Topic
Troubleshooting Single Sign-On (SSO) in Everbridge Suite.
Description
To troubleshoot SSO issues in Everbridge, users will need:
A current Security Assertion Markup Language (SAML) Response as specified in knowledge article EBS: Capturing a SAML Response When Logging Into Everbridge Suite via Single Sign-On (SSO) and
Access to the IdP Metadata and SP (Service Provider) Metadata for the SSO configuration. For information on downloading an Organization's metadata see knowledge article EBS: Configuring Single Sign-On (SSO) for Use With the Everbridge Manager Portal.
With a SAML response and metadata files, follow the guide below to ensure that SSO is initiated correctly.
Valid Until Date Expired
In some cases, the Account metadata file will have an expiration date. Once the expiration date passes, logging in via SSO is not possible. The expiration date is listed in the metadata next to validUntil.
Update the Account metadata to avoid errors.
Encrypted SAML Responses
Everbridge can receive SAML responses that are encrypted. However, troubleshooting cannot begin with an encrypted SAML response. This is due to the encryption being stored within the IdP. As shown on the right, determine whether the SAML response is encrypted by searching it for the values Encrypted, Encryption, or Cipher.
If any of these values are found, disable encryption in the IdP and capture an unencrypted SAML response.
SSO ID and Name ID Do Not Match
The NameID value in a SAML response must match what is stored in the Everbridge SSO User ID for the user or the contact. Keep in mind that these values are case-sensitive.
In the example below, the SAML response reveals the NameID value as eddie.everbridge@gmail.com.
The value needs to match exactly with the SSO User ID in the Everbridge user record.
To update a user's SSO user ID, follow the steps listed below:
Log in to the Everbridge Manager Portal and select your organization
Select Settings > Access > Users
Click the pencil icon next to the user to be edited
Update the SSO User ID information to match the SAML response NameID.
Click Save.
To update a Contact's SSO user ID, follow the steps listed below:
Log in to the Everbridge Manager Portal and select your Organization
Select Contacts + Assets > Contacts > Contact List
Click the pencil icon next to the Contact to be edited
Update the SSO User ID information to match the SAML response NameID
Click Save.
If Contacts or Users are unable to log in via SSO after verifying their IDs match, please contact Everbridge Technical Support.
SSO ID Not Automatically Updated with Email Changes
When an employee's email address is updated, the associated SSO User ID does not automatically update to match the new email address. To resolve this issue:
The Account Administrator must manually update the SSO User ID to match the new email address.
Users cannot update their own SSO User IDs, as this functionality is not available in the Member Portal.
The Account Administrator can update the SSO User IDs either through the Manager Portal (as described in the steps above) or by uploading a Contact list with the updated information.
Missing or Blank Subject Node
Ensure the IdP is set up to send a Subject Node within the SAML response. As shown on the right, the subject node contains the identifier NameID and the Recipient URL.
NOTE: This only impacts accounts that set up SSO to match their SSO User ID with the value stored in the NameID in the subject statement.
Audience URL Does Not Match Entity Descriptor ID URL
The Entity Descriptor ID URL configured in an SP metadata file must match the Audience URL in the SAML response.
Manager Portal Entity ID:
https://sso.everbridge.net/{API_NAME}
Member Portal Entity ID:
https://sso.everbridge.net/{API Name}/{ORG ID}
As shown below, the Audience URL matches with the Entity Descriptor ID URL.
Destination & Recipient URLs Do Not Match ACS (Assertion Consumer Service) URL
The ACS URL is usually configured and found near the bottom of an SP Metadata file and should match the Destination and Recipient URLs in a SAML response.
NOTE: This value is set in the IdP, usually in a field called Single Sign On URL.
Manager Portal Single Sign-On URL (ACS URL):
https://manager.everbridge.net/saml/SSO/{API_NAME}/alias/defaultAlias
Member Portal Single Sign-On URL (ACS URL):
https://member.everbridge.net/saml/SSO/{API Name}/{ORG ID}/alias/defaultAlias
As shown below, the Destination URL is found near the top of the SAML response.
The Recipient URL can be found near the bottom of the SAML response.
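The checks in this article can be run together against a captured SAML response and the SP metadata. The script below is an added example, not Everbridge code. The function name check_sso, the EXAMPLEAPI placeholder and the sample XML are constructed for illustration, and validUntil is read from the same metadata file that supplies the entity ID and ACS URL.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

def check_sso(response_xml, sp_metadata_xml, sso_user_id, now=None):
    """Return findings for a captured response; [] means every check passed.
    Troubleshooting aid only: signatures are not verified here."""
    now = now or datetime.now(timezone.utc)
    resp, meta = ET.fromstring(response_xml), ET.fromstring(sp_metadata_xml)
    findings = []
    until = meta.get("validUntil")  # SSO login fails once this date has passed
    if until and datetime.fromisoformat(until.replace("Z", "+00:00")) < now:
        findings.append("metadata validUntil expired")
    # The article's test for encryption: Encrypted/Encryption/Cipher in element names.
    names = [el.tag.rsplit("}", 1)[-1] for el in resp.iter()]
    if any(k in n for n in names for k in ("Encrypted", "Encryption", "Cipher")):
        return findings + ["response is encrypted"]  # nothing else is readable
    acs = meta.find(".//md:AssertionConsumerService", NS)
    acs_url = acs.get("Location") if acs is not None else None
    if resp.get("Destination") != acs_url:
        findings.append("Destination does not match ACS URL")
    name_id = resp.find(".//a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("Subject/NameID missing or blank")
    elif name_id.text.strip() != sso_user_id:  # case-sensitive on purpose
        findings.append("NameID does not match SSO User ID")
    rcpt = resp.find(".//a:SubjectConfirmationData", NS)
    if rcpt is None or rcpt.get("Recipient") != acs_url:
        findings.append("Recipient does not match ACS URL")
    aud = resp.find(".//a:Audience", NS)
    if aud is None or (aud.text or "").strip() != meta.get("entityID"):
        findings.append("Audience does not match entityID")
    return findings

# Constructed sample data; EXAMPLEAPI is a placeholder for {API_NAME}.
ACS = "https://manager.everbridge.net/saml/SSO/EXAMPLEAPI/alias/defaultAlias"
ENTITY = "https://sso.everbridge.net/EXAMPLEAPI"
SP_META = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="{ENTITY}" '
           f'validUntil="2020-01-01T00:00:00Z"><md:SPSSODescriptor><md:AssertionConsumerService '
           f'Location="{ACS}"/></md:SPSSODescriptor></md:EntityDescriptor>')
RESPONSE = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{ACS}">'
            f'<a:Assertion><a:Subject><a:NameID>Eddie.Everbridge@gmail.com</a:NameID>'
            f'<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS}"/>'
            f'</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>'
            f'<a:Audience>{ENTITY}/</a:Audience></a:AudienceRestriction></a:Conditions>'
            f'</a:Assertion></p:Response>')
```

Calling check_sso(RESPONSE, SP_META, "eddie.everbridge@gmail.com") on the sample reports the expired metadata, the case mismatch in NameID, and the trailing slash that makes the Audience differ from the entity ID.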