This article outlines how to set up and configure SAML based Single Sign-On with Genea. If your identity provider (IdP) supports SAML 2.0, then you can enable Single Sign-On (SSO) for all of your administrators and employees.
When you use SAML to connect Genea with your identity provider (IdP), it’s easy to provide your admins and employees with Single Sign-On access to the Genea Dashboard, as well as the Genea Mobile app. You’ll also increase your office security by reducing the risk of password theft.
Configuring SAML for Common IdP's
You can connect Genea to any SSO provider with SAML 2.0. We’ve provided guides for a few common IdP's:
- SSO for Genea via Okta
- SSO for Genea via OneLogin
- SSO for Genea via Microsoft Azure
- SSO for Genea via G Suite
SAML Configuration Instructions
We support both IdP initiated SSO as well as SP initiated SSO. Please follow the instructions below to configure your IdP (Identity Provider) and SP (Service Provider - Genea).
Step 1: Configure Your Identity Provider
Please obtain the following values from your Identity Provider. The values will be needed when setting up the integration within your Genea admin dashboard. Please follow our IdP specific guide to obtain these values.
- Identity Provider's Single Sign-On Service URL (HTTP URL)
- Identity Provider X.509 signing certificate (Base64 encoded)
The "RelayState" value is necessary in order to allow both IdP initiated as well as SP initiated SSO work. You will obtain the RelayState value from within your Genea admin dashboard (as shown in step 3 below) while setting up the integration. Please follow your IdP specific guide to configure this value within your IdP dashboard.
Step 2. Configure Service Provider ( Genea Dashboard)
1) Login to your Genea admin dashboard and navigate to the 'Integrations' page. Under the 'Single Sign-On SAML' integration box, click 'Install.'
2) Enter your Identity Provider's values.
- Enter your Identity Provider HTTP SAML URL.
- Drag and drop or manually enter the X.509 certificate.
3) Click 'Install' to save the values.
4) Please make a note of the "RelayState" value, as shown in the image above, and follow your IdP specific guide to configure this value within your IdP dashboard. At this point, Single Sign-On will be enabled for all of your admins and employees.
Once SSO is enabled, existing users who have already established their Genea apps and accounts will see no impact (i.e. they will not be logged out of the app), but going forward mobile users would be redirected to sign into their account via Azure SSO.
How to Exempt Users From Single Sign-On
There may be certain users that you would like to exclude from the single sign-on process. For example, you may want to send a mobile key to vendors or contractors who are not on your Identify platform. Fortunately, it's easy to add an SSO exemption within Genea once you have enabled your SAML integration. Follow the steps below to exclude a user from the SSO process.
1) Within your Genea Admin dashboard, navigate to the 'Integrations' section. Click 'Manage' on the Single Sign-On SAML integration box and find the 'Exempted Users' section.
2) Under the 'Exempted Users' section click on the '+ New' button. Search and add any existing user to exempt them from the SSO process.
IMPORTANT NOTE: If you have already assigned a mobile key prior to adding the user to the SSO exemption, then please go to user's profile and click on the 'Resend Sign-up Email' option. The user will then receive a notification with their registration link to sign up for his or her Genea account.
SSO Back Door URL
In some cases, there might be a mistake in the SAML configuration – or something changes in your SAML IDP endpoints. In any case, you do not want to be completely locked out of your account. Having a back door available for administrators to use if they become locked out of the system is extremely important.
You can enable a SSO back door as shown below. The 'SSO Back Door' URL will only works for system Administrators. The Genea 'SSO Back Door' URL is: https://login.sequr.io/?sso=false
How to Disable Single Sign-On
To disable SAML SSO, navigate to the 'Integrations' tab within your Genea dashboard. Click 'Manage' under the Single Sign-On SAML integration box. Lastly, click on 'Uninstall.'
Once disabled, existing users will be able to continue using their company email and password to login to their Genea app. They may also register for their own Genea account. All users added after SSO is disabled will need to register for their own Genea account.
If you need assistance setting up SAML-based SSO for your organization, or if you'd like to share feedback, you can always reach the Genea Support Team via live chat in your Genea web app. You can also contact us via email at email@example.com.