the instructions are the same but you will need to enter different values when configuring Google and your MyGlue account settings page. Click <a rel="nofollow" href="#myglue">here</a> to see the different values that you'll need to substitute in at key steps within this KB article.</p> </div> <div> <strong>Note:</strong> The following instructions are the Google SSO steps as of the time of writing. However, recently, Google added a SAML integration for IT Glue, which means IT Glue is now pre-integrated with Google's SSO feature. For more information, see <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F7577088">Google's documentation</a>.</div> <p>Prerequisites</p> <ul><li>You must have Administrator level access to IT Glue to configure SSO on your account.</li> <li>Ensure your users are provisioned in the identity provider (Google), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.</li> <li>Before turning this feature on, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. 
Alternatively, you can also log in to two separate browsers.</li> </ul><p>Instructions </p> <h3 data-id="configuring-google">Configuring Google</h3> <ol><li>As an administrator on your G Suite account, sign in to <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fadmin.google.com%2F" rel="noopener noreferrer nofollow">https://admin.google.com/</a>.</li> <li>Click through to <strong>Apps > SAML Apps</strong>.</li> <li>Click the blue plus sign icon in the bottom right corner to open a dialog that will help you build a custom app step by step. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/100G94APR320/ga-saml-apps-2.png" alt="GA_SAML_Apps-2.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>From the <strong>Enable SSO for SAML Application</strong> (step 1/5), click on <strong>Setup my own custom app</strong> at the bottom of the screen.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/SHA6HSSBVBPV/ga-step-one.png" alt="GA_Step_One.png" class="embedImage-img importedEmbed-img"></img></li> <li>From the <strong>Google IdP Information</strong> (step 2/5), you will find an SSO URL and Entity ID which you will enter in IT Glue later. For now, click <strong>Download</strong> to download the certificate. You'll need information from it in a moment. Click <strong>Next</strong>.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/1X8ZXMNI8Z1S/ga-step-two.png" alt="GA_Step_Two.png" class="embedImage-img importedEmbed-img"></img></li> <li>From the <strong>Basic information for your Custom App</strong> (step 3/5), you can add a name (required), description, and logo in the fields provided to identify the app. 
Click <strong>Next</strong>.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/S6I70AOFU8Q5/ga-step-three.png" alt="GA_Step_Three.png" class="embedImage-img importedEmbed-img"></img></li> <li>From the <strong><a name="ServiceProviderDetails" id="ServiceProviderDetails"></a>Service Provider Details</strong> (step 4/5), enter the required information below. When you're done entering the information, click <strong>Next</strong>. <ul><li> <strong>ACS URL </strong>- The URL should be <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com%2Fsaml%2Fconsume">https://subdomain.itglue.com/saml/consume</a></em> (with your IT Glue subdomain where it says <em>subdomain</em>)</li> <li> <strong>Entity ID </strong>- Enter <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com">https://subdomain.itglue.com</a></em> (with your IT Glue subdomain where it says <em>subdomain</em>) </li> <li> <strong>Start URL </strong>- This is the login URL and it should also be <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com">https://subdomain.itglue.com</a></em> (with your IT Glue subdomain where it says <em>subdomain</em>)</li> <li> <strong>Signed Response</strong> - Disable</li> <li> <strong>Name ID </strong>- Basic Information – Primary Email</li> <li> <strong>Name ID Format </strong>- EMAIL <p><br>The screenshot below shows you the screen with sample URLs:</p> <img src="https://us.v-cdn.net/6032361/uploads/migrated/6QU9822SURIQ/ga-step-four.png" alt="GA_Step_Four.png" class="embedImage-img importedEmbed-img"></img></li> </ul></li> <li>Leave this window open as you configure IT Glue, but remember to click <strong>Finish</strong> on the <strong>Attribute Mapping</strong> (step 5/5) when you are done configuring SSO in IT Glue. 
No action is required on the Attribute Mapping step.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/FVJFXXH1A9PJ/ga-step-five.png" alt="GA_Step_Five.png" class="embedImage-img importedEmbed-img"></img></li> </ol><h3 data-id="getting-the-fingerprint">Getting the fingerprint</h3> <p>To get the fingerprint, you can use the third-party fingerprint calculator from OneLogin:</p> <ol><li>Go to <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdevelopers.onelogin.com%2Fsaml%2Fonline-tools%2Fx509-certs%2Fcalculate-fingerprint" rel="noopener noreferrer nofollow">https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint</a>.</li> <li>Paste in the certificate you downloaded further above. To do this, you will need to open the certificate in a text editor to copy the certificate content.</li> <li>Select <strong>sha1</strong> in the <strong>Algorithm</strong> drop-down menu.</li> <li>Click the <strong>CALCULATE FINGERPRINT</strong> button. The fingerprint looks something like:<br><div> <pre class="code codeBlock" spellcheck="false" tabindex="0">a909502dd82ae41433e6f83886b00d4277a32a7b</pre> </div> </li> </ol><h3 data-id="configuring-it-glue">Configuring IT Glue</h3> <p>After setting up Google, you need to configure your IT Glue account to authenticate using SAML. You will need the fingerprint and a few pieces of information from Google to finish the configuration.</p> <div> <strong>Important. </strong>Before you begin the instructions below, it's highly recommended that you log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. 
This is to ensure that you are still logged in to your account in case you are locked out in the other window.</div> <ol><li>Log in to IT Glue and click <strong>Account</strong> in the top navigation bar.</li> <li>Click <strong>Settings</strong> from the sidebar.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/OMT00PP1C73W/account-settings-it-glue-copy.png" alt="Account_Settings___IT_Glue_copy.png" class="embedImage-img importedEmbed-img"></img></li> <li>Click on the <strong>Authentication</strong> tab and then turn the <strong>Enable SAML SSO</strong> toggle switch to <strong>ON</strong>. Once this is turned on, a form will appear. You will need to collect information from G-Suite and enter it into this form. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/GB49TG1K32QU/untitled-2-copy.png" alt="Untitled-2_copy.png" class="embedImage-img importedEmbed-img"></img></p> <ul><li type="a">Copy the <strong>Google Entity ID</strong> and paste it in the IT Glue<strong> Issuer URL</strong> field.</li> <li type="a">Copy the <strong>Google SSO URL</strong> and paste it in the IT Glue <strong>SAML Login Endpoint</strong><strong> URL</strong> field.</li> <li type="a">For the<strong> SAML Logout Endpoint URL</strong>, enter a URL where IT Glue can redirect users after they sign out of IT Glue. Google does not provide this URL, and this value cannot be left empty. Recommended value: <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapps.google.com%2Fuser%2Fhub">https://apps.google.com/user/hub</a>.</em> </li> <li type="a">Enter the fingerprint you created further above in the IT Glue <strong>Fingerprint</strong> field.</li> <li type="a">Enter the certificate in the <strong>IT Glue Certificate</strong> field. <div> <strong>Important.</strong> Ensure there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).</div> </li> </ul></li> <li>Click <strong>Save</strong>. 
<div> <strong>Warning.</strong> Click <strong>Save</strong> only when all information has been entered. If you turn on SSO prematurely, it will break the sign-in experience for all users on your account.</div> </li> </ol><p>Before you can test your access, you must make one more change.</p> <p><a name="myglue" id="myglue"></a></p> <div> <h3 data-id="configuring-myglue">Configuring MyGlue</h3> <p>If you are <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360007592878-Setting-up-single-sign-on-SSO-to-MyGlue" rel="noopener nofollow">setting up SSO for MyGlue</a>, complete <em><strong>all</strong></em> steps as instructed in this article. However, there are a few key steps in which you'll need to substitute in different values:</p> <p>Complete step 7 in the <em>Configuring Google </em>section above but use the following values instead:</p> <ul><li> <strong>ACS URL </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com%2Fsaml%2Fconsume">https://app.myglue.com/saml/consume</a> </li> <li> <strong>Entity ID </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com">https://app.myglue.com</a></li> <li> <strong>Start URL </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com">https://app.myglue.com</a> </li> </ul></div> <h3 data-id="enabling-the-app-for-your-domain">Enabling the app for your domain</h3> <p>When you create a SAML app, it is turned off by default. This means that for users signed in to your Google domain account, the app will not be visible to them. To turn it on, go to your Google Admin console, click <strong>App</strong>, and then click <strong>SAML Apps</strong>. 
Find your app and select an action from the right side of the screen:</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/NUEI0CO8HBQN/ga-turn-on-sso.png" alt="GA_Turn_On_SSO.png" class="embedImage-img importedEmbed-img"></img></p> <p>If you do not want to activate the app for everyone, you can take advantage of G Suite/Google Apps organizational units and activate the app for only a subset of users. Refer to the <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F182537%3Fhl%3Den" rel="noopener noreferrer nofollow">Google documentation</a> for further details about creating these organizations.</p> <h3 data-id="testing-sso-authentication">Testing SSO authentication</h3> <p>Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.</p> <p>For testing, sign out of Google. In a new browser session, sign in to Google again. Next, on the Google search page, click the grid icon to expand the apps menu and then click the <strong>More</strong> link to see additional apps. Find the app you created and click on it to sign in to IT Glue.</p> <p>Another way to test SSO access is to go to your account subdomain (mycompany.itglue.com) directly.</p> <p>Common Questions </p> <div> <div> <div> <p><strong>When the SSO server is unavailable, how do we access our accounts?</strong></p> </div> <div> <p>If your SSO provider's service is unavailable, you can still log in using your IT Glue username and password at <em>app.itglue.com</em>.</p> <p>If your SSO is not working, confirm your provider's service is available. 
Send us an <a rel="nofollow" href="mailto:support@itglue.com">email</a> for assistance.</p> </div> </div> <div> <div> <p><strong>How do we disable SSO for a user?</strong></p> </div> <div> <p>If a member has left your team, and you’d like to disable their user account, an Administrator or Manager will need to delete their account from the <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360004938478">Account > Users</a> page in IT Glue. We don't currently support disabling user accounts through the SSO server.</p> </div> </div> <div> <div> <p><strong>Why am I asked to sign in twice before accessing IT Glue? </strong></p> </div> <div> <p>This can sometimes be triggered when setting up the service provider details (which <a rel="nofollow" href="#ServiceProviderDetails">Step 7 Service Provider Details</a> in Configuring Google indicates to use <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com">https://subdomain.itglue.com</a> in the Start URL field). To prevent this, leave the "Start URL" blank (see image below).</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/E6WTQPOWQ8AK/ga-step-four-2.jpg" alt="GA_Step_Four_2.jpg" class="embedImage-img importedEmbed-img"></img></p> </div> </div> </div> </article> </main>
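<p>For the <em>Getting the fingerprint</em> steps and the trailing-space check on the IT Glue <strong>Certificate</strong> field above, the following added example (not part of the original article or of IT Glue's or Google's tooling) computes the same SHA-1 fingerprint locally and reports any characters left after the END marker. The function name <code>inspect_idp_certificate</code> and the sample bytes are assumptions made for illustration.</p>

```python
import base64
import hashlib
import re
import sys

END_MARKER = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)" + END_MARKER, re.S)

# CONSTRUCTED sample: placeholder bytes, not a real X.509 certificate. The
# fingerprint is a hash of the decoded bytes, so this is enough to show the steps.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + END_MARKER + "  \n"  # two stray spaces and a newline after the END marker
)


def inspect_idp_certificate(pem_text):
    """Hypothetical helper: fingerprint one PEM certificate and tidy its text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    # The fingerprint is SHA-1 over the DER bytes, i.e. the decoded base64 body.
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    digest = hashlib.sha1(der).hexdigest()
    end = pem_text.index(END_MARKER) + len(END_MARKER)
    return {
        "fingerprint": digest,  # 40 lowercase hex characters, no separators
        "fingerprint_colon": ":".join(digest[i:i + 2] for i in range(0, 40, 2)).upper(),
        "trailing_chars": len(pem_text) - end,  # anything after the END marker
        "clean_pem": pem_text[:end].lstrip(),  # text to paste, ends at the marker
    }


if __name__ == "__main__":
    # Pass the path of the certificate downloaded from Google, or run without
    # arguments to use the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii") as handle:
            text = handle.read()
    else:
        text = SAMPLE_PEM
    report = inspect_idp_certificate(text)
    print("fingerprint:", report["fingerprint"])
    print("colon form :", report["fingerprint_colon"])
    print("characters after END marker:", report["trailing_chars"])
```

<p>The <code>fingerprint</code> value has the same 40-character lowercase form as the sample shown in <em>Getting the fingerprint</em>; <code>clean_pem</code> is the certificate text cut off at the END marker.</p>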