EBS: Understanding the Use of the Single Sign-on (SSO) Certificate in Azure AD

Question

What is the single sign-on certificate used for in Azure AD, and where should it be uploaded?

Answer

The single sign-on (SSO) certificate in Azure AD is primarily used for SAML request signature verification. In the context of Azure AD (Entra ID) and Everbridge integration, there are several key points to understand:

  1. Azure/Entra ID Certificates Are Separate from Everbridge Certificates: In most configurations, Azure/Entra ID uses its own self-signed certificates for SAML token signing and does not require updates when Everbridge renews or replaces its own SSO certificate.

  2. SAML Certificate (Token Signing Certificate): This is the primary certificate Azure/Entra ID uses for signing SAML tokens that it sends to Everbridge. It has a thumbprint that may differ from other certificates.

  3. Verification Certificate (Optional): According to Microsoft documentation, this certificate is used for verifying the signatures of SAML requests. It is not mandatory unless your configuration specifically requires it. Although optional, it is recommended for an extra layer of security.

  4. Everbridge Certificate Usage: The Everbridge SSO certificate is used by Everbridge for signing (and, in some designs, encrypting) SAML messages that are sent to the identity provider (IdP). Everbridge can provide a CA-signed (recommended) or self-signed certificate for this purpose as part of the Everbridge SSO configuration.

Steps to Upload the Everbridge Certificate in Azure AD

  1. Confirm Whether Azure Uses the Everbridge Certificate: Before making changes, confirm with your IT team whether Azure is configured to use the Everbridge SSO certificate for signature validation or encryption.

  2. Navigate to Azure AD Enterprise Applications: In the Azure portal, go to Azure Active Directory > Enterprise applications.

  3. Select Your Application: Choose the application configured for SSO with Everbridge.
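For step 1, one way to confirm which certificate Azure holds is to compare thumbprints. The script below is an added example, not Everbridge or Microsoft code. It assumes you have the service provider's SAML metadata XML and the thumbprints shown for the application in Azure, and that those thumbprints are the conventional SHA-1 digest of the DER certificate. All function names and the sample metadata are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for DER certificates (not real certs).
SIGNING_DER = b"constructed signing certificate bytes"
ENCRYPT_DER = b"constructed encryption certificate bytes"

def _key(use, der):
    b64 = base64.b64encode(der).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed service-provider metadata; entityID is a placeholder.
SAMPLE_SP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://sp.example.invalid/saml"><md:SPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key("signing", SIGNING_DER) + _key("encryption", ENCRYPT_DER)
    + '</md:SPSSODescriptor></md:EntityDescriptor>')

def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER bytes, upper-case hex (assumed thumbprint convention)."""
    return hashlib.sha1(der).hexdigest().upper()

def normalize(tp: str) -> str:
    """Strip spaces/colons so thumbprints copied from different tools compare."""
    return "".join(c for c in tp if c.isalnum()).upper()

def sp_cert_thumbprints(metadata_xml: str) -> dict:
    """Map each KeyDescriptor use to the thumbprints of its certificates."""
    root = ET.fromstring(metadata_xml)  # parse metadata from a trusted source only
    found = {}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # omitted 'use' means both
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.setdefault(use, []).append(thumbprint(der))
    return found

def idp_trusts_sp_signing_cert(metadata_xml: str, idp_thumbprints) -> bool:
    """True if a signing-capable SP certificate is among the IdP's thumbprints."""
    found = sp_cert_thumbprints(metadata_xml)
    signing = set(found.get("signing", []) + found.get("signing+encryption", []))
    return bool(signing & {normalize(t) for t in idp_thumbprints})
```

A `False` result from `idp_trusts_sp_signing_cert` means none of the thumbprints copied from Azure match a signing certificate in the metadata, which is consistent with Azure not using that certificate for request signature verification.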

For more detailed guidance on setting up the connection, refer to the Microsoft Entra integration with Everbridge tutorial.
