This article outlines how to set up SAML-based Single Sign-On for Genea using Okta as your Identity Provider. We support both IdP initiated SSO as well as SP initiated SSO.
How to Configure Your Okta Account
- On the Applications menu, click on the Genea Access Control app to view your settings.
- On the 'Sign On' page, change the selection from 'Secure Web Authentication' to 'SAML 2.0.'
- Edit your "Application username format" to "Email" and click on save.
- With SAML 2.0 selected, click 'View Setup Instructions' to access your Okta metadata. This metadata instructs Genea Access Control on how to communicate with Okta.
- Okta will open a new page that includes the metadata needed to configure Genea Access Control. Please copy and download the following:
- Copy your "Identity Provider Single Sign-On URL."
- Download your X.509 Certificate.
Configure Your Genea Dashboard
- Login to your Genea dashboard and navigate to the 'Integrations' page. Under the Single Sign-On SAML integration box, click 'Install.'
2. Enter the Okta Identity Provider's values that you obtained earlier.
- Enter your Identity Provider Single Sign-On URL.
- Drag and drop or manually enter the X.509 Certificate you downloaded earlier.
3. Click 'Install' to save the data.
4. Please take note of your "RelayState" ID value as shown in the above screenshot. You will need to go back to your Okta dashboard and enter this value as your Default Relay State as shown in the screenshot below.
At this point, SSO has been enabled for all of your office admins and employees.
Once SSO is enabled, existing users who have already established their Genea apps and accounts will see no impact (i.e. they will not be logged out of the app), but going forward mobile users would be redirected to sign into their account via Okta SSO.
Note:
1. In order to make SSO work, the SSO app must be assigned to users
2. User email ID must exist in Genea system to be able to log in.
Exempting Users From Single Sign-On
There may be cases where you want to exclude certain users from the single sign-on process. For example, you may want to send a mobile key to vendors or contractors who are not on your Identify platform. Fortunately, it's easy to add an SSO exemption with Genea once you have enabled your SAML integration.
- Go to Integrations > SAML Integration > Exempted Users
- Under your SAML integration, click on the 'New' button. Search and add any existing user to exempt them from SSO.
Notes:
- If you have already assigned a mobile key prior to adding the user to the SSO exemption, then please go to user's profile and click on the 'Resend Sign-up Email.' This time the user will receive a notification with their registration link to sign up.
SSO Back Door URL
In some cases, there might be a mistake in the SAML configuration – or something changes in your SAML IDP endpoints. In any case, you do not want to be completely locked out. Having a back door available for Admins to use if they become locked out of their system is extremely important.
You can enable a SSO back door as shown below. The 'SSO Back Door' URL will only works for Administrators. The Genea 'SSO Back Door' URL is : https://login.sequr.io/?sso=false
How to Disable Single Sign-On
To disable SAML SSO, navigate to the 'Integrations' tab on your Genea dashboard. Click 'Manage' under the Single Sign-On SAML integration box. Next click on 'Uninstall.'
If you need assistance setting up SAML-based SSO for your organization, or if you'd like to share feedback, you can always reach the Genea Support Team via live chat in your Genea web app. You can also contact us via email at acsupport@getgenea.com.