Updating the Everbridge Single Sign-On (SSO) Certificate FAQ

This guide provides the answers to frequently asked questions regarding updating the Everbridge Single Sign-On (SSO) certificate for the Manager Portal, Member Portal, Visual Command Center (VCC), ManageBridge, and Everbridge Mobile App.

What do I need to have prepared to update my account's SSO certificate?

Before you begin updating your account's SSO certificate, please ensure that you have done all the following.

1. Consult an IT specialist who is familiar with your IDP configuration.
2. If you are able, prepare your own break-glass credentials for Everbridge Suite (a username and password that are independent of your SSO login).
3. Communicate to all your users and contacts who use SSO that Everbridge will undergo downtime for maintenance in the time period you have decided to update your account's SSO certificate.

What is an SSO certificate?

Service providers (such as Everbridge) are required to offer SSO certificates so that IDPs (such as OneLogin, Microsoft Entra ID, Okta, etc.) can validate that their identity information is coming from a trusted source. These certificates may be included in security assertion mark-up language (SAML) metadata files, which are used to share key information with service providers.

How can I apply Everbridge's new SSO certificate in my Everbridge account?

Everbridge will provide a configuration workflow in your Everbridge Manager Portal account settings to apply the new SSO certificate. This will affect both users logging in to the Manager Portal, Visual Command Center (VCC), or the ManageBridge app and any contacts logging in to the Member Portal or the Everbridge Mobile App.

Do I need to upload Everbridge's SSO certificate to my IDP?

If your account uses SSO at all, please consult your IT team to determine whether your IDP configuration requires a certificate.

1. If your IDP configuration does NOT require an SSO certificate from Everbridge, then you only need to apply the new certificate in your Everbridge Manager Portal. 
2. If your IDP configuration DOES require an SSO certificate from Everbridge, then you need to first upload the new Everbridge SSO certificate to your IDP and subsequently apply the new certificate within the Everbridge Manager Portal.

Will users or contacts be able to log in via SSO during the certificate update process?

While you and your IT team are applying Everbridge's new SSO certificate, any users logging in to the Manager Portal, Visual Command Center (VCC), or the ManageBridge app and any contacts logging in to the Member Portal or the Everbridge Mobile App will be unable to log in via SSO. However, if they are already logged in, they will not be logged out.

Once the new SSO certificate is applied, users and contacts can resume logging in via SSO as normal.

For more information on the new Single Sign-On certificate, see knowledge article EBS: Updating the Everbridge Single Sign-On (SSO) Certificate.

Which certificate will be used when I configure new single sign-on (SSO) settings?

If you disable SSO in the Manager Portal, the Manager Portal will remember the original certificate used in the database. If you restore SSO settings in the Manager Portal after disabling them, the original certificate will be used. If you add brand-new SSO settings in the Manager Portal, the new certificate will be used.

What should I do if my session times out before I complete the update?

You can log in again and select the Update Certificate button to return to the certificate update workflow window and continue the process. If you have uploaded the new Everbridge SSO certificate to your IDP but have not selected the Apply Certificate button in the workflow, the certificate mismatch between your IDP and Everbridge’s central authentication service will prevent you from logging in via SSO, so you will have to log in to the Manager Portal using your own username and password (also known as your “breakglass” credentials).

Can I still use the current Everbridge SSO certificate after it has expired?

An expired certificate may or may not work in your IDP for signature verification and encryption. This varies by IDP. Based on our testing, some IDPs can support an expired certificate for signature verification and encryption if the certificate already existed in the IDP, but most IDPs do not support an expired certificate.

What should I do if my IDP only supports uploading metadata XML files, not the new Everbridge SSO certificate?

If your IDP only supports uploading metadata XML files, you should complete Apply Certificate in the certificate update workflow first and then download the metadata XML file from the Manager Portal as an Account Administrator in Settings > Security > Single Sign-On Certificates.

What is the file extension of the new Everbridge SSO certificate file?

The downloaded certificate file is in PEM format, which is a plain-text file in Base64 ASCII encoding with plain-text headers and footers (e.g., -----BEGIN CERTIFICATE------ and -----END CERTIFICATE-----). When you download the new certificate, its file extension might be CRT, CER, or KEY, which are common file extensions for SSO certificates.  Some old versions of Mozilla Firefox may not recognize a CRT file and append the file extension “.txt” at the end of the file name, saving the certificate as “<certificate file name>.crt.txt”. Since the certificate file will then be plain-text file, you should remove the “.txt” from the file name. Upgrading Firefox to the latest version should prevent this issue. Some IDPs may only recognize a certificate file with a specific file extension. In that case, please change the file extension accordingly.

Additional Resources

EBS: Updating the Everbridge Single Sign-On (SSO) Certificate