IT Glue

NOTE: IT Glue appears to accept SHA-1 X.509 certificate fingerprints. Please be aware of this. If SSO fails and the error displayed in IT Glue reads "Invalid Signature on SAML Response", follow these steps to fix it.

  1. Navigate to https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint.
  2. Open the downloaded certificate in a text editor to copy the content, then paste it into the textbox of the above link. Select SHA-1 in the Algorithm drop-down menu.
  3. Click the CALCULATE FINGERPRINT button.
  4. Copy this output to your Account > Authentication > Fingerprint field.
  5. Save Changes.
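The value IT Glue wants in the Fingerprint field is the SHA-1 digest of the certificate's DER bytes (the base64 body between the BEGIN/END lines), so it can be recalculated locally without pasting the certificate into the web tool above. The script below is an added example, not code from IT Glue, Evo or OneLogin; `SAMPLE_PEM` is a constructed stand-in that wraps the bytes `abc` rather than a real certificate, and `fingerprint_matches` is the check to run when the Fingerprint and Certificate fields in IT Glue may have drifted apart (for instance after the identity provider rotated its signing certificate).

```python
import base64
import hashlib
import re

# Constructed sample: a PEM wrapper around base64("abc"). It is NOT a real
# certificate; it only exercises the parsing and hashing, which behave the
# same way on a real IdP signing certificate exported as a .crt file.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first PEM certificate block and base64-decode it to DER.

    Raises ValueError when the BEGIN/END markers are missing, which is the
    usual result of copying only part of the .crt file into IT Glue.
    """
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no -----BEGIN/END CERTIFICATE----- block found")
    body = re.sub(r"\s+", "", match.group(1))  # drop CRLF/LF and indentation
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Return the fingerprint as colon-separated upper-case hex, the format
    the OneLogin calculator and most identity providers display."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Reduce any pasted fingerprint (colons, spaces, lower-case) to bare hex
    so two renderings of the same digest compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprint_matches(pem: str, pasted_fingerprint: str) -> bool:
    """True when the Fingerprint field holds the SHA-1 fingerprint of the
    certificate in the Certificate field; False means IT Glue will reject
    the IdP signature even though the certificate itself is fine."""
    expected = normalize(fingerprint(pem_to_der(pem)))
    return expected == normalize(pasted_fingerprint)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-1   :", fingerprint(der))
    print("SHA-256 :", fingerprint(der, "sha256"))
```

Run it against the exported .crt instead of `SAMPLE_PEM` and compare the SHA-1 line with the value currently saved under Account > Authentication > Fingerprint; a mismatch is the condition the note above describes.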



1. Getting Started

We first need to gather the information required to set up Evo as the SSO identity provider. Because IT Glue uses an older, more manual SAML integration, this information has to be collected differently than with most applications. Follow these steps to gather the required SAML information:

  1. Log into your Evo Account
  2. Select your Tenant > Integrations
  3. Select the generic SAML Web App
  4. You will be shown the information needed


After gathering the SSO information in Evo, return to your IT Glue environment (yourenvironment.itglue.com), navigate to Account > Settings > Authentication, enable SAML SSO, and paste the following identity provider data into IT Glue.

NOTE: Be sure you have the user(s) created in both IT Glue and Evo before configuring SSO, as it will not work with non-existent users.

  • Issuer URL - The URL that uniquely identifies your SAML identity provider. Also called: Issuer, Identity Provider, Entity ID, IdP, IdP Metadata URL.
    • By default, this is the same as the Sign-In URL
    • It can also be found in the Metadata
  • SAML Login Endpoint URL - The SAML login endpoint URL of the SAML server. IT Glue redirects to this URL for SSO if a session isn't already established. Also called: Sign-on URL, Remote login URL, SSO URL, SSO Endpoint, SAML 2.0 URL, Identity Provider Sign-in URL, IdP Login URL, Single Sign-On Service URL.
  • SAML Logout Endpoint URL - A URL where IT Glue can redirect users after they sign out of IT Glue. Also called: SLO Endpoint, SAML Logout URL, Trusted URL, Identity Provider Sign-out URL, Single Sign-Out Service URL.
  • Fingerprint - The appropriate value based on the information provided by your identity provider. Also called: Thumbprint.
  • Certificate - The authentication certificate issued by your identity provider (a base-64 encoded X.509 certificate). Be sure to include the entire certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Also called: Public Certificate, X.509 Certificate.
    • The certificate is delivered as a .crt file, so to copy/paste it you'll need to open it in a text editor. Some free ones are Typora or Atom. Be sure to copy/paste the entire thing.
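Several of the names listed above (Issuer URL / Entity ID, the login and logout endpoints, the certificate) are simply the fields of the identity provider's SAML 2.0 metadata document, which is why the bullets say they "can also be found in the Metadata". The script below is an added example, not code from IT Glue or Evo; it pulls those fields out of standard IdP metadata and maps them to IT Glue's field names, wrapping the bare base64 from the metadata in the BEGIN/END lines IT Glue requires. `SAMPLE_METADATA` is constructed, with placeholder `idp.example.test` URLs and a placeholder certificate body; a real Evo tenant's metadata would be used in its place. The Fingerprint field is not produced here because it is derived from the certificate rather than read from metadata.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata. URLs and the certificate body are
# placeholders, not values from a real Evo tenant.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _service_url(idp: ET.Element, service: str) -> Optional[str]:
    """Location of a SingleSignOnService/SingleLogoutService element,
    preferring HTTP-Redirect (IT Glue redirects the browser) over HTTP-POST."""
    for binding in (REDIRECT, POST):
        for el in idp.findall(f"md:{service}", NS):
            if el.get("Binding") == binding:
                return el.get("Location")
    return None


def _signing_cert_b64(idp: ET.Element) -> Optional[str]:
    """Base64 body of the signing certificate, whitespace removed.
    A KeyDescriptor without a 'use' attribute serves both signing and
    encryption, so it is accepted; use="encryption" is skipped."""
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            return "".join(cert.text.split())
    return None


def to_pem(b64_body: str) -> str:
    """Wrap bare base64 in the BEGIN/END lines IT Glue requires, 64 chars
    per line as in a .crt file."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def extract_itglue_fields(metadata_xml: str) -> Dict[str, Optional[str]]:
    """Map IdP metadata to the IT Glue Authentication fields by name."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (what IT Glue itself would publish) has no IDPSSODescriptor.
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    cert_b64 = _signing_cert_b64(idp)
    return {
        "Issuer URL": root.get("entityID"),
        "SAML Login Endpoint URL": _service_url(idp, "SingleSignOnService"),
        "SAML Logout Endpoint URL": _service_url(idp, "SingleLogoutService"),
        "Certificate": to_pem(cert_b64) if cert_b64 else None,
    }


if __name__ == "__main__":
    for name, value in extract_itglue_fields(SAMPLE_METADATA).items():
        print(f"{name}:\n{value}\n")
```

The bullets note that the Issuer URL is often the same as the Sign-In URL; in this sample they differ, which is why the script reads `entityID` from the root element rather than reusing the login endpoint.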


Once this is complete, hit save to save these changes.


2. Testing the SSO

Now we will test to make sure this works. If it fails, do not worry: IT Glue will still allow you to sign in with your IT Glue credentials and will display an error message describing what went wrong, which helps debug the Evo SSO.

  1. In a new browser window, head to your IT Glue environment (yourenvironment.itglue.com).
  2. You should now be prompted to enter your Evo Security credentials.
  3. Upon successfully entering your credentials, you'll be redirected back to IT Glue and signed in!


If these steps do not work, there are two additional settings you may need to enable for this to complete successfully.

There’s a new portion that has been added to the ITGlue authentication page and it may be tied into how our authentication works through EVO. I’ll break it into two sections:

  1. Before the ITGlue integration allowed me to do anything or make any changes on my ITGlue test account, I needed to enable MFA for my personal user. You may need to do the same on your account. This can be found under My Account > My Settings. I’ve attached a screenshot. *NOTE* - The Evo Mobile App does not accept this token. But for now, you can use any other like Google Authenticator.

  2. The next option we must select is under Account > Authentication. It’s the new “Require MFA for access to this account” checkbox. Make sure that is enabled. I’ve attached a screenshot.