Configuring single sign-on (SSO) with Okta - Connect IT Community | Kaseya
<main> <article class="userContent"> <p> </p> <p>In this article, you'll learn how to configure SSO on your IT Glue account using Okta.</p> <div> <p>If you are configuring SSO for MyGlue using Okta, the instructions are the same but you will need to enter different values when configuring Okta and your MyGlue account settings page. Click <a rel="nofollow" href="#myglue">here</a> to see the different values that you'll need to substitute in at key steps within this KB article.</p> </div> <p>Prerequisites</p> <ul><li>You must have Administrator level access to IT Glue to configure SSO on your account.</li> <li>Ensure your users are provisioned in the identity provider (Okta), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.</li> <li>Before turning this feature on, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. 
Alternatively, you can also log in to two separate browsers.</li> </ul><p>Instructions </p> <h3 data-id="configuring-okta">Configuring Okta</h3> <ol><li>In Okta, head to the <strong>Applications</strong> screen and then click <strong>Add Application</strong>.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/3T5F9TG21MQN/okta-add-application.png" alt="Okta_Add_Application.png" class="embedImage-img importedEmbed-img"></img></li> <li>Click the <strong>Create New App</strong> button.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/8MZLN1FBXWJW/okta-create-new-app.png" alt="Okta_Create_New_App.png" class="embedImage-img importedEmbed-img"></img></li> <li>In the modal, select <strong>SAML 2.0</strong> and click <strong>Create</strong>.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/4S120VZY30P3/okta-create-new-integration.png" alt="Okta_Create_New_Integration.png" class="embedImage-img importedEmbed-img"></img></li> <li>Under <strong>General Settings</strong>, give the application a name and then click <strong>Next</strong>.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/4UZWJY8WDP4X/okta-general-settings.png" alt="Okta_General_Settings.png" class="embedImage-img importedEmbed-img"></img></li> <li>In the <strong>Configure SAML</strong> settings, fill in the following:<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/VQHQ8E4SQLRO/okta-configure-saml.png" alt="Okta_Configure_SAML.png" class="embedImage-img importedEmbed-img"></img><br><br><ul><li> <strong>Single sign on URL </strong>-<strong> </strong>Enter <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com%2Fsaml%2Fconsume">https://subdomain.itglue.com/saml/consume</a></em> (with your IT Glue subdomain where it says <em>subdomain</em>).</li> <li> <strong>Audience URI (SP Entity ID) </strong>- Enter <em><a 
href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com">https://subdomain.itglue.com</a></em> (with your IT Glue subdomain where it says <em>subdomain</em>).</li> <li> <strong>Name ID format </strong>- EmailAddress</li> <li> <strong>Application username </strong>- Email</li> </ul></li> <li>Click the <strong>Show Advanced Settings</strong> link to configure advanced SAML assertion settings. Configure the <strong>Signature Algorithm</strong> and <strong>SAML Issuer ID</strong> options as shown in the image below.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/BLU7Z43QN56V/okta-advanced-settings.png" alt="Okta_Advanced_Settings.png" class="embedImage-img importedEmbed-img"></img></li> <li>Click <strong>Next</strong>.</li> <li>Under <strong>Feedback</strong>, select “I’m an Okta customer adding an internal app”, check “This is an internal app that we have created”, and then click <strong>Finish</strong>.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/TSQOIBDO6B0Q/okta-feedback.png" alt="Okta_Feedback.png" class="embedImage-img importedEmbed-img"></img></li> <li>On the next screen, click <strong>View Setup Instructions</strong>.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/9QD015WV1FLC/okta-view-setup-instructions.png" alt="Okta_View_Setup_Instructions.png" class="embedImage-img importedEmbed-img"></img></li> <li>Leave this window open as you configure IT Glue.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/BRPB8M65V6F3/okta-how-to-configure.png" alt="Okta_How_to_Configure.png" class="embedImage-img importedEmbed-img"></img></li> </ol><h3 data-id="getting-the-fingerprint">Getting the fingerprint</h3> <p>To get the fingerprint, you can use the third-party fingerprint calculator from OneLogin:</p> <ol><li>Go to <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdevelopers.onelogin.com%2Fsaml%2Fonline-tools%2Fx509-certs%2Fcalculate-fingerprint" rel="noopener noreferrer 
nofollow">https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint</a>.</li> <li>Paste in the certificate you downloaded further above. To do this, you will need to open the certificate in a text editor to copy the certificate content.</li> <li>Select <strong>sha1</strong> in the <strong>Algorithm</strong> drop-down menu.</li> <li>Click the <strong>CALCULATE FINGERPRINT</strong> button. The fingerprint looks something like: <div> <pre class="code codeBlock" spellcheck="false" tabindex="0">a909502dd82ae41433e6f83886b00d4277a32a7b</pre> </div> </li> </ol><h3 data-id="configuring-it-glue">Configuring IT Glue</h3> <p>After setting up Okta, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Okta to complete this step.</p> <div> <strong>Important. </strong>Before you begin the instructions below, it's highly recommended that you log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. This is to ensure that you are still logged in to your account in case you are locked out in the other window. </div> <ol><li>Log in to IT Glue and click <strong>Account</strong> from the top navigation bar.</li> <li>Click <strong>Settings</strong> from the sidebar.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/UWBRPMMAHCM0/account-settings-it-glue-copy.png" alt="Account_Settings___IT_Glue_copy.png" class="embedImage-img importedEmbed-img"></img></li> <li>Click on the <strong>Authentication</strong> tab and then turn the <strong>Enable SAML SSO</strong> toggle switch to <strong>ON</strong>. Once this is turned on, a form will appear. You will need to collect information from Okta and enter it into this form. 
<p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/7IAERGUBNMRM/untitled-2-copy.png" alt="Untitled-2_copy.png" class="embedImage-img importedEmbed-img"></img></p> <ul><li type="a">Copy the <strong>Okta Identity Provider Issuer</strong> and paste it into the <strong>IT Glue Issuer URL</strong> field.</li> <li type="a">Copy the <strong>Okta Identity Provider Single Sign-On URL</strong> and paste it in the <strong>IT Glue SAML Login Endpoint URL</strong> field.</li> <li type="a">Copy the <strong>Okta Identity Provider Single Sign-On URL</strong> and paste it in the <strong>IT Glue SAML Logout Endpoint URL</strong> field.</li> <li type="a">Copy the fingerprint you created above and paste it into the <strong>IT Glue Fingerprint</strong> field.</li> <li type="a">Copy the certificate and paste it into the <strong>IT Glue Certificate</strong> field. <div> <strong>Important.</strong> Ensure that there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).</div> </li> </ul></li> <li>Click <strong>Save</strong>. <div> <strong>Warning.</strong> Click Save only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.</div> </li> </ol><p>Once you make this change, you can test your access.</p> <p><a name="myglue" id="myglue"></a></p> <div> <h3 data-id="configuring-myglue">Configuring MyGlue</h3> <p>If you are <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360007592878-Setting-up-single-sign-on-SSO-to-MyGlue" rel="noopener nofollow">setting up SSO for MyGlue</a>, complete <em><strong>all</strong></em> steps as instructed in this article. 
However, there are a few key steps in which you'll need to substitute in different values:</p> <p>Complete step 5 in the <em>Configuring Okta </em>section above but use the following values instead:</p> <ul><li> <strong>Single sign on URL </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com%2Fsaml%2Fconsume">https://app.myglue.com/saml/consume</a></li> <li> <strong>Audience URI (SP Entity ID) </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com">https://app.myglue.com</a></li> </ul></div> <h3 data-id="testing-sso-authentication">Testing SSO authentication</h3> <p>Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.</p> <p>To make sure SSO is working, perform these steps:</p> <ol><li>Log out of and close any Okta browser sessions you have open.</li> <li>In a new browser session, navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This should redirect you to the identity provider.</li> <li>Enter your SSO credentials.</li> </ol><p>After entering your credentials, you should be redirected and logged in to IT Glue.</p> <p>Common Questions</p> <div> <div> <div> <p><strong>When the SSO server is unavailable, how do we access our accounts? </strong></p> </div> <div> <p>If your SSO provider's service is unavailable, you can still log in using your IT Glue username and password at <em>app.itglue.com</em>.</p> <p>If your SSO is not working, confirm your provider's service is available. Send us an <a rel="nofollow" href="mailto:support@itglue.com">email</a> for assistance.</p> </div> </div> <div> <div> <p><strong>How do we disable SSO for a user? 
</strong></p> </div> <div> <p>To disable a user account, an Administrator or a Manager will need to navigate to the <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360004938478">Account > Users</a> page in IT Glue. We don’t currently support disabling user accounts through the SSO server.</p> </div> </div> </div> </article> </main>
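<p>An added example, not part of the original article and not IT Glue or Okta code: the value produced in <em>Getting the fingerprint</em> is the digest of the certificate's DER bytes, so it can also be computed locally, and the same routine can re-emit the certificate with nothing after -----END CERTIFICATE----- as the note in <em>Configuring IT Glue</em> requires. The function names are hypothetical and the sample input is constructed placeholder bytes, not a real certificate.</p>

```python
import base64
import hashlib
import re

# Matches the first PEM certificate block, whatever surrounds it.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes from the first CERTIFICATE block in pem_text."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop newlines and stray spaces
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text: str, algorithm: str = "sha1") -> str:
    """Lowercase hex digest of the DER bytes, without colons."""
    return hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest()


def normalize_pem(pem_text: str) -> str:
    """Re-emit the certificate with 64-character lines and no trailing text."""
    body = base64.b64encode(pem_to_der(pem_text)).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    )


# Constructed placeholder bytes standing in for a certificate's DER encoding.
SAMPLE_DER = bytes(range(256)) * 3
# Constructed PEM text with trailing spaces and blank lines after the END marker.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----   \n\n"
)

if __name__ == "__main__":
    print("sha1  :", fingerprint(SAMPLE_PEM))
    print("sha256:", fingerprint(SAMPLE_PEM, "sha256"))
    print(normalize_pem(SAMPLE_PEM))
```

<p>To use it on a real certificate, read the file's text and pass it to <code>fingerprint()</code>; the sha1 result has the same 40-character form as the example fingerprint shown in the article.</p>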