By default, Geneious Biologics allows you to set a password and use that password to sign in. However, we also offer alternative methods of authentication. If you or some of your organization's users already have an account with one of the SSO providers mentioned below, you can choose to sign in to Geneious Biologics with those credentials instead.
For more information about how to enable SSO for your organization, see below.
Logging in with a Microsoft account
Whether you have a personal Microsoft account or a work/school account, you can use that account to log in to Geneious Biologics by clicking the 'Sign in with Microsoft' button (highlighted below). Clicking this button redirects you to a Microsoft website, which will ask you to log in to your Microsoft account (and/or choose which account to use if you have more than one). Once you are logged in, it will ask you to grant consent for Geneious Biologics to use limited information from your user profile.
When you have granted consent (this will generally be a one-time procedure unless we require additional permissions in future or you change to a different account), you will be redirected back to Geneious Biologics and logged in to the application.
Logging in with a Google account
Whether you are simply a Gmail user (with a gmail.com email address), or your organization uses Google Workspace (formerly known as G Suite), you will be able to sign in as a Geneious Biologics user with the same email address by using the 'Sign in with Google' button highlighted in the screenshot below.
Troubleshooting
If you are unable to log in via your SSO account, you should first review the checklist of possible reasons under Why can't I log in? in the How do I get access to Geneious Biologics? article, excluding any that refer to the use of a password. If none of those reasons explains your unsuccessful SSO login, here are some additional possible reasons to consider:
- Single sign-on has not been enabled for your organization (using your provider of choice) by the Geneious Biologics support team. Please contact your administrator or the support team if you require this to be enabled.
- Your SSO account's email address does not match (case insensitively) your Geneious Biologics email address. This is the only way we can verify that your SSO account has the authority to log in to Geneious Biologics. Please contact us if you need to change the email address registered with Geneious.
- Your SSO account administrator may need to explicitly grant you access to the 'Geneious Biologics' application.
If you have ruled out the above reasons and are still unable to log in with your SSO account, please contact support with details of what you are experiencing when attempting to log in.
Enabling SSO for your organization
Enabling SSO allows you to centralize authentication and leverage any additional security features an SSO provider might provide (such as multi-factor authentication) by using that provider to authenticate with Geneious Biologics.
Currently we support:
- Microsoft accounts (Azure Active Directory)
- Google accounts
Enabling SSO in Geneious Biologics
If you are an administrator for your organization and would like to enable your organization's users to use single sign-on, please contact us to enable this feature. Please also specify whether you would like single sign-on to be mandatory for all users or if you would prefer it to be optional.
If you have any specific requirements that aren't mentioned in this article, or wish to use a provider or protocol that isn't currently supported, please let us know, as we are actively looking to expand our single sign-on capabilities where possible.
Enabling access to Geneious Biologics in your SSO provider
Depending on your provider of choice and how your organization has configured it, you may be required to perform additional steps in order to enable all or some of your organization's users to sign in to Geneious Biologics using SSO. Please refer to provider-specific information below.
Microsoft
Typically, if you have a Microsoft account and a Geneious Biologics user with a matching email address, then you will be able to sign in without further ado. However, if your organization's Azure AD tenant requires that users be explicitly granted access to an application before they can sign in to it, or if you simply wish to configure the application in advance, then please refer to this article on how to add Geneious Biologics as an Enterprise application in your tenant.
Make sure that you enter the application name as 'Geneious Biologics' (without quotes) and select the 'Integrate any other application you don't find in the gallery' option when creating it. Once you have added the application, you will then be able to assign users/groups and policies for conditional access.
Google
If your organization uses Google Workspace, then you may wish or need to use app access control to manage how your users can access the Geneious Biologics application. For more details on how to do so, see this support article. As with Microsoft accounts, you will normally not need to configure application access unless your organization has security policies in place to control which applications its users can access and how they can access them.
Adding New Users
Users will not be able to log in via SSO until they have been invited to join your organization in Geneious Biologics. This allows organization admins to delegate licenses. For more information, see our User Management article.
We do not currently support automatic provisioning of Geneious Biologics users (via your SSO provider).
Security Information
This section describes in more technical detail how Single Sign-On works in Geneious Biologics and what the security implications are for you and your organization.
Geneious Biologics leverages the OpenID Connect (OIDC) protocol to enable users to authenticate using selected 3rd party providers that implement this protocol. In doing so, we request your permission for the following OAuth 2.0 scopes:
- openid - this indicates that we wish to use OIDC to verify your identity with your provider
- email - this enables us to verify that your SSO email address matches the address of an active Geneious Biologics user. For some providers (such as Microsoft) this field is not always available or reliable and we will use information from your profile instead (see below).
- profile - this grants us access to your basic profile information, such as your surname and given name(s), but more importantly in the case of Microsoft accounts it allows us to see your preferred username, which is how we identify your Geneious Biologics account (if it exists).
We will also request 'offline access', which enables us to keep your session alive without needing to periodically redirect you back to your provider while you are busy using Geneious Biologics.
Any permissions you grant to Geneious Biologics are used solely for the purposes of verifying your identity. We do not store your profile information in any form, nor share it with any 3rd party.
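The account-matching rules described under Troubleshooting and Security Information, sketched as an added example (not Geneious Biologics code). It assumes the ID token's signature, issuer, audience and expiry have already been validated; the function names, reason strings and user records are hypothetical.

```python
# Added illustration: map validated OIDC ID-token claims to an invited user.
# All names and sample records below are hypothetical / constructed.


def login_identifier(provider, claims):
    """Return the case-folded identifier to match on, or None if unusable."""
    if provider == "microsoft":
        # The article notes the email claim is not always available or
        # reliable for Microsoft, so preferred_username (profile) is used.
        value = claims.get("preferred_username")
    elif provider == "google":
        # Assumption: accept the address only when Google marks it verified.
        value = claims.get("email") if claims.get("email_verified") is True else None
    else:
        return None  # provider not supported
    if not isinstance(value, str) or "@" not in value:
        return None
    return value.strip().casefold()


def resolve_user(provider, claims, users, enabled_providers):
    """Return (user, reason); user is None whenever login must be refused."""
    if provider not in enabled_providers:
        return None, "sso_not_enabled_for_organization"
    ident = login_identifier(provider, claims)
    if ident is None:
        return None, "no_usable_identifier_claim"
    # Case-insensitive match against invited users; nothing is auto-provisioned.
    for user in users:
        if user["email"].casefold() == ident:
            if not user["active"]:
                return None, "user_not_active"
            return user, "ok"
    return None, "no_matching_invited_user"


# Constructed sample data (not real accounts).
USERS = [
    {"email": "Ada.Lovelace@example.org", "active": True},
    {"email": "bob@example.org", "active": False},
]
MS_CLAIMS = {"preferred_username": "ada.lovelace@EXAMPLE.org",
             "email": "someone.else@example.org"}
GOOGLE_UNVERIFIED = {"email": "ada.lovelace@example.org", "email_verified": False}
```

The reason strings line up with the troubleshooting checklist: SSO not enabled for the organization, no matching email address, and a user who has not been invited or is not active.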