EBS: Everbridge Single Sign-On (SSO) Certificate Update

Note: The instructions detailed below will become available after the SSO certificate deployment windows have been completed on August 13, 2023, 9 PM PST / August 14, 2023, 12 AM EST and 4 AM UTC.

Before You Begin

  • Confirm that you have access to your identity provider (IDP). Engage your information technology (IT) team for assistance. 
  • Ensure that you can successfully log in to the Everbridge platform as an Account Administrator using your own Everbridge username and password (also known as “breakglass credentials”). 
  • Communicate this maintenance window to your team(s) in advance. Users and contacts will not be able to log in to any Everbridge application via single sign-on (SSO) during the certificate update process. 
  • Download a copy of the old certificate prior to updating in the event a rollback is needed.

Certificate Update Walkthrough

Manager Portal (Account Level)

Using single sign-on (SSO), log in to your Account Administrator user profile. Upon successful login, all Account Administrators will see a Security Alert pop-up in the upper right corner of the screen, which contains a reminder of how much time is remaining before the Everbridge SSO certificate expires. 

Selecting Learn More will redirect you to additional information relevant to the Everbridge SSO certificate update.

If you are ready to move forward with the Everbridge SSO certificate update, select the Update Now button, which will redirect you to the SSO certificate landing page.  To view this page, you can also go to Settings > Security > Single Sign-On Certificate.

This page contains both the current and new Everbridge SSO certificates, which can be downloaded by selecting the download button to the right of each certificate.  It is recommended that prior to starting you download a copy of the current certificate in the event you need to roll back the changes in your IDP.

Additionally, this page contains a list of current SSO configurations for both the Manager Portal and (if configured) the Member Portal for the account.

The Everbridge SSO certificate will need to be updated for both the Manager Portal and Member Portal configurations using the Update Certificate button next to each configuration (which are listed under the column titled API Name).

Once an Account Administrator selects Update Certificate, the below pop-up will appear.  In this example, we will demonstrate the process flow for an IDP that does NOT require the use of the Everbridge SSO Certificate. 

  1. Choose the new certificate you would like to apply from the certificate drop-down menu. We provide two types of certificates: a certificate signed by a Certificate Authority Agent (or a CA-signed certificate) with a validity period of about one year and a certificate signed by Everbridge (or a self-signed certificate) with a validity period of five years.
  2. Select your IDP from the drop-down menu (if unknown, select Other).

  1. Confirm your IDP configuration.  By checking this box, you are confirming that your IDP does NOT require the Everbridge SSO certificate. For more details on this step, hover your mouse over the help bubble. If you are still uncertain about this step, please consult your IT team for further confirmation before proceeding.
  2. If your IDP does NOT require the Everbridge SSO certificate, check the box in step 2 and proceed directly to step 5 to select the Apply Certificate button, which will apply the Everbridge SSO certificate. This will complete the process.

  1. If your IDP DOES require the Everbridge SSO certificate, then leave the confirmation box in step 2 unchecked and complete step 3. Download and update the certificate in your IDP.

  1. Once the certificate has been updated in your IDP, check the confirmation box.

  1. Select the Apply Certificate button. If at any point prior to completing step 5 the browser session times out, you can always log back in and continue the process.

Member Portal (Account Level)

You can update the SSO certificate(s) for the Member Portal at the account level following the same steps as those for the Manager Portal noted above. The screenshot below shows multiple SSO API names for Member Portal certificates. The first API Name "ssosetting" is being used for two organizations, so it is configured at the account level, while "jennifersso" is for one specific organization, so it is configured at the organization level.

Updating the Member Portal SSO certificate(s) at the account level will apply to both the account level and member portal configurations. 

Member Portal (Organization Level)

For Member Portal SSO configurations at the organization level, first log in to the account, select the desired organization, and then navigate to Organization Settings > Security > Single Sign-On Certificates. An Account Administrator or Organization Administrator can update the SSO certificate following the same steps noted above.

Testing the New Everbridge SSO Certificate

  1. Once you have applied the new Everbridge SSO certificate, you are ready to test that SSO is working as expected (instructions for testing provided).
  2. Right-click on the web address in the instructions to open a new incognito browser.
  3. Follow the login process using SSO to confirm a successful login attempt.

  1. Once you have confirmed that SSO is working, select the Close button.
  2. Should SSO not work, please refer to the troubleshooting information using the link provided.

Troubleshooting Steps

  1. In the event of any issues during the certificate update, confirm that the new certificate is being used by both the service provider (SP), which is Everbridge, and your identity provider (IDP).
  2. Download the new Everbridge SSO certificate from your Manager Portal account in Account Settings > Security > Single Sign-On Certificates. In a text editor, compare this certificate with the certificate uploaded to your IDP.
  3. If they are different, then update the certificate in the IDP with the one configured in the Manager Portal.
  4. If the two certificates are the same and the current date is before October 17, 2023, then roll back to the old Everbridge SSO certificate (please find rollback instructions below) and start the entire process over.
  5. If the two certificates are the same and the current date is after October 17, 2023, then a rollback is no longer available. Instead, disable signature and encryption in your IDP to check if the sign-on issue is caused by the certificate.
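
The comparison in step 2 can mislead when done by eye: the same certificate may be wrapped at a different line width or saved with different line endings, so the text differs while the certificate does not. The sketch below is an added example, not Everbridge code. It compares SHA-256 fingerprints of the decoded certificate bytes and goes slightly beyond the step by also reading a certificate embedded in metadata XML. All function names are hypothetical and the sample bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
XML_RE = re.compile(
    r"<(?:\w+:)?X509Certificate>(.*?)</(?:\w+:)?X509Certificate>", re.S)


def cert_fingerprints(text):
    """SHA-256 fingerprints of every certificate found in text.

    Accepts PEM (any line wrapping or line endings) or SAML metadata XML,
    where the certificate is bare Base64 inside <X509Certificate>.
    """
    bodies = PEM_RE.findall(text) or XML_RE.findall(text)
    prints = []
    for body in bodies:
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def same_certificate(portal_text, idp_text):
    """True when the first certificate in each input is byte-identical."""
    a, b = cert_fingerprints(portal_text), cert_fingerprints(idp_text)
    if not a or not b:
        raise ValueError("no certificate found in one of the inputs")
    return a[0] == b[0]


def _pem(der, width, newline):
    """Wrap DER bytes as PEM with the given line width and line ending."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])


# Constructed stand-in bytes, NOT a real certificate; only the encoding matters.
NEW_DER = bytes(range(256)) * 3
OLD_DER = NEW_DER[:-1] + b"\x00"
PORTAL_PEM = _pem(NEW_DER, 64, "\n")    # as downloaded from the portal
IDP_PEM = _pem(NEW_DER, 76, "\r\n")     # same cert, re-wrapped with CRLF
IDP_METADATA = ("<ds:X509Certificate>%s</ds:X509Certificate>"
                % base64.b64encode(OLD_DER).decode())
print(same_certificate(PORTAL_PEM, IDP_PEM), same_certificate(PORTAL_PEM, IDP_METADATA))
```

With real files, read each file's text and pass both strings to `same_certificate`; a `False` result corresponds to step 3, a `True` result to steps 4 and 5.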

How to Roll Back a Certificate Update

In the event of issues with the new Everbridge SSO certificate, the certificate update can be rolled back:

  1. Select Change Certificate in the Action column for the certificate that was updated.

  1. Once Change Certificate is selected, the following pop-up will appear. Choose the expiring certificate you previously used from the certificate drop-down menu.
  1. If your SSO update process did NOT include steps 3 and 4 under the "Manager Portal (Account Level)" section:
       1. Toggle the checkbox in step 2 "I confirm I am NOT using a certificate for either SSO request signature validation or SSO response encryption".
       2. Select the Apply Certificate button to complete the rollback.

  1. If your SSO update process included steps 3 and 4 under the "Manager Portal (Account Level)" section:
       1. Leave the confirmation box in step 2 unchecked.
       2. Complete steps 3 and 4 as part of the rollback process, then select the Apply Certificate button.

  1. Once the certificate has been successfully rolled back, you will see the old certificate in use, and the Update Certificate button will have re-appeared (see below).

Frequently Asked Questions

  1. Which certificate will be used when I configure new single sign-on (SSO) settings? If you disable SSO in the Manager Portal, the Manager Portal will remember the original certificate used in the database. If you restore SSO settings in the Manager Portal after disabling them, the original certificate will be used. If you add brand-new SSO settings in the Manager Portal, the new certificate will be used.
  2. What should I do if my session times out before step 5 in the certificate update workflow? You can log in again and select the Update Certificate button to return to the certificate update workflow window and continue the process. If you have uploaded the new Everbridge SSO certificate to your IDP but have not selected the Apply Certificate button in the workflow, the certificate mismatch between your IDP and Everbridge’s central authentication service will prevent you from logging in via SSO, so you will have to log in to the Manager Portal using your own username and password (also known as your “breakglass” credentials).
  3. Can I still use the current Everbridge SSO certificate after it has expired? An expired certificate may or may not work in your IDP for signature verification and encryption. This varies by IDP. Based on our testing, some IDPs can support an expired certificate for signature verification and encryption if the certificate already existed in the IDP, but most IDPs do not support an expired certificate.
  4. What should I do if my IDP only supports uploading metadata XML files, not the new Everbridge SSO certificate? If your IDP only supports uploading metadata XML files, you should complete step 5 (Apply Certificate) in the certificate update workflow first and then download the metadata XML file from the Manager Portal in Account Settings > Security > SSO.
  5. What is the file extension of the new Everbridge SSO certificate file? The downloaded certificate file is in PEM format, which is a plain-text file in Base64 ASCII encoding with plain-text headers and footers (e.g., -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). When you download the new certificate, its file extension might be CRT, CER, or KEY, which are common file extensions for SSO certificates. Some old versions of Mozilla Firefox may not recognize a CRT file and append the file extension “.txt” at the end of the file name, saving the certificate as “<certificate file name>.crt.txt”. Since the certificate file will then be a plain-text file, you should remove the “.txt” from the file name. Upgrading Firefox to the latest version should prevent this issue. Some IDPs may only recognize a certificate file with a specific file extension. In that case, please change the file extension accordingly.
See also knowledge base article .