Configuring single sign-on (SSO) with Okta - Connect IT Community

/* * These styles apply ONLY to the header and footer assets. */ * { padding: 0; margin: 0; box-sizing: border-box; } .super-nav { display: flex; justify-content: flex-end; align-items: center; margin: 0 auto; max-width: 1264px; padding-left: 40px; padding-right: 40px; height: 40px; text-align: right; } .super-nav a { color: #34427c; margin-right: 20px; padding: 10px; text-decoration: none; } .super-nav a:hover, .super-nav a:focus { background-color: #f7f9fa; } .footer { background: #f5f5f6; color: #555a62; font-size: 14px; line-height: 1.5; padding: 0; } .footer-image { background-image: url("/themes/kaseya/assets/images/footerImage.png"); height: 500px; background-repeat: no-repeat; background-size: cover; margin-top: -100px; } .footer-wrap { padding-left: 18px; padding-right: 18px; max-width: 1236px; margin: 0 auto; } .footer-main-content { background-color: #000; padding: 100px 0; } .footer .footer-col-title { color: #ffffff; font-weight: 700; font-size: 13px; padding-bottom: 10px; text-transform: uppercase; } .footer .footer-link { color: #9b9ca0; text-decoration: none; } .footer .footer-link:hover, .footer .footer-link:focus, .footer .footer-link:active { text-decoration: underline; } .footer-main-content .footer-link { padding-top: 10px; } .footer-row { display: flex; flex-wrap: wrap; justify-content: space-between; align-items: center; margin: -3px; } .footer-main-content-row { align-items: flex-start; } .footer-bottom-content { padding: 10px; align-items: center; } .footer-col { padding: 0 3px; display: flex; flex-direction: column; } .footer-col-copyRight { justify-content: flex-start; color: #9b9ca0; flex: 1; display: flex; } .footer-last-col { flex-direction: row; } .footer-last-col .footer-link { padding-right: 10px; text-transform: uppercase; } @media screen and (max-width: 768px) { .super-nav { padding-right: 0; } .footer-image { height: 250px; } .footer-main-content { padding: 40px 0; } .footer .footer-col-title { padding-top: 10px; } .footer-row:not(.footer-main-content-row) { display: block; } .footer-col:not(.footer-main-content-col) { width: 100%; text-align: center; padding: 10px 0; } .footer-main-content-col { width: 50%; } .footer-last-col { flex-direction: column; } .footer-last-col .footer-link { padding-bottom: 10px; } } /*# sourceMappingURL=styles.css.map */ Ask the Community Groups

Configuring single sign-on (SSO) with Okta - Connect IT Community | Kaseya

For partners subscribed to Enterprise plans.

In this article, you'll learn how to configure SSO on your IT Glue account using Okta.

If you are configuring SSO for MyGlue using Okta, the instructions are the same but you will need to enter different values when configuring Okta and your MyGlue account settings page. Click here to see the different values that you'll need to substitute in at key steps within this KB article.

Prerequisites

You must have Administrator level access to IT Glue to configure SSO on your account.
Ensure your users are provisioned in the identity provider (Okta), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.
Before turning this feature on, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. Alternatively, you can also log in to two separate browsers.

Instructions

Configuring Okta

In Okta, head to the Applications screen and then click Add Application.
Click the Create New App button.
In the modal, select SAML 2.0 and click Create.
Under General Settings, give the application a name and then click Next.
In the Configure SAML settings, fill in the following:
- Single sign on URL - Enter https://subdomain.itglue.com/saml/consume (with your IT Glue subdomain where it says subdomain).
- Audience URI (SP Entity ID) - Enter https://subdomain.itglue.com (with your IT Glue subdomain where it says subdomain).
- Name ID format - EmailAddress
- Application username - Email
Click the Show Advanced Settings link to configure advanced SAML assertion settings. Configure the Signature Algorithm and SAML Issuer ID options as shown in the image below.
Click Next.
Under Feedback, select “I’m an Okta customer adding an internal app”, check “This is an internal app that we have created”, and then click Finish.
On next screen, click View Setup Instructions.
Leave this window open as you configure IT Glue.

Getting the fingerprint

To get the fingerprint, you can use the third-party fingerprint calculator from OneLogin:

Go to https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint.
Paste in the certificate you downloaded further above. To do this, you will need to open the certificate in a text editor to copy the certificate content.
Select sha1 in the Algorithm drop-down menu.
Click the CALCULATE FINGERPRINT button. The fingerprint looks something like:
```
a909502dd82ae41433e6f83886b00d4277a32a7b
```

Configuring IT Glue

After setting up Okta, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Okta to complete this step.

Important. It's highly recommended that before you begin the below set of instructions, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. This is to ensure that you are still logged in to your account in case you are locked out in the other window.

Log in to IT Glue and click Account from the top navigation bar.
Click Settings from the sidebar.
Click on the Authentication tab and then turn the Enable SAML SSO toggle switch to ON. Once this is turned on, a form will appear. You will need to collect information from Okta and enter it into this form.
- Copy the Okta Identity Provider Issuer and paste it into the IT Glue Issuer URL field.
- Copy the Okta Identity Provider Single Sign-On URL and paste it in the IT Glue SAML Login Endpoint URL field.
- Copy the Okta Identity Provider Single Sign-On URL and paste it in the IT Glue SAML Logout Endpoint URL field.
- Copy the fingerprint you created above and paste it into the IT Glue Fingerprint field.
- Copy the certificate and paste it into the IT Glue Certificate field.
  Important. Ensure that there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).
Click Save.
Warning. Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.

Once you make this change, you can test your access.

Configuring MyGlue

If you are setting up SSO for MyGlue, complete all steps as instructed in this article. However, there are a few key steps in which you'll need to substitute in different values:

Complete step 5 in the Configuring Okta section above but use the following values instead:

Single sign on URL - https://app.myglue.com/saml/consume
Audience URI (SP Entity ID) - https://app.myglue.com

Testing SSO authentication

Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.

To make sure SSO is working, perform these steps:

Log out of and close any Okta browser sessions you have open.
In a new browser session, navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This should redirect you to the identity provider.
Enter your SSO credentials.

After entering your credentials, you should be redirected and logged in to IT Glue.

Common Questions

When the SSO server is unavailable, how do we access our accounts?

If your SSO provider's service is unavailable, you can still login using your IT Glue username and password at app.itglue.com.

If your SSO is not working, confirm your provider's service is available. Send us an email for assistance.

How do we disable SSO for a user?

To disable a user account, an Administrator or a Manager will need to navigate to the Account > Users page in IT Glue. We don’t currently support disabling user accounts through the SSO server.