Topic
Single Sign-On (SSO) terms and definitions.
Description
Below is a table of SSO terms commonly used when configuring SSO in Everbridge, with their definitions and where they are used in Everbridge Suite.
Term | Definition | Where Used |
ACS URL* (Single Sign-On URL) | An Assertion Consumer Service (ACS) URL is an endpoint on a Service Provider (SP) that tells an Identity Provider (IdP) where to redirect an authenticated user after sign-in. These are the URLs a user uses to log in to an application via SSO. The ACS URL is also known as the Single Sign-On URL. Manager Portal ACS URL (SSO URL): Member Portal ACS URL (SSO URL) | IdP Metadata File |
API Name {API_NAME} | API Name is a unique name used by the API that you create to identify your SSO configuration. API names must be unique across all Organizations and Accounts. Everbridge uses this attribute to generate an Everbridge Login URL. If you attempt to enter an already used API Name, Everbridge will generate an error. | Manager Portal SSO Settings, Member Portal SSO Settings |
Break Glass | When setting up Single Sign-On (SSO) access, it is important to consider how you will gain access to Everbridge should there be an SSO outage. Creating Break Glass Access is the best answer for scenarios like this. 'Break Glass Access' or 'Break Glass Credentials' refer to a set of backup credentials (username and password) that allow users to sign in to the Everbridge platform directly without using Single Sign-On (SSO). See knowledge article EBS: Single Sign-On (SSO) Break Glass Access in Everbridge Suite for information on setting up Break Glass Access. | When logging in to the Manager or Member Portal with a username and password |
Certificate | (See Service Provider Certificate) | --- |
Enable Signature Validation | Enabling Signature Validation adds additional SSO security. Confirm that your IdP is also set to sign the SAML Assertion, or both the SAML Response and the Assertion. | Manager Portal SSO Settings |
Entity ID (Entity ID URLs)* | The Entity ID (Entity ID URL) is a unique identifier for an Identity Provider or Service Provider. It is used to identify each party in the SSO process. The Entity ID is also known as the issuer. Manager Portal Entity ID: Member Portal Entity ID: | IdP Metadata File |
Everbridge Login URL | The Everbridge Login URL is the web address (URL) for logging in to the Manager Portal directly using a username and password (break glass account). This is an auto-populated field and invisible at creation. Example: https://manager.everbridge.net/login | Manager Portal SSO Settings |
Everbridge Service Login URL | The Everbridge Service Login URL is the unique URL that users will access to log in to the Manager Portal using SSO. This is an auto-populated field and invisible at creation. Example: https://manager.everbridge.net/saml/login/{API_NAME} | Manager Portal SSO Settings |
Identity Provider (IdP) | The Identity Provider (IdP) is the service that authenticates users and provides their identity information. | Manager Portal SSO Settings, Member Portal SSO Settings |
Identity Provider Login URL | The Identity Provider Login URL is the URL where Everbridge sends a SAML request to start the login sequence. | Manager Portal SSO Settings, Member Portal SSO Settings |
Identity Provider Metadata | Identity Provider Metadata is an XML file that uniquely identifies your SAML IdP. The IdP Metadata file is downloaded from your IdP and uploaded into your Everbridge SSO configuration. | Manager Portal SSO Settings, Member Portal SSO Settings and IdP |
Key Phrase | Key Phrase is a word used for enabling SSO for ManageBridge. The Key Phrase must be 6 to 12 characters long, and contain at least one letter and one number. Special characters are allowed but limited to !@#$%^&*() | ManageBridge SSO Settings |
Metadata | (See Identity Provider and Service Provider Metadata) | --- |
Name | Name of the SSO configuration. | Manager Portal SSO Settings, Member Portal SSO Settings |
NameID (Attribute) | The NameID is the unique identifier or Attribute for a user in the IdP and must be unique within the IdP. The NameID is also known as the Attribute that the IdP sends to Everbridge and must exactly match the user's Everbridge SSO User ID. IMPORTANT: The SSO User ID in Everbridge is case sensitive, so the NameID must be an exact match to the SSO User ID, including case. | IdP |
Organization ID {ORG_ID} | A unique ID generated at the time the Organization is created and uniquely identifies that Organization. See knowledge article EBS: Locating Your Organization Details in Everbridge Suite | Manager Portal Organization Settings |
SAML | Security Assertion Markup Language (SAML) is an open standard that allows users to sign in once and access multiple applications using the same credentials. SAML works by allowing an identity provider (IdP) to verify a user's identity and then pass that information to a service provider (SP) that runs the application or service the user wants to access. SAML makes SSO technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications. | In SSO Technology |
SAML Assertion | SAML Assertions are the messages that are exchanged between an Identity Provider (IdP) and Service Provider (SP) that confidentially identify who a user is, what pertinent information exists about them, and what they are authorized or entitled to access. Assertions are recorded and transferred as XML documents to standardize communications between the IdP and SP. The SAML response is sent in lieu of a username and password being shared over the wire. | In SSO Communications |
SAML Identity Location | For the SAML Identity Location, Everbridge recommends using the "Identity is in the NameIdentifier element of the Subject statement" option as opposed to an attribute, as the attribute is typically not what you think it is. For example, you might think it is an e-mail address, but in your Identity Provider, it is something completely different. The location in the assertion where a user should be identified. Select either of the following: | Manager Portal SSO Settings, Member Portal SSO Settings |
SAML Tracer | Everbridge recommends you use a SAML Tracer (Chrome extension) to trace your SAML responses when testing your configuration, regardless of how User Login is initiated. | Browser |
SAML Version | 2.0 | Manager Portal SSO Settings, Member Portal SSO Settings |
Security Hash Algorithm (SHA) | The Security Hash Algorithm (SHA) is a hashing algorithm, a mathematical function that garbles data and makes it unreadable. | Manager Portal SSO Settings, Member Portal SSO Settings |
Service Provider (SP) | The Service Provider (SP) is the application that users are trying to access. In this case it is Everbridge. | Application being accessed via SSO |
Service Provider Certificate | The Service Provider Certificate is the Certificate that you want to use for SSO. Can be used for SSO request signature validation or for SSO response encryption. | Manager Portal SSO Settings, Member Portal SSO Settings |
Service Provider Initiated Request Binding | Service Provider Initiated Request Binding is a mechanism used to request how SAML messages are sent between an Identity Provider (IdP) and a Service Provider (SP). | Manager Portal SSO Settings, Member Portal SSO Settings |
Service Provider Metadata | Service Provider Metadata is an XML file that defines your Everbridge SSO configuration. The Manager Portal has an account metadata file and the Member Portal has either an account metadata file or an Organization metadata file depending on how it is configured. | Manager Portal SSO Settings, Member Portal SSO Settings |
Single Logout Redirector | Single Logout Redirector is the Everbridge SSO Landing Page or a Customized Logout URL | Manager Portal SSO Settings, Member Portal SSO Settings |
Single Sign-On (SSO) | Single Sign-On (SSO) is an authentication method that allows users to log in to multiple applications and websites with one set of credentials. When configured for use with Everbridge, SSO enables users to use their internal company credentials to log in to their respective Everbridge portals. | Authentication Method |
Single Sign-On URLs | (See ACS URL) | --- |
SSO User ID | SSO User ID is the corporate username associated with a user for authenticating with their IdP, allowing them access to multiple applications and websites with the same username. SSO usernames are ALWAYS case sensitive. The SSO User ID defined in Everbridge must exactly match the NameID defined in your IdP, including case. Just like the NameID, the SSO User ID is also known as the Attribute being sent from the IdP. IMPORTANT: The SSO User ID in Everbridge is case sensitive, so the NameID must be an exact match to the SSO User ID, including case. | Manager Portal User Settings and Contact Settings |
User Login | Which User Login workflow to choose, Service Provider Initiated or IdP Initiated, depends on what your IdP supports (e.g., does it have an actual login page?). Another consideration is what your users would prefer. | How users log in |
VCC Service Login URL | VCC Service Login URL is the unique URL that users will access to log in to VCC using SSO. This is an auto-populated field, invisible at creation. Example: https://sampleclient.vcc.everbridge.net/ | Manager Portal SSO Settings |
*The main difference between an Entity ID URL and an ACS URL is that an Entity ID URL is a unique identifier for a party in a SAML transaction, while an ACS URL is the location where the Identity Provider (IdP) sends its authentication response.
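
The following is an added example, not part of the Everbridge article or product. It reads one base64-encoded SAML Response, as copied from a SAML tracer during testing, and reports the Issuer (Entity ID), the Destination (ACS URL), the NameID, and whether the Response and the Assertion carry a signature element, then compares the NameID case-sensitively with the expected SSO User ID. The sample response, the example.test URLs and the function name are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not a real capture. The empty ds:Signature is a placeholder.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Version="2.0" Destination="https://sp.example.test/acs">
  <saml:Issuer>https://idp.example.test/entity</saml:Issuer>
  <saml:Assertion Version="2.0">
    <saml:Issuer>https://idp.example.test/entity</saml:Issuer>
    <ds:Signature/>
    <saml:Subject><saml:NameID>Jane.Doe@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_saml_response(b64_response, expected_sso_user_id):
    """Summarise one captured SAML Response. Inspection only: signature
    presence is reported, signatures are NOT cryptographically verified."""
    # Use only on responses you captured while testing your own configuration;
    # for untrusted XML prefer a hardened parser such as defusedxml.
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    name_id = None
    if assertion is not None:
        name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id is None:
        check = "missing"        # no NameID found, or the assertion is encrypted
    elif name_id == expected_sso_user_id:
        check = "match"          # exact, case-sensitive match
    elif name_id.lower() == expected_sso_user_id.lower():
        check = "case_mismatch"  # differs only by case, so it is not an exact match
    else:
        check = "mismatch"
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),  # IdP Entity ID
        "destination": root.get("Destination"),                 # ACS URL
        "name_id": name_id,
        "name_id_check": check,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
    }
```

A `case_mismatch` result points at the NameID / SSO User ID case-sensitivity requirement described in the table; `assertion_signed` being false while Signature Validation is enabled points at the IdP signing settings.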