By default, Geneious Biologics requires a set password to sign in to the application. We also offer single sign-on (SSO) with both Google and Microsoft (Azure) accounts. This functionality must be requested by an admin user for your organization; see Enabling SSO for your Organization below to turn it on.
Jump to:
- Logging in with a Microsoft (Azure) account
- Logging in with a Google account
- Enabling SSO for your Organization
- Enabling access to Geneious Biologics in your SSO provider
- Troubleshooting
- Adding New Users
- Security Information
Logging in with a Microsoft (Azure) account
If you have a personal Microsoft account or a work/school account you can use that account to log in to Geneious Biologics by clicking the 'Sign in with Microsoft' button (highlighted below). Clicking on this button will redirect you to a Microsoft website that will ask you to log in to your Microsoft account. After logging in, you will be asked to grant consent to Geneious Biologics to use limited information from your user profile.
When you have granted consent you will be redirected back to Geneious Biologics and logged in to the application.
Logging in with a Google account
Whether you are simply a Gmail user (with a gmail.com email address), or your organization uses Google Workspace (formerly known as G Suite), you will be able to sign in as a Geneious Biologics user with the same email address by using the 'Sign in with Google' button highlighted in the screenshot below.
Troubleshooting
If you are unable to log in via your SSO account, you should first review the checklist of possible reasons under Why can't I log in? in the How do I get access to Geneious Biologics? article, excluding any that refer to the use of a password. If none of those reasons explains your unsuccessful SSO login, here are some additional possible reasons to consider:
- Single sign-on has not been enabled for your organization (using your provider of choice) by the Geneious Biologics support team. Please contact your administrator or the support team if you require this to be enabled.
- Your SSO account's email address does not match (case insensitively) your Geneious Biologics email address. This is the only way we can verify that your SSO account has the authority to log in to Geneious Biologics. Please contact us if you need to change the email address registered with Geneious.
- Your SSO account administrator may need to explicitly grant you access to the 'Geneious Biologics' application.
If you have ruled out the above reasons and are still unable to log in with your SSO account, please contact support with details of what you are experiencing when attempting to log in.
Enabling SSO for your Organization
If you are an administrator for your organization and would like to enable your organization's users to use single sign-on, please contact us to enable this feature.
Please specify the following:
- Which provider you would like enabled: either Microsoft accounts (Azure Active Directory) or Google accounts.
- Whether you would like single sign-on to be mandatory for all users or if you would prefer it to be optional.
- Whether you would like the default Biologics password turned off, after confirmation from you that single sign-on is working.
You can contact support to enable SSO. If you have any specific requirements that aren't mentioned in this article, or wish to use a provider or protocol that isn't currently supported, please let us know.
Enabling access to Geneious Biologics in your SSO provider
Depending on your provider of choice and how your organization has configured it, you may be required to perform additional steps in order to enable all or some of your organization's users to sign in to Geneious Biologics using SSO. Please refer to provider-specific information below.
Microsoft
Typically, if you have a Microsoft account and a Geneious Biologics user with a matching email address, then you will be able to sign in without further ado. However, if your organization's Azure AD tenant requires that users be explicitly granted access to an application before they can sign in to it, or if you simply wish to configure the application in advance, then please refer to this article on how to add Geneious Biologics as an Enterprise application in your tenant.
Make sure that you enter the application name as 'Geneious Biologics' (without quotes) and select the 'Integrate any other application you don't find in the gallery' option when creating it. Once you have added the application, you will then be able to assign users/groups and policies for conditional access.
Google
If your organization uses Google Workspace, then you may wish or need to use app access control to manage how your users can access the Geneious Biologics application. For more details on how to do so, see this support article. As with Microsoft accounts, you will normally not need to configure application access unless your organization has security policies in place to control which applications its users can access and how they can access them.
Adding New Users
Users will not be able to log in via SSO until they have been invited to join your organization in Geneious Biologics. This allows organization admins to delegate licenses. For more information, see our User Management article.
We do not currently support automatic provisioning of Geneious Biologics users (via your SSO provider).
Security Information
This section describes in more technical detail how Single Sign-On works in Geneious Biologics and what the security implications are for you and your organization.
Geneious Biologics leverages the OpenID Connect (OIDC) protocol to enable users to authenticate using selected 3rd party providers that implement this protocol. In doing so, we request your permission for the following OAuth 2.0 scopes:
- openid - this indicates that we wish to use OIDC to verify your identity with your provider
- email - this enables us to verify that your SSO email address matches the address of an active Geneious Biologics user. For some providers (such as Microsoft) this field is not always available or reliable and we will use information from your profile instead (see below).
- profile - this grants us access to your basic profile information, such as your surname and given name(s), but more importantly in the case of Microsoft accounts it allows us to see your preferred username, which is how we identify your Geneious Biologics account (if it exists).
We will also request 'offline access', which enables us to keep your session alive without needing to periodically redirect you back to your provider while you are busy using Geneious Biologics.
Any permissions you grant to Geneious Biologics are used solely for the purposes of verifying your identity. We do not store your profile information in any form, nor share it with any 3rd party.
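The matching rule described in this section and under Troubleshooting (the provider's identity claim compared case-insensitively with the email address of an invited user) can be sketched as follows. This is an added illustration, not Geneious Biologics code; the function names, provider labels, sample users, the `email_verified` check and the choice to use only `preferred_username` for Microsoft are assumptions of the example.

```python
# Added illustration: not Geneious Biologics code. Claim names are standard
# OIDC; provider labels, user list and the email_verified check are assumptions.

def login_identifier(provider, claims):
    """Pick the ID-token claim that is compared with the application email."""
    if provider == "microsoft":
        # Page: for Microsoft the profile's preferred username is used,
        # because the email claim may be absent or unreliable.
        value = claims.get("preferred_username")
    elif provider == "google":
        # Assumption: only accept an address the provider marks as verified.
        value = claims.get("email") if claims.get("email_verified") is True else None
    else:
        raise ValueError(f"unsupported provider: {provider!r}")
    if not isinstance(value, str) or "@" not in value:
        return None
    return value.strip().casefold()


def match_user(provider, claims, active_users):
    """Return (user_email, reason); user_email is None when login is refused."""
    ident = login_identifier(provider, claims)
    if ident is None:
        return None, "no usable identifier in token"
    for email in active_users:
        if email.strip().casefold() == ident:
            return email, "matched"
    # No automatic provisioning: an unknown address is refused, not created.
    return None, "no invited user with this address"


# Constructed sample data (not real accounts or tokens).
ACTIVE_USERS = ["Ada.Lovelace@example.org", "grace@example.org"]
MS_CLAIMS = {"sub": "constructed-1", "preferred_username": "ada.lovelace@EXAMPLE.org"}
MS_EMAIL_ONLY = {"sub": "constructed-2", "email": "grace@example.org"}
GOOGLE_CLAIMS = {"sub": "constructed-3", "email": "Grace@example.org", "email_verified": True}
GOOGLE_UNVERIFIED = {"sub": "constructed-4", "email": "grace@example.org", "email_verified": False}
UNINVITED = {"sub": "constructed-5", "email": "new.user@example.org", "email_verified": True}

if __name__ == "__main__":
    for provider, claims in [("microsoft", MS_CLAIMS), ("microsoft", MS_EMAIL_ONLY),
                             ("google", GOOGLE_CLAIMS), ("google", GOOGLE_UNVERIFIED),
                             ("google", UNINVITED)]:
        print(provider, match_user(provider, claims, ACTIVE_USERS))
```

The refusal reasons map onto the troubleshooting checklist: a missing or mismatched identifier corresponds to the email-mismatch item, and an unknown address corresponds to a user who has not yet been invited.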