EBS: Tips and Considerations When Using Single Sign-On (SSO) in Everbridge Suite

Topic

Tips and considerations when using Single Sign-On (SSO) in Everbridge Suite.

Description

The purpose of this document is to provide a few simple tips and considerations when configuring Single Sign-On (SSO).

  • SSO User IDs are ALWAYS case sensitive. The way this information is entered in your Identity Provider (IdP) may not be what Users are used to.

  • NameID: The NameID value in a SAML response must match the Everbridge SSO User ID.

  • Single Sign-On URLs (same as ACS URL) are always formatted the same*:

Manager Portal Single Sign-On URL (ACS URL):
https://manager.everbridge.net/saml/SSO/{API_NAME}/alias/defaultAlias
Member Portal Single Sign-On URL (ACS URL):
https://member.everbridge.net/saml/SSO/{API_Name}/{ORG_ID}/alias/defaultAlias

  • Entity ID URLs:

Manager Portal Entity ID:
https://sso.everbridge.net/{API_NAME}
Member Portal Entity ID:
https://sso.everbridge.net/{API_Name}/{ORG_ID}

  • SAML Identity Location: For the SAML Identity Location, Everbridge recommends using the "Identity is in the NameIdentifier element of the Subject statement" option rather than an attribute, because the attribute is typically not what you think it is. For example, you might think it is an e-mail address, but in your Identity Provider, it is something completely different.

  • Entity ID is found in your Everbridge SP metadata.

  • SAML Tracer: Everbridge recommends you use a SAML Tracer (a Chrome extension) to trace your SAML responses when testing your configuration, regardless of how User Login is initiated.

  • User Login: Whether to choose the Service Provider Initiated or the IdP Initiated User Login workflow depends on what your IdP supports (e.g. does it have an actual login page?). Another consideration is what your users would prefer.

  • Break Glass: Once SSO is configured, users can still register to create an Everbridge Username and Password for login in the event you experience an internal issue with your SSO. This is referred to as a "Break Glass" procedure.

  • ADFS Configuration: When using ADFS for SSO, ensure that the email attribute used for the SAML identity is in all lowercase on the ADFS side. This should match the email used for the SSO user ID on the Everbridge side. If you encounter an 'Unauthorized Access' error, create a transformation in ADFS to set the value for the Attribute named Email to be all lowercase.
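
The NameID, ACS URL and Entity ID tips above can be checked against a response copied out of SAML Tracer during a test login. The Python below is an added example, not Everbridge code; `check_saml_response`, the `EXAMPLE_API` value and the sample response are constructed for illustration, and comparing `Destination` and `Audience` reflects standard SAML usage rather than anything this article states.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned response as it might be copied from a
# tracer. EXAMPLE_API stands in for {API_NAME}; the user is made up.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://manager.everbridge.net/saml/SSO/EXAMPLE_API/alias/defaultAlias">
  <saml:Assertion>
    <saml:Subject><saml:NameID>Jane.Doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sso.everbridge.net/EXAMPLE_API</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, sso_user_id, acs_url, entity_id):
    """Return a list of findings; an empty list means every check passed."""
    # Only feed this XML from your own test login: the stdlib parser is not
    # hardened against hostile documents.
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    if name_id is None:
        findings.append("no NameID in the Subject statement")
    elif name_id != sso_user_id:  # exact, case-sensitive comparison
        if name_id.strip().lower() == sso_user_id.lower():
            findings.append(f"NameID {name_id!r} differs from SSO User ID "
                            f"{sso_user_id!r} only by case or whitespace")
        else:
            findings.append(f"NameID {name_id!r} does not match {sso_user_id!r}")
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"Entity ID not among Audience values {audiences}")
    return findings

if __name__ == "__main__":
    acs = "https://manager.everbridge.net/saml/SSO/EXAMPLE_API/alias/defaultAlias"
    for finding in check_saml_response(SAMPLE, "jane.doe@example.com", acs,
                                       "https://sso.everbridge.net/EXAMPLE_API"):
        print("FINDING:", finding)
```

A "differs only by case" finding is the situation the ADFS tip describes, where the IdP sends a mixed-case e-mail address and the Everbridge SSO User ID is lowercase.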
