Practice Single Sign On SAML Overview

Document created by Tyler Clark on Apr 9, 2018. Last modified by Brock Halladay on May 12, 2020. Version 6.

Currently, Practice supports only SAML as a way to provide Single Sign-On (SSO) to clients.


SAML (Security Assertion Markup Language) is an open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.



IDP (Identity Provider): Centralized storage of user IDs (a.k.a. federated ID store).

Service Provider: Practice is a service provider.

SAML SSO URL or Identity Provider Single Sign-On URL: Where the user is redirected when they log in. This is a field in the Practice Org settings. The client provides this information.

ISSUER or entityID: Any entity implementing SAML profiles is required to identify itself using an entityID. This is a field in the Practice Org settings. The client provides this information.

Practice Entity ID:

SSO Login Endpoint or Assertion Consumer Service URL:


Supported Identity Providers

  • OKTA
  • Ping
  • Siteminder
  • Onelogin
  • Unique (custom) identity providers: these work as long as they implement the SAML 2.0 specification




To configure SSO successfully, you will need the following attributes:


| Attribute Name | Attribute Details | Attribute Value |
|---|---|---|
| User.primaryEmailAddress | The user's email address. | Required. Must be a valid email. Must match a current Practice user or a new account will be created. |
| User.fullName | The user's full name. | Required. Should be the user's full name. Will update with every log-in unless the value matches. |
| User.preferredTimeZone | The user's preferred time zone. | Optional. Must be one of America/New_York, US/Central, US/Mountain, US/Arizona, US/Pacific, US/Alaska, US/Hawaii, UTC. Will update with every log-in unless the value matches. |
| OrganizationMembership.roleName | The user's role in the organization. | Optional. Must be one of ADMIN, COORDINATOR, MEMBER. Unless the value sent in the assertion matches what is in Practice, it will cause a login error. |
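
A pre-flight check for the attribute requirements in the table above, as an added example that is not Practice's own code: it reads the AttributeStatement from a test assertion and reports values that do not meet them. The function names and the sample assertion are constructed, and exact, case-sensitive matching of the listed values is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
TIME_ZONES = {"America/New_York", "US/Central", "US/Mountain", "US/Arizona",
              "US/Pacific", "US/Alaska", "US/Hawaii", "UTC"}
ROLES = {"ADMIN", "COORDINATOR", "MEMBER"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose syntax check only

def read_attributes(xml_text):
    """Return {attribute name: first value} from your own test assertion.
    Attribute mapping check only: no signature or issuer validation is done."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(NS + "Attribute"):
        value = attr.find(NS + "AttributeValue")
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def check_attributes(attrs):
    """Return a list of problems; an empty list means the table's rules are met."""
    problems = []
    if not EMAIL_RE.match(attrs.get("User.primaryEmailAddress", "")):
        problems.append("User.primaryEmailAddress: required, must be a valid email")
    if not attrs.get("User.fullName"):
        problems.append("User.fullName: required")
    tz = attrs.get("User.preferredTimeZone")  # optional, checked only if sent
    if tz is not None and tz not in TIME_ZONES:
        problems.append(f"User.preferredTimeZone: {tz!r} is not an accepted value")
    role = attrs.get("OrganizationMembership.roleName")  # optional, checked only if sent
    if role is not None and role not in ROLES:
        problems.append(f"OrganizationMembership.roleName: {role!r} is not an accepted value")
    return problems

# Constructed sample: an unlisted time zone and a lowercase role name.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="User.primaryEmailAddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.fullName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.preferredTimeZone"><saml:AttributeValue>America/Chicago</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="OrganizationMembership.roleName"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    for problem in check_attributes(read_attributes(SAMPLE)):
        print(problem)
```

Run it against the decoded assertion from an IdP test login before handing the configuration to your Practice IC.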



For your Practice IC to finish the configuration you will need to provide:

  • The info in this Questionnaire doc
  • An IdP Metadata file, or:
    • SAML IdP Entity ID
    • SAML Certificate Fingerprint or X509 Certificate



IC enables SAML for the client Org in the Internal Admin Pane


  • Enable the SAML toggle. Note: It turns blue when on.


  • Click Done

Visit the Organization's Settings

  • Click SAML SSO


  • Set the SAML SSO URL
    • This value is Identity Provider Single Sign-On URL.
  • Set the Issuer
    • This value is the Identity Provider Issuer or entityID.
  • Set the Public Certificate
    • This value is the X.509 cert with the header


Authentication and Workflow

Practice currently supports IDP-initiated log-in:

  • IDP initiated: Someone clicks a link that they build in the IDP.
  • Service Provider Initiated Launch: Service Provider initiated launch, or SP initiated launch, is handled via the following URL{issuer/entity id}. Practice will not redirect from the /organizations/{org id} URL.
  • Mobile App: The user is prompted for the company code, also known as the entityID.

