Currently, Practice only supports SAML as the way to provide Single Sign-On (SSO) to clients.
Overview
SAML (Security Assertion Markup Language) is an open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
Materials
- SAML Client Questionnaire: https://docs.google.com/document/d/1He_AmNWjXbVRMw8Xu8NKKHL9SaTkQl8xtvpbCaBfuTQ/edit#heading=h.kly9mtu5lclz
- SAML Errors: https://docs.google.com/document/d/1KOP_U5PbOHQyAcq-x4E51pe7LgYBH6VNJ06ULbjORg4/edit
Terminology
Term | Definition |
---|---|
IDP (Identity provider) | Centralized storage of user IDs (a.k.a. federated ID store) |
Service Provider | Practice is a service provider. |
SAML SSO URL or Identity Provider Single Sign-On URL | Where the user is redirected when they log in. This is a field in the Practice Org settings. The client provides this information. |
ISSUER or entityID | Any entity implementing SAML profiles is required to identify itself using an entityID. This is a field in the Practice Org settings. The client provides this information. |
Deep linking or RelayState | A parameter of the SAML protocol that identifies the specific resource the user will access after they are signed in and directed to the relying party's federation server. Simply put, a link that takes you to a specific page in Practice (e.g., see your peer feedback). |
Practice Entity ID | https://practice.xyz |
SSO Login Endpoint or Assertion Consumer Service URL | https://app.practice.xyz/sso/saml/consume |
Supported Identity Providers
- OKTA
- Ping
- Siteminder
- Onelogin
- Any other provider, as long as it implements the SAML 2.0 specification
Requirements
To configure SAML successfully you will need:
- A SAML service
- Practice Assertion Consumer Service URL: https://app.practice.xyz/sso/saml/consume
- Practice SP Entity Id: https://practice.xyz
- The IdP must include the following additional attribute statements in the assertions it sends to Practice:
Attribute Name | Attribute Details | Attribute Value |
---|---|---|
User.primaryEmailAddress | The user's email address. | Required. Must be a valid email address. Must match a current Practice user, or a new account will be created. |
User.fullName | The user's full name. | Required. Should be the user's full name. Updated on every log-in unless the values already match. |
User.preferredTimeZone | The user's preferred time zone. | Optional. Must be one of America/New_York, US/Central, US/Mountain, US/Arizona, US/Pacific, US/Alaska, US/Hawaii, UTC. Updated on every log-in unless the values already match. |
OrganizationMembership.roleName | The user's role in the organization. | Optional. Must be one of ADMIN, COORDINATOR, MEMBER. If the value sent in the assertion does not match what is in Practice, the login fails with an error. |
For your Practice IC to finish the configuration you will need to provide:
- The info in this Questionnaire doc
- An IdP Metadata file, or:
- SAML IdP Entity ID
- SAML Certificate Fingerprint or X509 Certificate
Configuration
IC enables SAML for the client Org in the Internal Admin Pane
- https://system-admin.practice.xyz/organizations
- Click the Settings Icon and Select View Integration
- Enable the SAML toggle (note: it turns blue when on)
- Click Done
Visit the Organization's Settings
- Click SAML SSO
- Set the SAML SSO URL
- This value is Identity Provider Single Sign-On URL.
- Set the Issuer
- This value is the Identity Provider Issuer or entityID.
- Set the Public Certificate
- This value is the X.509 certificate, including its PEM header line
Authentication and Workflow
Practice currently supports the following log-in flows:
- IdP initiated: someone clicks a link that was built in the IdP
- Service Provider (SP) initiated launch: handled via the URL https://app.practice.xyz/saml/login?issuer={issuer/entity id}. Practice will not redirect from the /organizations/{org id} URL.
- Mobile app: the user is prompted for the company code, also known as the entityID