This article outlines how to set up and configure SAML-based Single Sign-On for Genea with G Suite as your Identity Provider (IdP). We support both IdP-initiated and SP-initiated SSO.
Please follow this official guide from G Suite to configure SSO with the Genea application.
How to Configure SAML For G Suite
1) As an administrator on your office's Google account, navigate to your admin portal and click through to 'Apps' > 'SAML Apps.'
2) On the 'SAML Apps' page you will see a list of your existing SAML apps. Click the round, yellow '+' button at the bottom right corner of your dashboard to add a new one.
3) Search for and click into the Sequr application.
Google IDP Information
4) Next you'll see your specific Identity Provider information. Copy and save the 'SSO URL,' and download the 'Certificate.' You will need this information in order to enable the SSO integration within your Sequr dashboard.
During the next steps, be sure to leave your G Suite Admin console open. You'll continue with the configuration wizard within G Suite after performing the following steps within your Genea dashboard.
Set up Genea as a SAML 2.0 Service Provider (SP)
5) Login to your Genea admin dashboard and navigate to the 'Integrations' page. Under the 'Single Sign-On SAML' integration box, click 'Install.'
6) Enter the G Suite Identity Provider's values that you obtained earlier.
In the 'Identity Provider Single Sign-On URL' box, enter your G Suite 'SSO URL.'
Drag and drop or manually enter your G Suite 'X.509 Certificate.'
7) Click 'Install' to save the values.
8) Take note of the "RelayState" ID for your account, as shown in the screenshot above, then create and copy your ACS URL with your custom RelayState ID. In the above screenshot, the value is 203.
The ACS URL will be:
https://login.sequr.io/assertion?RelayState=<YOUR-RELAYSTATE-ID>
If we were using the RelayState from the above screenshot, for example, the ACS URL would be: https://login.sequr.io/assertion?RelayState=203
Complete the SSO Configuration Within Your G Suite Admin Console
9) Navigate back to your G Suite dashboard. Within the G Suite SAML app configuration, enter your 'ACS URL' with its custom RelayState ID. If you do not use the correct RelayState ID, the integration may encounter errors.
10) Click the 'Next' button. The next page will ask you to map any attributes. You will not need to map any attributes. Click the 'Finish' button to save your settings.
11) Once the app is configured, it will not work until you turn it on for your domain. You can turn it on for everyone in your organization or for specific organizational units. In most cases you will want to turn it on for everyone.
After completing the steps above, SSO will be enabled for all of your office admins and employees.
Once SSO is enabled, existing users who have already set up their Genea apps and accounts will see no impact (i.e. they will not be logged out of the app), but going forward mobile users will be redirected to sign in to their account via G Suite SSO.
Note:
1. For SSO to work, the SAML app must be turned on for (assigned to) the users who will sign in with it.
2. The user's email address must already exist in the Genea system for that user to be able to log in.
How to Exempt Users From Single Sign-On
There may be certain users that you would like to exclude from the single sign-on process. For example, you may want to send a mobile key to vendors or contractors who are not on your Identity platform. Fortunately, it's easy to add an SSO exemption within Genea once you have enabled your SAML integration. Follow the steps below to exclude a user from the SSO process.
1) Within your Genea Admin dashboard, navigate to the 'Integrations' section. Click 'Manage' on the Single Sign-On SAML integration box and find the 'Exempted Users' section.
2) Under the 'Exempted Users' section click on the '+ New' button. Search and add any existing user to exempt them from the SSO process.
IMPORTANT NOTE: If you had already assigned a mobile key before adding the user to the SSO exemption, go to the user's profile and click the 'Resend Sign-up Email' option. The user will then receive a notification with a registration link to sign up for his or her Genea account.
SSO Back Door URL
In some cases there might be a mistake in the SAML configuration, or something may change in your SAML IdP endpoints. In either case, you do not want to be completely locked out of your account. Having a back door available for administrators to use if they become locked out of the system is extremely important.
You can enable an SSO back door as shown below. The 'SSO Back Door' URL only works for system Administrators. The Genea 'SSO Back Door' URL is: https://login.sequr.io/?sso=false
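The following added example (not Genea's own code) models, in one place, the login-routing rules this article describes: the ACS URL built from your RelayState ID, the check that a pasted ACS URL carries the right ID, the 'Exempted Users' bypass, the administrator-only back door (?sso=false), and the requirement that the email already exists in Genea. The `User` and `SsoConfig` types and the `route_login` / `acs_url_matches` functions are assumed names for the illustration, and the IdP URL and email addresses in it are constructed sample values.

```python
"""Illustrative model of the SSO login-routing rules described in the article.

Added example code, not Genea's implementation. Type and function names are
assumed; the rules themselves are the ones the article states.
"""
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass
class User:
    email: str
    is_admin: bool = False          # 'system Administrator' in the article


@dataclass
class SsoConfig:
    installed: bool                 # SAML integration installed in Genea
    relay_state_id: int             # the account's RelayState ID (e.g. 203)
    idp_sso_url: str                # the G Suite 'SSO URL'
    exempted: set = field(default_factory=set)   # 'Exempted Users' emails

    def acs_url(self) -> str:
        """ACS URL to paste into the G Suite SAML app configuration."""
        return "https://login.sequr.io/assertion?" + urlencode(
            {"RelayState": self.relay_state_id})


def acs_url_matches(cfg: SsoConfig, url: str) -> bool:
    """True only if `url` is the Genea ACS endpoint with the configured
    RelayState ID (catches typos such as a literal '<203>')."""
    p = urlparse(url)
    relay = parse_qs(p.query).get("RelayState", [])
    return (p.scheme == "https" and p.netloc == "login.sequr.io"
            and p.path == "/assertion" and relay == [str(cfg.relay_state_id)])


def route_login(cfg: SsoConfig, directory: dict, email: str,
                back_door: bool = False) -> str:
    """Return 'deny', 'password' or 'idp' for a login attempt.
    `back_door` models a request arriving via the ?sso=false URL."""
    user = directory.get(email.lower())
    if user is None:
        return "deny"               # email must already exist in Genea
    if not cfg.installed:
        return "password"           # SSO uninstalled: email/password for all
    if email.lower() in cfg.exempted:
        return "password"           # SSO exemption (e.g. contractors)
    if back_door and user.is_admin:
        return "password"           # back door honoured for admins only
    return "idp"                    # assumed: everyone else goes to the IdP
```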
How to Disable Single Sign-On
To disable SAML SSO, navigate to the 'Integrations' tab within your Genea dashboard. Click 'Manage' under the Single Sign-On SAML integration box. Lastly, click on 'Uninstall.'
Once disabled, existing users will be able to continue using their company email and password to log in to their Genea app. They may also register for their own Genea account. All users added after SSO is disabled will need to register for their own Genea account.
If you need assistance setting up SAML-based SSO for your organization, or if you'd like to share feedback, you can always reach the Genea Support Team via live chat in your Genea web app. You can also contact us via email at acsupport@getgenea.com.