EBS: Troubleshooting Single Sign-On (SSO) in Everbridge Suite

Topic:

Troubleshooting Single Sign-On (SSO) in Everbridge Suite.

Description:

For troubleshooting SSO issues in Everbridge, users will need:

With a SAML response and metadata files, follow the guide below to ensure that SSO is initiated correctly.

Valid Until Date Expired

In some cases, the account metadata file will have an expiration date. Once the expiration date passes, logging in via SSO is not possible. The expiration date is listed in the metadata next to validUntil.

Update the account metadata to avoid errors. 

Encrypted SAML Responses

Everbridge can receive SAML responses that are encrypted. However, troubleshooting cannot begin with an encrypted SAML response. This is due to the encryption being stored within the IdP. As shown on the right, determine if the SAML response is encrypted by seeking the values Encrypted, Encryption, or Cipher.

When found, disable encryption from the IdP and capture an unencrypted SAML response.

Encrypted SAML Response

SSO ID and Name ID Do Not Match

The NameID value in a SAML response must match what is stored in the Everbridge SSO User ID for the user or the contact. Keep in mind that these values are case-sensitive.

In the example below, the SAML response reveals the NameID value as eddie.everbridge@gmail.com.

SAML Response Name ID

The value needs to match exactly with the SSO User ID in the Everbridge user record.

To update a user's SSO user ID, follow the steps listed below:

  1. Log in to the Everbridge Manager Portal and select your organization
  2. Select Settings > Access > Users
  3. Click the pencil icon next to the user to be edited
  4. Update the SSO User ID information to match the SAML response NameID.
  5. Click Save.

eddie2.png

To update a contact's SSO user ID, follow the steps listed below:

  1. Log in to the Everbridge Manager Portal and select your organization
  2. Select Contacts + Assets > Contacts > Contact List
  3. Click the pencil icon next to the contact to be edited
  4. Update the SSO User ID information to match the SAML response NameID
  5. Click Save.

eddie3.png

If contacts or users are unable to log in via SSO after verifying their IDs match, please contact Everbridge Technical Support.

Missing or Blank Subject Node

Ensure the IdP is set up to send a Subject Node within the SAML response. As shown on the right, the subject node contains the identifier NameID and the Recipient URL.

NOTE: This only impacts accounts that set up SSO to match their SSO User ID with the value stored in the NameID in the subject statement.

Audience URL Does Not Match Entity Descriptor ID URL

The Entity Descriptor ID URL configured in an SP metadata file must match with the Audience URL in the SAML response.

Manager Portal Entity ID:
https://sso.everbridge.net/{API_NAME}

Member Portal Entity ID: 

https://sso.everbridge.net/{API Name}/{ORG ID}

SP Metadata Entity ID

As shown below, the Audience URL matches with the Entity Descriptor ID URL.

SAML Response Audience ID

Destination & Recipient URLs Do Not Match ACS (Assertion Consumer Service) URL

The ACS URL is usually configured and found near the bottom of an SP Metadata file and should match with the Destination and Recipient URLs in a SAML response.

NOTE: This value is set in the IdP, usually in a field called Single Sign On URL.

Manager Portal Single Sign-On URL (ACS URL):

https://manager.everbridge.net/saml/SSO/{API_NAME}/alias/defaultAlias

Member Portal Single Sign-On URL (ACS URL):: 

https://member.everbridge.net/saml/SSO/{API Name}/{ORG ID}/alias/defaultAlias

ACS URL

As shown below, the Destination URL is found near the top of the SAML response.

SAML Response Destination URL

The Recipient URL can be found near the bottom of the SAML response.

SAML Response Recipient URL

 

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.