Topic
Updating the Everbridge Single Sign-On (SSO) certificate.
Description
The Everbridge Single Sign-On (SSO) certificate expires annually. Once the expiration date draws near, Everbridge Account Administrators will see a message similar to the below when they log in to the Manager Portal. This message alerts administrators to how many days they have before they will need to update the SSO certificate. Below are the steps necessary for administrators and your IT team to take to update your SSO certificate. This applies to the Manager Portal, Member Portal, Visual Command Center (VCC), ManageBridge, and the Everbridge Mobile App. Users will be unable to log in to any of these portals via SSO until the certificate has been properly updated.
Before You Begin
- Confirm that you have access to your identity provider (IDP). Engage your information technology (IT) team for assistance.
- Ensure that you can successfully log in to the Everbridge platform as an Account Administrator using your own Everbridge username and password (also known as “breakglass credentials”).
- Communicate this maintenance window to your team(s) in advance. Users and contacts will not be able to log in to any Everbridge application via single sign-on (SSO) during the certificate update process.
- Download a copy of the old certificate prior to updating in the event a rollback is needed.
Certificate Update Walkthrough
Manager Portal (Account Level)
Using single sign-on (SSO), log in to your Account Administrator user profile. Upon successful login, all Account Administrators will see a Security Alert pop-up in the upper right corner of the screen, which contains a reminder of how much time is remaining before the Everbridge SSO certificate expires.
Selecting Learn More will redirect you to additional information relevant to the Everbridge SSO certificate update.
If you are ready to move forward with the Everbridge SSO certificate update, select the Update Now button, which will redirect you to the SSO certificate landing page. To view this page, you can also go to Settings > Security > Single Sign-On Certificates.
This page contains both the current and new Everbridge SSO certificates, which can be downloaded by selecting the download button to the right of each certificate. It is recommended that prior to starting you download a copy of the current certificate in the event you need to roll back the changes in your IDP.
Additionally, this page contains a list of current SSO configurations for both the Manager Portal and (if configured) the Member Portal for the account.
The Everbridge SSO certificate will need to be updated for both the Manager Portal and Member Portal configurations using the Update Certificate button next to each configuration (which are listed under the column titled API Name).
Once an Account Administrator selects Update Certificate, the below pop-up will appear. In this example, we will demonstrate the process flow for an IDP that does NOT require the use of the Everbridge SSO Certificate.
- Choose the new certificate you would like to apply from the certificate drop-down menu. We provide two types of certificates: a certificate signed by a Certificate Authority Agent (or a CA-signed certificate) with a validity period of about one year and a certificate signed by Everbridge (or a self-signed certificate) with a validity period of five years.
- Select your IDP from the drop-down menu (if unknown, select Other).
- Confirm your IDP configuration. By checking this box, you are confirming that your IDP does NOT require the Everbridge SSO certificate. For more details on this step, hover your mouse over the help bubble. If you are still uncertain about this step, please consult your IT team for further confirmation before proceeding.
- If your IDP does NOT require the Everbridge SSO certificate, check the box in step 2 and proceed directly to step 5 to select the Apply Certificate button, which will apply the Everbridge SSO certificate. This will complete the process.
- If your IDP DOES require the Everbridge SSO certificate, then leave the confirmation box in step 2 unchecked and complete step 3. Download and update the certificate in your IDP.
- Once the certificate has been updated in your IDP, check the confirmation box.
- Select the Apply Certificate button. If at any point prior to completing step 5 the browser session times out, you can always log back in and continue the process.
Member Portal (Account Level)
You can update the SSO certificate(s) for the Member Portal at the account level following the same steps as those for the Manager Portal noted above. The screenshot below shows multiple SSO API names for Member Portal certificates. The first API Name "ssosetting" is being used for two organizations, so it is configured at the account level, while "jennifersso" is for one specific organization, so it is configured at the organization level.
Updating the Member Portal SSO certificate(s) at the account level will apply to both the account level and member portal configurations.
Member Portal (Organization Level)
For Member Portal SSO configurations at the organization level, first log in to the account, select the desired organization, and then navigate to Settings > Organization > Security > Single Sign-On Certificates. An Account Administrator or Organization Administrator can update the SSO certificate following the same steps noted above.
Testing the New Everbridge SSO Certificate
- Once you have applied the new Everbridge SSO certificate, you are ready to test that SSO is working as expected (instructions for testing provided).
- Right-click on the web address in the instructions to open a new incognito browser.
- Follow the login process using SSO to confirm a successful login attempt.
- Once you have confirmed that SSO is working, select the Close button.
- Should SSO not work, please refer to the troubleshooting information using the link provided.
Troubleshooting Steps
- In the event of any issues during the certificate update, confirm that the new certificate is being used by both SP (Everbridge) and your identity provider (IDP).
- Download the new Everbridge SSO certificate from your Manager Portal account in Settings > Security > Single Sign-On Certificates. In a text editor, compare this certificate with the certificate uploaded to your IDP.
  - If they are different, then update the certificate in the IDP with the one configured in the Manager Portal.
  - If the two certificates are the same and the current date is before October 17, 2023, then roll back to the old Everbridge SSO certificate (please find rollback instructions below) and start the entire process over.
  - If the two certificates are the same and the current date is after October 17, 2023, then a rollback is no longer available. Instead, disable signature and encryption in your IDP to check if the sign-on issue is caused by the certificate.
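The certificate comparison in the troubleshooting steps above can be done by fingerprint instead of by eye, since line wrapping, CRLF line endings, or missing BEGIN/END lines make identical certificates look different in a text editor. This is an added example, not Everbridge code; the function names are hypothetical and the sample bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def fingerprints(text):
    """SHA-256 fingerprints of the DER bytes of each certificate in `text`.

    Accepts PEM (one or more blocks) or bare base64 as carried in SAML
    metadata. Whitespace, wrap width and CRLF/LF do not change the result.
    """
    bodies = PEM_BLOCK.findall(text) or [text]
    result = set()
    for body in bodies:
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der:
            raise ValueError("empty certificate body")
        result.add(hashlib.sha256(der).hexdigest())
    return result

def classify_idp_certificate(idp_text, old_text, new_text):
    """Report which downloaded certificate the IDP copy matches."""
    idp = fingerprints(idp_text)
    if idp & fingerprints(new_text):
        return "new"
    if idp & fingerprints(old_text):
        return "old"
    return "neither"

def to_pem(der, width=64, newline="\n"):
    """Build a PEM string; only used to create the constructed samples."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines,
                         "-----END CERTIFICATE-----"]) + newline

# Constructed placeholder bytes standing in for DER-encoded certificates.
OLD_DER = b"constructed sample: expiring certificate " * 8
NEW_DER = b"constructed sample: replacement certificate " * 8

if __name__ == "__main__":
    new_download = to_pem(NEW_DER)                        # Manager Portal copy
    idp_copy = to_pem(NEW_DER, width=76, newline="\r\n")  # same cert, rewrapped
    print("text identical:", new_download == idp_copy)
    print("IDP holds:", classify_idp_certificate(
        idp_copy, to_pem(OLD_DER), new_download))
```

A result of "old" or "neither" corresponds to the "different" case in the steps above; "new" corresponds to the "same" case.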
How to Roll Back a Certificate Update
In the event of issues with the new Everbridge SSO certificate, the certificate update can be rolled back:
- Select Change Certificate in the Action column for the certificate that was updated.
- Once Change Certificate is selected, the following pop-up will appear. Choose the expiring certificate you previously used from the certificate drop-down menu.
- If your SSO update process did NOT include steps 3 and 4 under the "Manager Portal (Account Level)" section:
  - Toggle the checkbox in step 2 "I confirm I am NOT using a certificate for either SSO request signature validation or SSO response encryption".
  - Select the Apply Certificate button to complete the rollback.
- If your SSO update process included steps 3 and 4 under the "Manager Portal (Account Level)" section:
  - Leave the confirmation box in step 2 unchecked.
  - Complete steps 3 and 4 as part of the rollback process to select the Apply Certificate button.
- Once the certificate has been successfully rolled back, you will see the old certificate in use, and the Update Certificate button will have re-appeared (see below).
Additional Resources
EBS: Updating the Everbridge Single Sign-On (SSO) Certificate FAQ.