Topic

How to configure Single Sign-On (SSO) for an Organization with a private Everbridge Member Portal.

Description

Single Sign-On (SSO) for an organization with a private Everbridge Member Portal may be configured at the account level or at the organization level. If SSO is configured at the Account level, all organizations under that account inherit the account-level SSO configuration for their member portal. Configuring SSO at the organization level allows you to define SSO for a specific organization if SSO is not defined at the account level. If SSO is defined at the account level, configurating SSO at the organization level will override the account-level SSO settings. This document provides guidance on SSO configuration steps for both the Account level and the Organization level.

Preparation for SSO Configuration

Your Identity Provider's(IdP) metadata is a prerequisite for setting up your users' SSO. Download the metadata file from your IdP and save it as an XML file. There are two workflows available:

1. Format the Entity ID and ACS URLs before generating your metadata file using these templates:
   • Single Sign On URL (ACS URL): https://member.everbridge.net/saml/SSO/{API Name}/{ORG ID}/alias/defaultAlias
   • Entity ID https://sso.everbridge.net/{API Name}/{ORG ID}
2. Generate the metadata file without configuring the Entity ID and ACS URLs, follow the steps to configure SSO in the Manager Portal, download the updated metadata file, and upload the updated metadata file with your IdP to update the Entity ID and ACS URLs. 

Configuration Steps in the Manager Portal for the Account Level

The following steps must be completed by an Account Admin:

1. Log in to the Manager Portal as an Account Administrator.
2. Select Settings from the top menu bar.
3. Select Security from the menu on the left.
4. Select Single Sign-On for Member Portal from the sub-menu.

5. Enter a Name for your SSO instance.
6. Enter your API Name, which must exactly match what you chose for the Entity ID and Reply URLs. Note: API Names must be unique across all Organizations in the account.
7. Upload the Identity Provider Metadata file by clicking Choose File.
8. Select the appropriate radio button for the Security Hash Algorithm.
9. Select the appropriate radio button for the SAML Identity Location.
10. Select the appropriate radio button for the Service Provider initiated Request Binding.
11. Select the appropriate radio button for the Single Logout Redirector.
12. Click Save.

<

13. Check the box for Member Portal to allow SSO access via the Member Portal.
14. Optional: Check the box for Mobile App to allow SSO access via the Everbridge Mobile App, then Populate the Mobile App Key Phrase.
15. Click Save a second time to complete the set-up to Download the metadata file/s from Everbridge. Once the Download box appears to the right of the Organization Name, the configuration is complete.

Configuration Steps in the Manager Portal for the Organization Level

The following steps can be completed by an Account or Organization Admin:

1. Log in to the Manager Portal and select the appropriate Organization from the upper right-hand corner.
2. Select Settings from the top menu bar.
3. Select Security from the menu on the left.
4. Select Single Sign-On for Member Portal from the sub-menu.  
5. If your account has Single Sign-On set up for the member portal at the Account level, you may encounter a prompt to override the account Single Sign-On settings.
   1. Click the blue Override Settings button.
   2. A pop-up window will open and ask Are you sure you want to override the account Single Sign-On settings? Click the blue Confirm button.

6. Enter a Name for your SSO instance.
7. Enter your API Name, which must exactly match what you chose for the Entity ID and Reply URLs. Note: API Names must be unique across all organizations in the account.
8. Upload the Identity Provider Metadata file by clicking Choose File.
9. Select the appropriate radio button for the Security Hash Algorithm.
10. Click Save.
11. Optional: Check the box for Mobile App to allow SSO access via the Everbridge Mobile App.

12. Click Save a second time to complete the set-up and display the option to Download the metadata file from Everbridge.

Downloading Account Metadata to Upload Into the IdP

After saving, you will be able to download the metadata file. The metadata file downloaded from Everbridge will have two new entries that will be updated in the XML file: Entity ID and ACS URLs. This metadata file can now be uploaded to your IdP if needed to update the Entity ID and ACS URLs if these items were not manually configured before generating the metadata file you uploaded into Everbridge. If you already configured the Entity ID and ACS URLs in your IdP before generating your XML file, you can proceed with configuring SSO user IDs and testing the new SSO configuration.

Updating Contact Record SSO User ID

Contacts will need to have an SSO User ID associated with their contact records before they can sign in. You can view the SSO User ID in the contact profile: 

You can add or edit the SSO User ID by clicking Edit Contact Information​​​​​.

The SSO User ID value is case-sensitive and must match the value set for the user account in the IdP exactly.

Logging Into the Member Portal Using SSO

You can access the SSO Login page using the ACS URL.

The URL for this example is: https://member.everbridge.net/saml/SSO/ssomemberportal1/1234567891011/alias/defaultAlias.

Test the New SSO Configuration

Request a few users to attempt logging in via SSO.

If the users are unable to log in:

1. Capture screenshots and specific error messages.
2. Reach out to the IdP administrator to determine whether there is an error happening on the IdP side.
3. Contact Everbridge Technical Support noting the specific error received, the impacted user, the username entered upon log in, and the date/time of the failed sign-in attempt.

Related Knowledge Base Articles:

EBS: Troubleshooting Single Sign-On (SSO) in Everbridge Suite
EBS: Single Sign-on (SSO) ​​​​​​​Unauthorized Access Error When Logging in to the Everbridge Manager or Member Portals

Download the XML for Record Keeping

If the reconfiguration was successful, download the XML file used to create this new SSO configuration for record keeping and follow the steps below:

1. Log in to the Manager Portal as an Account Administrator or Organization Admin.
2. Click the Settings tab from the top of the page.
3. Select  Security from the drop-down menu on the left.
4. Select Single Sign-On for Member Portal from the drop-down.
5. Scroll to the bottom of the configuration settings and click the Download link and save the XML file. (Note: If you have not configured SSO for the Member Portal, there will be no Download link.)