Topic

How to set up your mobile phone browser to log into the Everbridge Mobile App (EMA) via Single Sign-On (SSO).

Description

Please note the changes described in this article are optional only. You may continue to use the EMA (webview mode) for SSO authentication.

What Is the Change?

To keep up with industry best practices for SSO authentication in mobile apps, the IdP URL of the SSO provider (e.g., Microsoft Entra ID, Okta, OneLogin, etc.) will be displayed in your mobile browser during authentication instead of within the app (webview mode).

Why Make This Change?

Mobile app authorization requests via browser provide enhanced security as compared to embedded user agents within the app. Browser also provides additional advantages such as ability to use the SSO session that is centrally located and additional security in the context of authentication within the browser that is separate from the app. All leading SSO vendors are focused on enhancing policies for browser based workflows to prevent unauthorized access.

How Does the Change Impact You?

For customers that have controls configured to restrict authentication or browsing through mobile browser via MDM/MAM or SSO configuration may have to update their policies to allow Contacts to authenticate through mobile browser when the request originates from the Everbridge mobile app. The controls that can be applied to restrict browsing in mobile browsers varies from one provider to another.

MDM/MAM

Here are a few examples of the policies that can be applied via Microsoft Intune. Please reach out to your MDM/MAM provider to know more about the equivalent setting within your provider's configurations.

1. List of allowed URLs
   1. App configuration policy via Managed devices

Add the following to the list of allowed URLs within browsers to the Configuration key, Define a list of allowed URLs:

["https://member.everbridge.eu","https://member.everbridge.net","https://idp.eb-tools.com","edge://policy","ebmobile://","ssoebmobile://","everbridge://" ]

2. App configuration policy via Managed apps

Add the following to the list of Allowed URLs within browsers:

["https://member.everbridge.eu","https://member.everbridge.net","https://idp.eb-tools.com","edge://policy","ebmobile://","ssoebmobile://","everbridge://" ]

2. Allow cookies

Set the Configuration Value of the Configuration key, Allow cookies on specific sites to:

["https://member.everbridge.eu","https://member.everbridge.net","https://idp.eb-tools.com","edge://policy","ebmobile://","ssoebmobile://","everbridge://" ]

 

3. Disable context sharing between personal and work profile

Set the Redirect restricted sites to personal context setting in the Managed Apps configuration policy to Disable:

 

4. Add the schemes of the Everbridge mobile app (EMA) to the list of exempt apps in app protection policy for any browser (Edge, Chrome, etc.)

Under Edit policy, choose Select next to Select apps to exempt. The Select apps to exempt option allows redirection back to the app after successful authentication.
Under Exempt Apps, add the following Names and Values:

 

SSO Provider

Here is an example of a policy that can be applied via Microsoft Entra ID SSO to restrict authentication in mobile browser. Please note that Everbridge does not endorse any particular thrid-party tool or IdP software. This is provided simply as an example. The concepts should be similar regardless of your specific IdP. Please reach out to your SSO IdP to determine the equivalent settings required for your IdP.

If Use Conditional Access App Control is enabled in Microsoft Defender for Cloud Apps, then the SSO Administrators must make necessary updates to allow the Everbridge mobile app to authenticate in mobile browser and enable the redirection back to the Everbridge mobile app on successful authentication. The list of URLs to be permit listed (if applicable) - 

["https://member.everbridge.eu","https://member.everbridge.net","https://idp.eb-tools.com","edge://policy","ebmobile://","ssoebmobile://","everbridge://" ]

 

 

Are there any restrictions on the list of mobile browsers that are supported for browser-based authentication?

The list of recommended browsers are available in knowledge base article EBS: System Requirements for Everbridge Suite, Everbridge Mobile Apps, and Visual Command Center.

The IdP URL of the SSO provider will be displayed in the default mobile browser. During the redirection from the mobile app for SSO authentication user flow, the Everbridge application does not choose the browser in which the IdP URL of the SSO provider must be displayed, instead the IdP URL is displayed in the default browser that is configured for the respective device.

Will Contacts Have to Re-Enter Credentials if an SSO Session Is Active in the Browser?

No, the contact will not have to re-enter credentials if the single sign on session is active in the browser. In this case, the user flow will be as follows: Search for the org > select the org > contact will be routed to the browser since there is active SSO session > contact will be redirected back to the Everbridge mobile app.

How Will This Change Affect Contacts That Are Already Logged in to the App?

Existing user sessions will not be impacted. Contacts will experience the new user flow for authentication through the mobile browser only during new login attempts.

Does This Change Affect the SSO Authentication in the Managebridge App?

The SSO authentication in the ManageBridge app has been via the mobile browser since October 2021.