Ask the Community
Groups
Configuring single sign-on (SSO) with OneLogin - Connect IT Community | Kaseya
<main> <article class="userContent"> <p> </p> <p>In this article, you'll learn how to configure SSO on your IT Glue account using OneLogin. For instructions on how to configure SSO for MyGlue using OneLogin, refer to the blue info</p> <div> <p>If you are configuring SSO for MyGlue using OneLogin, the instructions are the same but you will need to enter different values when configuring OneLogin and your MyGlue account settings page. Click <a rel="nofollow" href="#myglue">here</a> to see the different values that you'll need to substitute in at key steps within this KB article.</p> </div> <div> <strong>Note:</strong> These instructions refer to OneLogin but you can use any SSO provider that supports SAML 2.0 or configure your own solution. For more information, refer to our main <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360004934017">SAML topic</a>.</div> <p>Prerequisites</p> <ul><li>You must have Administrator level access to IT Glue to configure SSO on your account.</li> <li>Ensure your users are provisioned in the identity provider (OneLogin), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.</li> <li>Before turning this feature on, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. Alternatively, you can also log in to two separate browsers.</li> </ul><p>Instructions </p> <h3 data-id="configuring-onelogin">Configuring OneLogin</h3> <p>OneLogin for IT Glue works the way it does for other sites and apps. In other words, a user logs in once to have automatic access to IT Glue and many other applications such as email, your CRM, and so on without having to log in separately to those services.</p> <ol><li>In the admin portal for <strong>OneLogin</strong>, navigate to <strong>Applications > Applications</strong> and then search for and select <strong>IT Glue</strong>.</li> <li>Click <strong>Save</strong> to add the app to your <strong>Company Apps</strong> and display additional configuration tabs.</li> <li>In the <strong>Configuration</strong> tab, enter your IT Glue subdomain in the field provided. For example, if your IT Glue account URL is <em>"mycompany.itglue.com"</em>, then you would enter <em>mycompany</em>. If you have an EU-hosted IT Glue account, then you would enter <em>mycompany.eu </em>in the field. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/02NR7NWBMHN2/knowledge-base-customer-support-3.png" alt="Knowledge_Base_-_Customer_Support-3.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>On the <strong>SSO</strong> tab, select <strong>SHA-265</strong> in the <strong>SAML Signature Algorithm</strong> drop-down menu. Then, copy the three URLs (Issuer, SAML 2.0 Endpoint, SLO Endpoint) that are displayed on this screen using their respective Copy to Clipboard buttons. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/397BUP9GVKHU/onelogin.png" alt="OneLogin.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click the <strong>View Details</strong> link under the <strong>X.509 Certificate</strong>. Ensure the <strong>SHA fingerprint</strong> drop-down is set to <strong>SHA1 </strong>before clicking the Copy to Clipboard button. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/ALOROJVOOCET/screenshot-2021-02-10-4-25-pm.png" alt="Screenshot_2021-02-10__4_25_PM.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Scroll down to the <strong>X.509 Certificate</strong> section and click the Copy to Clipboard button to copy the entire certificate, including the <em>Begin Certificate</em> and <em>End Certificate </em>text. <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/SUK3SF6605YX/itglue-x509-2.png" alt="itglue-x509-2.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Finally, on the <strong>Access</strong> tab, assign the application to a user role that will allow users to access IT Glue.</li> </ol><h3 data-id="configuring-it-glue">Configuring IT Glue</h3> <p>After setting up OneLogin, you will need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from OneLogin to complete this step.</p> <div> <strong>Important.</strong> It's highly recommended that before you begin the below set of instructions, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. This is to ensure that you are still logged in to your account in case you are locked out in the other window.</div> <ol><li>Log in to IT Glue and navigate to <strong>Account > Settings > Authentication</strong> tab. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/C6JN0CCM6QSR/account-settings-it-glue.png" alt="Account_Settings___IT_Glue.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click to turn the <strong>Enable SAML SSO</strong> toggle switch to <strong>ON</strong>. Once this is turned on, a form will appear. You will need to enter the information you collected from OneLogin in the section above into this form. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/3L8ZIYBKCAXW/untitled-2-copy.png" alt="Untitled-2_copy.png" class="embedImage-img importedEmbed-img"></img></p> <ol type="a"><li> <p>Copy the <strong>OneLogin Issuer URL</strong> and paste it into the <strong>IT Glue Issuer URL</strong> field.</p> </li> <li> <p>Copy the <strong>OneLogin SAML 2.0 Endpoint URL</strong> and paste it in the <strong>IT Glue SAML Login Endpoint URL</strong> field.</p> </li> <li> <p>Copy the <strong>OneLogin SLO Endpoint URL</strong> and paste it in the <strong>IT Glue SAML Logout Endpoint URL</strong> field.</p> </li> <li> <p>Copy the <strong>SHA-1 fingerprint</strong> you created above and paste it into the <strong>IT Glue Fingerprint</strong> field.</p> </li> <li> <p>Copy the <strong>X.509 certificate</strong> and paste it into the <strong>IT Glue Certificate</strong> field.</p> <div> <strong>Important. </strong>Ensure there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----). </div> </li> </ol></li> <li>Click <strong>Save</strong>. <div> <strong>Warning.</strong> Click <strong>Save</strong> only when all information has been entered. If you turn on SSO prematurely, it will break the login experience for all users on your account.</div> </li> </ol><p>Once you make this change, you can test your access.</p> <p><a name="myglue" id="myglue"></a></p> <div> <h3 data-id="configuring-myglue">Configuring MyGlue</h3> <p>If you are <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360007592878-Setting-up-single-sign-on-SSO-to-MyGlue" rel="noopener nofollow">setting up SSO for MyGlue</a>, complete <em><strong>all</strong></em> steps as instructed in this article. However, there are a few key steps in which you'll need to substitute in different values:</p> <p>Complete step 3 in the <em>Configuring OneLogin</em> section above but use the following values instead:</p> <ul><li>In the <strong>Configuration</strong> tab, enter <em><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com">https://app.myglue.com</a></em> </li> </ul></div> <h3 data-id="testing-sso-authentication">Testing SSO authentication</h3> <p>Before you configured SSO, you should have created two IT Glue browser sessions. If you get locked out, you will be able to use the incognito/private window to turn off SSO while you investigate the cause.</p> <p>To make sure SSO is working, perform these steps:</p> <ol><li>Log out of and close any OneLogin browser sessions you have open.</li> <li>In a new browser session, navigate to your IT Glue account subdomain (mycompany.itglue.com) directly. This should redirect you to the identity provider.</li> <li>Enter your SSO credentials. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/J8GI3UNXEW0K/screen-shot-2016-06-27-at-10-09-52-am.png" alt="" class="embedImage-img importedEmbed-img"></img></p> </li> </ol><p>After entering your credentials, you should be redirected and logged into IT Glue.</p> <h3 data-id="troubleshooting-an-email-mismatch">Troubleshooting an email mismatch</h3> <p>If you have been using OneLogin for some time, your IT Glue account admin email may not match your OneLogin admin email. This can be remedied by doing the following:</p> <ol><li>In OneLogin, go to <strong>Users > Account_Owner</strong>.</li> <li>Select the <strong>Applications</strong> tab.</li> <li>Select IT Glue to open the <strong>Edit Login</strong> pane.</li> </ol><p>Here you can overwrite the default fields for your IT Glue login and insert the correct information to match your OneLogin credentials with your IT Glue credentials.</p> <p>Common Questions</p> <div> <div> <div> <p><strong>When the SSO server is unavailable, how do we access our accounts? </strong></p> </div> <div> <p>If your SSO provider's service is unavailable, you can still login using your IT Glue username and password at <em>app.itglue.com</em>.</p> <p>If your SSO is not working, confirm your provider's service is available. Send us an <a rel="nofollow" href="mailto:support@itglue.com">email</a> for assistance.</p> </div> </div> <div> <div> <p><strong>How do we disable SSO for a user? </strong></p> </div> <div> <p>To disable a user account, an Administrator or a Manager will need to navigate to the <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360004938478">Account > Users</a> page in IT Glue. We don’t currently support disabling user accounts through the SSO server.</p> </div> </div> </div> </article> </main>