This article outlines how to set up SAML-based Single Sign-On (SSO) for Genea using Microsoft Entra ID as your Identity Provider (IdP). Both IdP-initiated and SP-initiated SSO are supported.
How to Configure Your Microsoft Entra Account
1) Within your Microsoft Entra account, go to 'Enterprise Applications' > 'All Applications' > 'Add an application.' Search for the Genea Access Control app within the gallery.
2) Click on the Genea app from the search result and 'Create' it.
3) Once the Genea Access Control app has been added, navigate to 'Enterprise Applications' > 'All Applications.' Click into the app and then click on 'Set up single sign on.'
4) Edit 'Basic SAML Configuration' and set the Identifier and Reply URL to the values below:
Identifier (Entity ID): https://login.sequr.io
Reply URL (Assertion Consumer Service URL): https://login.sequr.io/assertion
5) Copy the 'Login URL.'
6) Download the X.509 certificate labeled 'Certificate (Base64).' This is the Entra signing certificate that Genea will use to verify the signature on SAML assertions.
After completing the above steps within your directory, you will next need to configure the SSO integration within your Genea admin dashboard.
7) Login to your Genea dashboard and navigate to the 'Integrations' page. Under the 'Single Sign-On SAML' integration box, click 'Install.'
8) Enter the values you obtained from Entra:
Paste your Login URL into the 'Identity Provider Single Sign-On URL' box.
Drag and drop or manually enter your X.509 Certificate.
9) Mandate Browser for App Login
If this option is selected, users must complete Single Sign-On for the application in the Microsoft Edge browser; if Edge is not installed, they may be prompted to install it.
This option is useful when an organization wants to allow logins only through an approved client app by enforcing a Conditional Access policy in Microsoft Entra ID.
If this option is not selected, the login process proceeds in the usual manner.
10) Click 'Install' to save the data.
11) Take note of the 'RelayState' value that the Genea dashboard displays once the integration is installed.
12) Return to your directory. Go to 'Enterprise Applications' > 'All applications' > the Genea app > 'Single sign-on' and edit the 'Relay State' field, pasting the value from Genea.
13) Save the Relay State value.
After completing the steps above, SSO will be enabled for all of your office admins and employees.
Once SSO is enabled, existing users who have already set up their Genea apps and accounts see no impact (they are not logged out of the app), but from then on mobile users are redirected to sign in to their account through Microsoft Entra SSO.
Note:
1. For SSO to work, the Genea app must be assigned to users in Entra (under the app's 'Users and groups').
2. The email address asserted by Entra must already exist as a user in Genea; otherwise the login will fail.
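To make concrete what the fields configured above do on the wire, here is an added example (not Genea's or Microsoft's code) that builds the SP-initiated AuthnRequest using the Entity ID and Reply URL from step 4, carries a RelayState through the HTTP-Redirect binding to the Login URL from step 5, and performs the field-level checks an SP must make on the Response before trusting it (Destination equals the Reply URL, Audience equals the Entity ID, InResponseTo matches, validity window, NameID present, since Genea matches users by email). The tenant ID in the Login URL and the sample Response are constructed placeholders. XML signature verification against the certificate from step 6 is deliberately left to a real SAML library.

```python
import base64
import datetime as dt
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# Service-provider values from the Basic SAML Configuration step of this article.
SP_ENTITY_ID = "https://login.sequr.io"
SP_ACS_URL = "https://login.sequr.io/assertion"
# Stand-in for the 'Login URL' copied from Entra in step 5 (the tenant ID is made up).
IDP_LOGIN_URL = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z' (fractional seconds optional)."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_authn_request(request_id, issue_instant):
    """SP-initiated AuthnRequest: Issuer is the Entity ID, ACS URL is the Reply URL."""
    instant = issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{instant}" Destination="{IDP_LOGIN_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_binding_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode; RelayState rides alongside."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    )
    return f"{IDP_LOGIN_URL}?{query}"


def decode_redirect_binding_url(url):
    """Inverse of redirect_binding_url, for inspecting a captured login redirect."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return xml, params.get("RelayState", [""])[0]


def check_response(response_xml, expected_request_id, now):
    """Field checks an SP performs before trusting a Response. Returns (problems, NameID).
    Signature verification against the step-6 certificate is NOT done here."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not the Reply URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"], None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            problems.append("NotBefore is still in the future")
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("NotOnOrAfter has passed; assertion is expired")
        audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
        if audience is None or audience.text != SP_ENTITY_ID:
            problems.append("Audience is not the SP Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = name_id.text if name_id is not None else None
    if not email:
        problems.append("no NameID; Genea needs the user's email to match an existing account")
    return problems, email


# Constructed sample of what Entra posts back to the Reply URL (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1"
    Version="2.0" IssueInstant="2024-05-01T12:00:05Z" Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z">
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    req = build_authn_request("_req1", parse_saml_time("2024-05-01T12:00:00Z"))
    print(redirect_binding_url(req, "genea-relay-state"))
    print(check_response(SAMPLE_RESPONSE, "_req1", parse_saml_time("2024-05-01T12:00:10Z")))
```

If a login fails after setup, decoding the captured redirect with `decode_redirect_binding_url` and running the posted Response through `check_response` will usually point at the misconfigured field (a Reply URL typo shows up as a Destination mismatch, a wrong Identifier as an Audience mismatch).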
Exempting Users From Single Sign-On
There may be certain users you would like to exclude from the single sign-on process. For example, you may want to send a mobile key to vendors or contractors who are not on your identity platform. Once the SAML integration is enabled, adding an SSO exemption within Genea is straightforward. Follow the steps below to exclude a user from the SSO process.
1) Within your Genea Admin dashboard, navigate to the 'Integrations' section. Click 'Manage' on the Single Sign-On SAML integration box and find the 'Exempted Users' section.
2) Under the 'Exempted Users' section click on the '+ New' button. Search and add any existing user to exempt them from the SSO process.
IMPORTANT NOTE: If you assigned a mobile key before adding the user to the SSO exemption, go to the user's profile and click 'Resend Sign-up Email.' The user will then receive a notification with a registration link to sign up for their Genea account.
SSO Back Door URL
In some cases there may be a mistake in the SAML configuration, or your SAML IdP endpoints may change. Either way, you do not want to be completely locked out of your account, so it is important that administrators have a back door to use if they become locked out.
You can enable an SSO back door as described here. The 'SSO Back Door' URL only works for system Administrators. The Genea 'SSO Back Door' URL is: https://login.sequr.io/?sso=false
Because this URL bypasses your Identity Provider entirely, including any Conditional Access policy enforced there, keep the set of system Administrators small and make sure those accounts use strong, unique Genea passwords.
How to Disable Single Sign-On
To disable SAML SSO, navigate to the 'Integrations' tab within your Genea dashboard. Click 'Manage' under the Single Sign-On SAML integration box. Lastly, click on 'Uninstall.'
Once disabled, existing users can continue to log in to their Genea app with their company email and password. They may also register for their own Genea account. All users added after SSO is disabled will need to register for their own Genea account.
If you need assistance setting up SAML-based SSO for your organization, or if you'd like to share feedback, you can always reach the Genea Support Team via live chat in your Genea web app. You can also contact us via email at acsupport@getgenea.com.