Topic:

Tips and considerations when using Single Sign-On (SSO) in Everbridge Suite.

Description:

The purpose of this document is to provide a few simple tips and considerations when configuring Single Sign-On (SSO).

• SSO User IDs are ALWAYS case sensitive.  How this information is entered in your IdP Provider may not be what Users are used to.
• NameID: The NameID value in a SAML response must match the Everbridge SSO User ID.
• Single Sign-On URLs (same as ACS URL) are always formatted the same*:

Manager Portal Single Sign-On URL (ACS URL):
https://manager.everbridge.net/saml/SSO/{API_NAME}/alias/defaultAlias
Member Portal Single Sign-On URL (ACS URL):
https://member.everbridge.net/saml/SSO/{API_Name}/{ORG_ID}/alias/defaultAlias

• Entity ID URLs: 

Manager Portal Entity ID:
https://sso.everbridge.net/{API_NAME}
Member Portal Entity ID:
https://sso.everbridge.net/{API_Name}/{ORG_ID}

• SAML Identity Location: For the SAML Identity Location Everbridge recommends using the "Identity is in the Nameldentifier element of the Subject statement" option as opposed to an attribute as the attribute is typically not what you think it is.  For example, you might think it is an e-mail address, but in your Identity Provider, it is something completely different.
• Entity ID is found in your Everbridge SP metadata.
• SAML Tracer: Everbridge recommends you use a SAML Tracer (a Chrome extension) to trace your SAML responses when testing your configuration, regardless of how User Login is initiated.
• User Login: In determining which User Login workflow to choose, Service Provider Initiated or IdP Initiated, it is dependent on what your IdP Provider supports (e.g. does it have an actual login page?).  Another consideration is what your users would prefer.
• Break Glass: Once SSO is configured, users can still register to create an Everbridge Username and Password for login in the event you experience an internal issue with your SSO.  This is referred to as a “Break Glass” procedure.