Ask the Community
Groups
Configuring single sign-on (SSO) for Duo - Connect IT Community | Kaseya
<main> <article class="userContent"> <p> </p> <p>In this article, you'll learn how to configure SSO on your IT Glue account using Duo.</p> <div> <p>If you are configuring SSO for MyGlue using Duo, the instructions are the same but you will need to enter different values when configuring Duo and your MyGlue account settings page. Click <a rel="nofollow" href="#myglue">here</a> to see the different values that you'll need to substitute in at key steps within this KB article.</p> </div> <p>Prerequisites</p> <ul><li>You must have Administrator level access to IT Glue to configure SSO on your account.</li> <li>Ensure your users are provisioned in the identity provider (Duo), with exactly the same email address as their IT Glue account. We don’t create user accounts under SSO.</li> <li>Before turning this feature on, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. This is to ensure that you are still logged in to your account if you get locked out in the other window. Alternatively, you can also log in to two separate browsers.</li> </ul><p>Instructions</p> <h3 data-id="configuring-duo">Configuring Duo</h3> <ol><li>Log onto the <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fadmin.duosecurity.com%2Flogin%3Fnext%3D%252F">Duo Admin Panel</a> and navigate to <strong>Applications </strong>> <strong>Protect an Application</strong> in the left-hand menu.</li> <li>Type <em>service provider</em> in the search field and click <strong>Protect the Application</strong> in the search return. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/VROXQ1KN1IZ3/protect-an-application-applications-it-glue-test-duo.png" alt="Protect_an_Application_-_Applications_-_IT_Glue_Test_-_Duo.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>In the <strong>Service Provider</strong> section of the configuration page, enter the following information:</li> </ol><ul><li> <strong>Service Provider Name</strong> - IT Glue</li> <li> <strong>Entity ID </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com">https://subdomain.itglue.com</a></li> <li> <strong>Assertion Consumer Service </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsubdomain.itglue.com%2Fsaml%2Fconsume">https://subdomain.itglue.com/saml/consume</a> <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/3P4GN01AR01Q/saml-service-provider-applications-it-glue-test-duo.png" alt="SAML_-_Service_Provider_-_Applications_-_IT_Glue_Test_-_Duo.png" class="embedImage-img importedEmbed-img"></img></p> </li> </ul> In the <strong>SAML Response</strong> section, use the settings shown below: <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/OZUSLZDTSGPE/generic-saml-2x-2.png" alt="generic-saml_2x-2.png" class="embedImage-img importedEmbed-img"></img></p> Save the application and click on <strong>Download your configuration file</strong>. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/8WWWX8P9E67U/saml-service-provider-applications-it-glue-test-duo.png" alt="SAML_-_Service_Provider_-_Applications_-_IT_Glue_Test_-_Duo.png" class="embedImage-img importedEmbed-img"></img></p> Navigate to the Duo Access Gateway server's console and click the <strong>Configure</strong> icon in the <strong>Duo Access Gateway</strong> application group. Click <strong>Applications</strong> and then on <strong>Choose File</strong> in the <strong>Add Applications</strong> section. Locate and upload the SAML application JSON file you downloaded in step 5. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/CA8W5ZIXBD9C/duo-access-gateway-generic-saml-service-provider-duo-security.png" alt="Duo_Access_Gateway_-_Generic_SAML_Service_Provider___Duo_Security.png" class="embedImage-img importedEmbed-img"></img></p> Navigate back to the Duo Access Gateway page admin console's <strong>Applications</strong> page. You will need the information in the <strong>Metadata</strong> section in the next part of this KB article. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/L5I8R3D8GYHY/duo-access-gateway-generic-saml-service-provider-duo-security-2.png" alt="Duo_Access_Gateway_-_Generic_SAML_Service_Provider___Duo_Security-2.png" class="embedImage-img importedEmbed-img"></img></p> <h3 data-id="configuring-it-glue">Configuring IT Glue</h3> <p>After setting up Duo, you need to configure your IT Glue account to authenticate using SAML. You will need a few pieces of information from Duo to complete the next step.</p> <div> <strong>Important.</strong> It's highly recommended that before you begin the below set of instructions, log in to your IT Glue account twice - once in a regular browser and once in an incognito/private window. Alternatively, you can also log in to two separate browsers. This is to ensure that you are still logged in to your account in case you are locked out in the other window.</div> <ol><li>Log in to IT Glue and click <strong>Account</strong> in the top navigation bar.</li> <li>Click <strong>Settings</strong> from the sidebar. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/OU39VVQB2S8L/account-settings-it-glue-copy.png" alt="Account_Settings___IT_Glue_copy.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Click on the <strong>Authentication</strong> tab and then turn the <strong>Enable SAML SSO</strong> toggle switch to <strong>ON</strong>. Once this is turned on, a form will appear. you will need to collect information from Duo and enter it into this form. <p><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/BGCYKQMGG9AL/untitled-2-copy.png" alt="Untitled-2_copy.png" class="embedImage-img importedEmbed-img"></img></p> <ul><li type="a">Copy the <strong>Duo Entity ID</strong> and paste it into the <strong>IT Glue Issuer URL</strong> field.</li> <li type="a">Copy the <strong>Duo Login URL</strong> and paste it into the <strong>IT Glue SAML Login Endpoint URL</strong> field.</li> <li type="a">Copy the <strong>Duo Logout URL</strong> and paste it into the <strong>IT Glue SAML Logout Endpoint URL</strong> field.</li> <li type="a">Copy the <strong>Duo SHA-1 Fingerprint</strong> and paste it into the <strong>IT Glue Fingerprint</strong> field.</li> <li type="a">Download the <strong>Duo certificate</strong> and paste it into the <strong>IT Glue Certificate</strong> field. <div> <strong>Important. </strong>Ensure there are no extra spaces trailing at the end of the Certificate string (i.e. after -----END CERTIFICATE-----).</div> </li> </ul></li> <li>Click <strong>Save</strong> to complete the setup of your account. <div> <strong>Warning.</strong> Click <strong>Save</strong> only when all information has been entered. If you turn on SSO before the information is entered, it will break the login experience for all users on your account.</div> </li> </ol><p>Once you make this change, you can test your account.</p> <p><a name="myglue" id="myglue"></a></p> <div> <h3 data-id="configuring-myglue">Configuring MyGlue</h3> <p>If you are <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360007592878-Setting-up-single-sign-on-SSO-to-MyGlue" rel="noopener nofollow">setting up SSO for MyGlue</a>, complete <em><strong>all</strong></em> steps as instructed in this article. However, there are a few key steps in which you'll need to substitute in different values:</p> <p>Complete step 3 in the <em>Configuring Duo<strong> </strong></em>section above but use the following values instead:</p> <ul><li> <strong>Service Provider Name </strong>- MyGlue</li> <li> <strong>Entity ID</strong> - <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com">https://app.myglue.com</a></li> <li> <strong>Assertion Consumer Service </strong>- <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fapp.myglue.com%2Fsaml%2Fconsume">https://app.myglue.com/saml/consume</a></li> </ul></div> <div> <div> <p><strong>How do we disable SSO for a user? </strong></p> </div> <div> <p>To disable a user account, an Administrator or a Manager will need to navigate to the <strong><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fitglue%2Fhc%2Fen-us%2Farticles%2F360004938478">Account > Users</a></strong> page in IT Glue. We don’t currently support disabling user accounts through the SSO server.</p> </div> </div> </article> </main>