1. Everbridge
  2. Knowledge
  3. Single Sign-On (SSO)
  4. Configuration

EBS: Updating the Everbridge Single Sign-On (SSO) Certificate FAQ

Updated
Terry Branoff
Optimized Resolution Standard Resolution High Resolution

Updating the Everbridge Single Sign-On (SSO) Certificate FAQ

This guide provides the answers to frequently asked questions regarding updating the Everbridge Single Sign-On (SSO) certificate for the Manager Portal, Member Portal, Visual Command Center (VCC), ManageBridge, and Everbridge Mobile App.

What do I need to have prepared to update my account's SSO certificate?

Before you begin updating your account's SSO certificate, please ensure that you have done all the following.

  1. Consult an IT specialist who is familiar with your IDP configuration.

  2. If you are able, prepare your own break-glass credentials for Everbridge Suite (a username and password that are independent of your SSO login).

  3. Communicate to all your users and contacts who use SSO that Everbridge will undergo downtime for maintenance in the time period you have decided to update your account's SSO certificate.

What is an SSO certificate?

Service providers (such as Everbridge) are required to offer SSO certificates so that IDPs (such as OneLogin, Microsoft Entra ID, Okta, etc.) can validate that their identity information is coming from a trusted source. These certificates may be included in security assertion mark-up language (SAML) metadata files, which are used to share key information with service providers.

How can I apply Everbridge's new SSO certificate in my Everbridge account?

Everbridge will provide a configuration workflow in your Everbridge Manager Portal account settings to apply the new SSO certificate. This will affect both users logging in to the Manager Portal, Visual Command Center (VCC), or the ManageBridge app and any contacts logging in to the Member Portal or the Everbridge Mobile App.

Do I need to upload Everbridge's SSO certificate to my IDP?

If your account uses SSO at all, please consult your IT team to determine whether your IDP configuration requires a certificate.

  1. If your IDP configuration does NOT require an SSO certificate from Everbridge, then you only need to apply the new certificate in your Everbridge Manager Portal.

  2. If your IDP configuration DOES require an SSO certificate from Everbridge, then you need to first upload the new Everbridge SSO certificate to your IDP and subsequently apply the new certificate within the Everbridge Manager Portal.

What happens if I don't update my Everbridge SSO certificate by the expiration date?

If the SSO certificate is not updated by the expiration date, users and contacts may experience issues with their SSO login. This could potentially disrupt access to Everbridge Manager or Member portals, preventing your organization from using the platform effectively.

Who can update the SSO certificate in Everbridge?

To update the SSO certificate in Everbridge, you must be logged in as an Account administrator at the Account level, not just an Organization administrator. If you only have Organization-level access, you'll need to contact your internal Account administrator to complete the certificate update process.

How long does the SSO certificate update process take?

The entire SSO certificate update process should take no more than a couple minutes. For customers not using Everbridge SSO certificates, it primarily involves checking a checkbox to confirm their current configuration.

How long is the window for renewing an Everbridge SSO certificate?

Everbridge typically makes the new SSO certificate available approximately two months prior to the current certificate's expiration date. It's recommended to renew the certificate before it expires to avoid single sign-on downtime.

What are the potential risks when updating SSO certificates?

When updating SSO certificates, there are potential risks of downtime or authentication errors. If you delete the existing certificate without proper coordination, you may introduce signature errors that will prevent authentication until the request is approved by the authentication team.

Will users or contacts be able to log in via SSO during the certificate update process?

While you and your IT team are applying Everbridge's new SSO certificate, any users logging in to the Manager Portal, Visual Command Center (VCC), or the ManageBridge app and any contacts logging in to the Member Portal or the Everbridge Mobile App will be unable to log in via SSO. However, if they are already logged in, they will not be logged out.

Once the new SSO certificate is applied, users and contacts can resume logging in via SSO as normal.

How can I minimize downtime when renewing or replacing an SSO (SAML) certificate?

Coordinate the certificate change with your IT team and your Everbridge contact or representative, and schedule the change during a planned maintenance window to reduce user impact. Make sure the new certificate or federation metadata from your IdP is installed correctly in both your IdP and the Everbridge Manager Portal so SAML settings take effect without unexpected interruptions. Everbridge also recommends avoiding certificate pinning in custom applications, as certificates may be rotated and pinning can cause connection failures when certificates change.

For more information on the new Single Sign-On certificate, see knowledge article EBS: Updating the Everbridge Single Sign-On (SSO) Certificate.

Which certificate will be used when I configure new single sign-on (SSO) settings?

If you disable SSO in the Manager Portal, the Manager Portal will remember the original certificate used in the database. If you restore SSO settings in the Manager Portal after disabling them, the original certificate will be used. If you add brand-new SSO settings in the Manager Portal, the new certificate will be used.

What should I do if my session times out before I complete the update?

You can log in again and select the Update Certificate button to return to the certificate update workflow window and continue the process. If you have uploaded the new Everbridge SSO certificate to your IdP but have not selected the Apply Certificate button in the workflow, the certificate mismatch between your IdP and Everbridge's central authentication service will prevent you from logging in via SSO, so you will have to log in to the Manager Portal using your own username and password (also known as your "break glass" credentials).

Can I still use the current Everbridge SSO certificate after it has expired?

An expired certificate may or may not work in your IDP for signature verification and encryption. This varies by IDP. Based on our testing, some IDPs can support an expired certificate for signature verification and encryption if the certificate already existed in the IDP, but most IDPs do not support an expired certificate.

What should I do if my IDP only supports uploading metadata XML files, not the new Everbridge SSO certificate?

If your IDP only supports uploading metadata XML files, you should complete Apply Certificate in the certificate update workflow first and then download the metadata XML file from the Manager Portal as an Account Administrator in Settings > Security > Single Sign-On Certificates. You can then upload that metadata XML file into your IDP.

What is the file extension of the new Everbridge SSO certificate file?

The downloaded certificate file is in PEM format, which is a plain-text file in Base64 ASCII encoding with plain-text headers and footers (for example, -----BEGIN CERTIFICATE------ and -----END CERTIFICATE-----). When you download the new certificate, its file extension might be CRT, CER, or KEY, which are common file extensions for SSO certificates. Everbridge supports X.509 certificates in PEM‑encoded, DER‑encoded, and CER‑encoded file formats.

Some old versions of Mozilla Firefox may not recognize a CRT file and append the file extension .txt at the end of the file name, saving the certificate as <certificate file name>.crt.txt. Since the certificate file will then be a plain-text file, you should remove the .txt from the file name. Upgrading Firefox to the latest version should prevent this issue.

Some IDPs may only recognize a certificate file with a specific file extension. In that case, please change the file extension accordingly (for example, from .crt to .cer) without altering the contents of the file.

Where can I see which SSO certificate Everbridge is using and whether it is used for signature validation or response encryption?

To see which certificate Everbridge is currently using, log in as an Account Administrator and go to Settings > Security > Single Sign-On Certificates in the Manager Portal (and, if applicable, the Member Portal). The configuration screen shows which certificate is in use and whether Everbridge is configured to use a certificate for SSO request signature validation and/or SSO response encryption.

What should I do after Everbridge updates my SSO certificate on my behalf?

After Everbridge updates your SSO certificate as part of a scheduled change, log in to your organization's Everbridge account (for example, *.everbridge.net or *.everbridge.eu) and verify that SSO works as expected for both Manager and Member portals. If you encounter SSO login issues, your IT team or IdP administrator may need to update the SSO certificate or metadata in your IdP. For additional help, contact Everbridge Technical Support at support@everbridge.com.

What should I do if I can't log in to the Everbridge Manager Portal using SSO or am not receiving alerts visible in the dashboard?

If you are experiencing issues logging in to the Everbridge Manager Portal using SSO or not receiving alerts that are visible in the dashboard, follow these steps:

  1. Work with your organization's IT team to update the SSO certificate if needed.

  2. Check your Contacts account settings to ensure you are subscribed to receive the relevant alerts.

  3. Explore the map view in the Manager or User Portal to visualize open incidents.

How do I remove an SSO certificate from the Everbridge Manager Portal when the checkbox is greyed out?

If you need to remove an SSO certificate from the Everbridge Manager Portal and the checkbox to indicate you are not using a certificate is greyed out, follow these steps:

  1. Go to the Single Sign-On Certificates tab in the Manager Portal.

  2. Select Change certificate.

  3. Choose a different certificate from the dropdown menu.

  4. After you change the selection, the checkbox to confirm that you are not using a certificate for SSO request signature validation or response encryption will become available.

  5. You can then uncheck or check the appropriate options and proceed to remove or stop using the certificate as needed.

How do I identify if my Everbridge SSO certificate is about to expire?

Log in to the Everbridge Manager Portal as an Account Administrator and go to Settings > Security > Single Sign-On Certificates to review the certificate details, including expiration dates. If your account uses the Member Portal, also review the same configuration there. It is recommended to cross-reference the certificate details in both your Everbridge settings and your identity provider's system to confirm whether you are actively using the Everbridge certificate for SSO request signature validation and/or response encryption.

Additional Resources

EBS: Updating the Everbridge Single Sign-On (SSO) Certificate

Was this article helpful?
0 out of 0 found this helpful