This article outlines how to set up SAML-based Single Sign-On for Genea using Azure as your Identity Provider. We support both IdP initiated SSO as well as SP initiated SSO.
How to Configure Your Azure Account
1) Within your Azure account, go to 'Enterprise Applications' > 'All Applications' > 'Categories' > 'Add an application.' Search for the Sequr app within the gallery and click on 'Add.'
2) Once the Sequr app has been added, navigate to 'Enterprise Applications' > 'All Applications.' Click into the Sequr app and then click on 'Set up single sign on.'
3) Copy the 'Login URL.'
4) Download the X.509 Certificate. It will be labeled 'Certificate (Base64).'
After completing the above steps within your directory, you will next need to configure the SSO integration within your Genea admin dashboard.
5) Login to your Genea dashboard and navigate to the 'Integrations' page. Under the 'Single Sign-On SAML' integration box, click 'Install.'
6) Configure the values that you obtained within your directory.
- Paste your Login URL into the 'Identity Provider Single Sign-On URL' box.
- Drag and drop or manually enter your X.509 Certificate.
7) Click 'Install' to save the data.
8) Please take note of your "RelayState" ID value, as shown in the above screenshot.
You will need to navigate back into your directory. Go to your 'Enterprise Applications - All applications' > Sequr - Single sign-on.'
9) Edit the Relay state as shown in the screenshot below.
10) Save the Relay State value.
After completing the steps above, SSO will be enabled for all of your office admins and employees.
Once SSO is enabled, existing users who have already established their Sequr apps and accounts will see no impact (i.e. they will not be logged out of the app), but going forward mobile users would be redirected to sign into their account via Azure SSO.
Exempting Users From Single Sign-On
There may be certain users that you would like to exclude from the single sign-on process. For example, you may want to send a mobile key to vendors or contractors who are not on your Identify platform. Fortunately, it's easy to add an SSO exemption within Genea once you have enabled your SAML integration. Follow the steps below to exclude a user from the SSO process.
1) Within your Genea Admin dashboard, navigate to the 'Integrations' section. Click 'Manage' on the Single Sign-On SAML integration box and find the 'Exempted Users' section.
2) Under the 'Exempted Users' section click on the '+ New' button. Search and add any existing user to exempt them from the SSO process.
IMPORTANT NOTE: If you have already assigned a mobile key prior to adding the user to the SSO exemption, then please go to user's profile and click on the 'Resend Sign-up Email' option. The user will then receive a notification with their registration link to sign up for his or her Genea account.
SSO Back Door URL
In some cases, there might be a mistake in the SAML configuration – or something changes in your SAML IDP endpoints. In any case, you do not want to be completely locked out of your account. Having a back door available for administrators to use if they become locked out of the system is extremely important.
You can enable a SSO back door as shown below. The 'SSO Back Door' URL will only works for system Administrators. The Genea 'SSO Back Door' URL is: https://login.sequr.io/?sso=false
How to Disable Single Sign-On
To disable SAML SSO, navigate to the 'Integrations' tab within your Genea dashboard. Click 'Manage' under the Single Sign-On SAML integration box. Lastly, click on 'Uninstall.'
Once disabled, existing users will be able to continue using their company email and password to login to their Genea app. They may also register for their own Genea account. All users added after SSO is disabled will need to register for their own Genea account.
If you need assistance setting up SAML-based SSO for your organization, or if you'd like to share feedback, you can always reach the Genea Support Team via live chat in your Genea web app. You can also contact us via email at email@example.com.