Topic:

Troubleshooting Single Sign-On (SSO) in Everbridge Suite.

Description:

For troubleshooting SSO issues in Everbridge, users will need:

• A current Security Assertion Markup Language (SAML) Response as specified in knowledge base article  EBS: Capturing a SAML Response When Logging Into Everbridge Suite via Single Sign-On (SSO) and
• Access to the IdP Metadata and SP (Service Provider) Metadata for the SSO configuration. For information on downloading an organization's metadata please see knowledge base article EBS: Configuring Single Sign-On (SSO) for Use With the Everbridge Manager Portal.

With a SAML response and metadata files, follow the guide below to ensure that SSO is initiated correctly.

Valid Until Date Expired

In some cases, the account metadata file will have an expiration date. Once the expiration date passes, logging in via SSO is not possible. The expiration date is listed in the metadata next to validUntil.

Update the account metadata to avoid errors. 

Encrypted SAML Responses

Everbridge can receive SAML responses that are encrypted. However, troubleshooting cannot begin with an encrypted SAML response. This is due to the encryption being stored within the IdP. As shown on the right, determine if the SAML response is encrypted by seeking the values Encrypted, Encryption, or Cipher.

When found, disable encryption from the IdP and capture an unencrypted SAML response.

SSO ID and Name ID Do Not Match

The NameID value in a SAML response must match what is stored in the Everbridge SSO User ID for the user or the contact. Keep in mind that these values are case-sensitive.

In the example below, the SAML response reveals the NameID value as eddie.everbridge@gmail.com.

The value needs to match exactly with the SSO User ID in the Everbridge user record.

To update a user's SSO user ID, follow the steps listed below:

1. Log in to the Everbridge Manager Portal and select your organization
2. Select Settings > Access > Users
3. Click the pencil icon next to the user to be edited
4. Update the SSO User ID information to match the SAML response NameID.
5. Click Save.

To update a contact's SSO user ID, follow the steps listed below:

1. Log in to the Everbridge Manager Portal and select your organization
2. Select Contacts + Assets > Contacts > Contact List
3. Click the pencil icon next to the contact to be edited
4. Update the SSO User ID information to match the SAML response NameID
5. Click Save.

If contacts or users are unable to log in via SSO after verifying their IDs match, please contact Everbridge Technical Support.

Missing or Blank Subject Node

Ensure the IdP is set up to send a Subject Node within the SAML response. As shown on the right, the subject node contains the identifier NameID and the Recipient URL.

NOTE: This only impacts accounts that set up SSO to match their SSO User ID with the value stored in the NameID in the subject statement.

Audience URL Does Not Match Entity Descriptor ID URL

The Entity Descriptor ID URL configured in an SP metadata file must match with the Audience URL in the SAML response.

Manager Portal Entity ID:
https://sso.everbridge.net/{API_NAME}

Member Portal Entity ID: 

https://sso.everbridge.net/{API Name}/{ORG ID}

As shown below, the Audience URL matches with the Entity Descriptor ID URL.

Destination & Recipient URLs Do Not Match ACS (Assertion Consumer Service) URL

The ACS URL is usually configured and found near the bottom of an SP Metadata file and should match with the Destination and Recipient URLs in a SAML response.

NOTE: This value is set in the IdP, usually in a field called Single Sign On URL.

Manager Portal Single Sign-On URL (ACS URL):

https://manager.everbridge.net/saml/SSO/{API_NAME}/alias/defaultAlias

Member Portal Single Sign-On URL (ACS URL):: 

https://member.everbridge.net/saml/SSO/{API Name}/{ORG ID}/alias/defaultAlias

As shown below, the Destination URL is found near the top of the SAML response.

The Recipient URL can be found near the bottom of the SAML response.