This article outlines how to set up SAML-based Single Sign-On for Genea using Okta as your Identity Provider. We support both IdP initiated SSO as well as SP initiated SSO.
To get started, follow these steps to integrate Okta with Genea:
Step 1: Configure your Okta Application
Login to your Okta account as an admin.
Go to Admin-> Applications -> Search for 'Genea Access Control' Application in 'Browse for Catalog' -> Click on 'Add Integration'.
Enter your region within the 'General Settings' of the Genea Access Control Application and click 'Next'.
If you are an EU customer, enter 'eu' (without quotes).
For all other customers, enter 'us' (without quotes).
How to Setup SAML in Your Okta Account
On the Applications menu, click on the Genea Access Control app to view the 'Sign On' page. Change the selection from 'Secure Web Authentication' to 'SAML 2.0.'
Metadata details under the SAML 2.0 instruct the Genea Access Control on how to communicate with Okta.
Edit your "Application username format" to "Email" and click on save.
Copy and download the following from SAML 2.0 Sign-On in Okta to install 'SAML' in Genea Web Application.
Copy your "Identity Provider Single Sign-On URL."
Download your X.509 Certificate.
Configure Your SAML App in Genea
Login to your Genea dashboard and navigate to the 'Integrations' page. Under the Single Sign-On SAML integration box, click 'Install.'
2. Enter the Okta Identity Provider's values that you obtained earlier.
Enter your Identity Provider Single Sign-On URL.
Drag and drop or manually enter the X.509 Certificate you downloaded earlier.
3. Please take note of your "RelayState" ID value as shown in the above screenshot. You will need to go back to your Okta dashboard and enter this value as your Default Relay State as shown in the screenshot below.
At this point, SSO has been enabled for all of your office admins and employees.
Once SSO is enabled, existing users who have already established their Genea apps and accounts will see no impact (i.e. they will not be logged out of the app), but going forward, mobile users will be redirected to sign into their account via Okta SSO.
Note:
1. In order to make SSO work, the SSO app must be assigned to users
2. User email ID must exist in the Genea system to be able to log in.
Exempting Users From Single Sign-On
There may be cases where you want to exclude certain users from the single sign-on process. For example, you may want to send a mobile key to vendors or contractors who are not on your Identify platform. Fortunately, it's easy to add an SSO exemption with Genea once you have enabled your SAML integration.
Go to Integrations > SAML Integration > Exempted Users
Under your SAML integration, click on the 'New' button. Search and add any existing user to exempt them from SSO.
Notes:
If you have already assigned a mobile key prior to adding the user to the SSO exemption, then please go to user's profile and click on the 'Resend Sign-up Email.' This time the user will receive a notification with their registration link to sign up.
SSO Back Door URL
In some cases, there might be a mistake in the SAML configuration – or something changes in your SAML IDP endpoints. In any case, you do not want to be completely locked out. Having a back door available for Admins to use if they become locked out of their system is extremely important.
You can enable a SSO back door as shown below. The 'SSO Back Door' URL will only works for Administrators.
Genea Back Door URL is as follows:
1. If you are an EU customer: https://login.eu.sequr.io/?sso=false
2. For all other customers: https://login.sequr.io/?sso=false
How to Disable Single Sign-On
To disable SAML SSO, navigate to the 'Integrations' tab on your Genea dashboard. Click 'Manage' under the Single Sign-On SAML integration box. Next click on 'Uninstall.'
If you need assistance setting up SAML-based SSO for your organization, or if you'd like to share feedback, you can always reach the Genea Support Team via live chat in your Genea web app. You can also contact us via email at acsupport@getgenea.com.