This article outlines how to set up SAML-based Single Sign-On for Genea using OneLogin as your Identity Provider. We support both IdP Initiated SSO, as well as SP Initiated SSO.
How to Configure Your OneLogin Account
Within your OneLogin directory on the 'Applications' menu, click on the Genea Access Control app to view your settings.
Click on 'SSO' in the navigation panel on the left side of your dashboard. It will open a page that includes the metadata needed to configure Genea Access Control. Please copy and download the following:
1) Copy your SAML 2.0 Endpoint (HTTP).
2) Download your X.509 Certificate.
To download the certificate, click on 'View Details' as shown in the screenshot below.
3) Click 'Download' to download the certificate.
After completing the above steps within your directory, you will next need to configure the SSO integration within your Genea admin dashboard.
How to Configure Your Genea Dashboard
1) Login to your Genea dashboard and navigate to the 'Integrations' page. Under the 'Single Sign-On - SAML' integration box, click 'Install.'
2) Configure the values that you obtained earlier.
Enter your SAML 2.0 Endpoint (HTTP) into the 'Identity Provider Single Sign-On URL' field.
Drag and drop or manually enter the X.509 Certificate you downloaded earlier.
3) Click on 'Install' to save the data.
4) Find and take note of your "RelayState" ID value, as shown in the screenshot below.
5) Navigate back to your OneLogin directory. Navigate to the 'Application' page, click into the Genea Access Control app, and click on the 'Configuration' tab. Enter the RelayState value, as shown in the screenshot below. Once input, press the 'Save' button.
Once saved, SSO has been enabled for all of your office administrators and employees.
Once SSO is enabled, existing users who have already established their Genea apps and accounts will see no impact (i.e. they will not be logged out of the app), but going forward mobile users would be redirected to sign into their account via OneLogin SSO.
1. In order to make SSO work, the SSO app must be assigned to users
2. User email ID must exist in Genea system to be able to log in.
Exempting Users From Single Sign-On
There may be some cases where you want to exclude certain users from the Single Sign-on process. For example, you may want to send a mobile key to vendors or contractors who are not on your Identify platform. Fortunately, it's easy to add an SSO exemption within Genea once you have enabled your SAML integration. To exempt a user from SSO, follow the steps below.
1) Within your Genea admin dashboard, click on the 'Integrations' tab. Click 'Manage' on the SAML integration, and scroll until you find the 'Exempted Users' section.
2) Click on the '+ New' button. Search and add any existing user to exempt them from SSO.
IMPORTANT NOTE: If you have already assigned a mobile key prior to exempting the user from SSO, then please go to user's profile and click on 'Resend Sign-up Email.' The user will then receive an email from email@example.com with registration instructions.
SSO Back Door URL
In some cases, there might be a mistake in the SAML configuration – or something may change in your SAML IDP endpoints. In any case, you do not want to be completely locked out. Having a back door available for Admins to use if they become locked out of their system is extremely important.
You can enable a SSO back door by clicking the 'Non-SSO URL' box, as shown in the screenshot below. The 'SSO Back Door' URL will only works for Administrators. The Genea 'SSO Back Door' URL is : https://login.sequr.io/?sso=false
How to Disable Single Sign-On
To disable SAML SSO, navigate to the 'Integrations' tab in your Genea admin dashboard. Click 'Manage' under the Single Sign-On SAML integration box. Next click on 'Uninstall.'
Once disabled, existing users will be able to continue using their company email and password to login to their Genea app. They may also register for their own Genea account. All users added after SSO is disabled will need to register for their own Genea account.
If you need assistance setting up SAML-based SSO for your organization, or if you'd like to share feedback, you can always reach the Genea Support Team via live chat in your Genea web app. You can also contact us via email at firstname.lastname@example.org.